Entries Tagged "police"

Page 9 of 28

Becoming a Police Informant in Exchange for a Lighter Sentence

Fascinating article.

Snitching has become so commonplace that in the past five years at least 48,895 federal convicts—one of every eight—had their prison sentences reduced in exchange for helping government investigators, a USA TODAY examination of hundreds of thousands of court cases found. The deals can chop a decade or more off of their sentences.

How often informants pay to acquire information from brokers such as Watkins is impossible to know, in part because judges routinely seal court records that could identify them. It almost certainly represents an extreme result of a system that puts strong pressure on defendants to cooperate. Still, Watkins’ case is at least the fourth such scheme to be uncovered in Atlanta alone over the past 20 years.

Those schemes are generally illegal because the people who buy information usually lie to federal agents about where they got it. They also show how staggeringly valuable good information has become—­ prices ran into tens of thousands of dollars, or up to $250,000 in one case, court records show.

There are all sorts of complexities and unintended consequences in this system. This is just a small part of it:

The risks are obvious. If the government rewards paid-for information, wealthy defendants could potentially buy early freedom. Because such a system further muddies the question of how informants—already widely viewed as untrustworthy ­—know what they claim to know, “individual cases can be undermined and the system itself is compromised,” U.S. Justice Department lawyers said in a 2010 court filing.

Plea bargaining is illegal in many countries precisely because of the perverse incentives it sets up. I talk about this more in Liars and Outliers.

Posted on December 28, 2012 at 6:37 AMView Comments

Information-Age Law Enforcement Techniques

This is an interesting blog post:

Buried inside a recent United Nations Office on Drugs and Crime report titled Use of Internet for Terrorist Purposes one can carve out details and examples of law enforcement electronic surveillance techniques that are normally kept secret.

[…]

Point 280: International members of the guerilla group Revolutionary Armed Forces of Colombia (FARC) communicated with their counterparts hiding messages inside images with steganography and sending the emails disguised as spam, deleting Internet browsing cache afterwards to make sure that the authorities would not get hold of the data. Spanish and Colombian authorities cooperated to break the encryption keys and successfully deciphered the messages.

[…]

Point 198: It explains how an investigator can circumvent Truecrypt plausible deniability feature (hidden container), advising computer forensics investigators to take into consideration during the computer analysis to check if there is any missing volume of data.

[…]

Point 210: Explains how Remote Administration Trojans (RATs) can be introduced into a suspects computer to collect data or control his computer and it makes reference to hardware and software keyloggers as well as packet sniffers.

There’s more at the above link. Here’s the final report.

Posted on December 19, 2012 at 6:47 AMView Comments

Is iPhone Security Really this Good?

Simson Garfinkel writes that the iPhone has such good security that the police can’t use it for forensics anymore:

Technologies the company has adopted protect Apple customers’ content so well that in many situations it’s impossible for law enforcement to perform forensic examinations of devices seized from criminals. Most significant is the increasing use of encryption, which is beginning to cause problems for law enforcement agencies when they encounter systems with encrypted drives.

“I can tell you from the Department of Justice perspective, if that drive is encrypted, you’re done,” Ovie Carroll, director of the cyber-crime lab at the Computer Crime and Intellectual Property Section in the Department of Justice, said during his keynote address at the DFRWS computer forensics conference in Washington, D.C., last Monday. “When conducting criminal investigations, if you pull the power on a drive that is whole-disk encrypted you have lost any chance of recovering that data.”

Yes, I believe that full-disk encryption—whether Apple’s FileVault or Microsoft’s BitLocker (I don’t know what the iOS system is called)—is good; but its security is only as good as the user is at choosing a good password.

The iPhone always supported a PIN lock, but the PIN wasn’t a deterrent to a serious attacker until the iPhone 3GS. Because those early phones didn’t use their hardware to perform encryption, a skilled investigator could hack into the phone, dump its flash memory, and directly access the phone’s address book, e-mail messages, and other information. But now, with Apple’s more sophisticated approach to encryption, investigators who want to examine data on a phone have to try every possible PIN. Examiners perform these so-called brute-force attacks with special software, because the iPhone can be programmed to wipe itself if the wrong PIN is provided more than 10 times in a row. This software must be run on the iPhone itself, limiting the guessing speed to 80 milliseconds per PIN. Trying all four-digit PINs therefore requires no more than 800 seconds, a little more than 13 minutes. However, if the user chooses a six-digit PIN, the maximum time required would be 22 hours; a nine-digit PIN would require 2.5 years, and a 10-digit pin would take 25 years. That’s good enough for most corporate secrets—and probably good enough for most criminals as well.

Leaving aside the user practice questions—my guess is that very few users, even those with something to hide, use a ten-digit PIN—could this possibly be true? In the introduction to Applied Cryptography, almost 20 years ago, I wrote: “There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files.”

Since then, I’ve learned two things: 1) there are a lot of gradients to kid sister cryptography, and 2) major government cryptography is very hard to get right. It’s not the cryptography; it’s everything around the cryptography. I said as much in the preface to Secrets and Lies in 2000:

Cryptography is a branch of mathematics. And like all mathematics, it involves numbers, equations, and logic. Security, palpable security that you or I might find useful in our lives, involves people: things people know, relationships between people, people and how they relate to machines. Digital security involves computers: complex, unstable, buggy computers.

Mathematics is perfect; reality is subjective. Mathematics is defined; computers are ornery. Mathematics is logical; people are erratic, capricious, and barely comprehensible.

If, in fact, we’ve finally achieved something resembling this level of security for our computers and handheld computing devices, this is something to celebrate.

But I’m skeptical.

Another article.

Slashdot has a thread on the article.

EDITED TO ADD: More analysis. And Elcomsoft can crack iPhones.

Posted on August 21, 2012 at 1:42 PMView Comments

Police Sting Operation Yields No Mobile Phone Thefts

Police in Hastings, in the UK, outfitted mobile phones with tracking devices and left them in bars and restaurants, hoping to catch mobile phone thieves in the act. But no one stole them:

Nine premises were visited in total and officers were delighted that not one of the bait phones was ‘stolen’. In fact, on nearly every occasion good hearted members of the public handed them to bar or security staff.

I’m not sure about the headline: “Operation Mobli deters mobile phone thieves in Hastings.”

There are two things going on here. One, people are generally nice and will return property to its rightful owner. Two, it’s hard for the average person to profit from a stolen cell phone. He already has a cell phone that’s assigned to his phone number. He doesn’t really know if he can sell a random phone, especially one assigned to the number of someone who had her phone stolen. Yes, professional phone thieves know what to do, but what’s the odds that one of those is dining out in Hastings on a particular night?

Posted on July 26, 2012 at 6:55 AMView Comments

The Banality of Surveillance Photos

Interesting essay on a trove on surveillance photos from Cold War-era Prague.

Cops, even secret cops, are for the most part ordinary people. Working stiffs concerned with holding down jobs and earning a living. Even those who thought it was important to find enemies recognized the absurdity of their task.

I take photos all the time and these empty blurry frames tell me that they were made intentionally. Shot out of boredom, as little acts of defiance, the secret police wandered the streets of Prague for twenty years taking lousy pictures of people from far away because a job is a job.

Occasionally something interesting happened, like spotting a hot stylish, American made Ford Mustang Sally. However, it must have been an awful job, with dull days that turned into months and years, of killing time between lunch and dinner.

Posted on May 24, 2012 at 6:17 AMView Comments

Biometric Passports Make it Harder for Undercover CIA Officers

Last year, I wrote about how social media sites are making it harder than ever for undercover police officers. This story talks about how biometric passports are making it harder than ever for undercover CIA agents.

Busy spy crossroads such as Dubai, Jordan, India and many E.U. points of entry are employing iris scanners to link eyeballs irrevocably to a particular name. Likewise, the increasing use of biometric passports, which are embedded with microchips containing a person’s face, sex, fingerprints, date and place of birth, and other personal data, are increasingly replacing the old paper ones. For a clandestine field operative, flying under a false name could be a one-way ticket to a headquarters desk, since they’re irrevocably chained to whatever name and passport they used.

“If you go to one of those countries under an alias, you can’t go again under another name,” explains a career spook, who spoke on condition of anonymity because he remains an agency consultant. “So it’s a one-time thing—one and done. The biometric data on your passport, and maybe your iris, too, has been linked forever to whatever name was on your passport the first time. You can’t show up again under a different name with the same data.”

Posted on April 26, 2012 at 6:57 AMView Comments

Bomb Threats As a Denial-of-Service Attack

The University of Pittsburgh has been the recipient of 50 bomb threats in the past two months (over 30 during the last week). Each time, the university evacuates the threatened building, searches it top to bottom—one of the threatened buildings is the 42-story Cathedral of Learning—finds nothing, and eventually resumes classes. This seems to be nothing more than a very effective denial-of-service attack.

Police have no leads. The threats started out as handwritten messages on bathroom walls, but are now being sent via e-mail and anonymous remailers. (Here is a blog and a
Google Docs spreadsheet documenting the individual threats.)

The University is implementing some pretty annoying security theater in response:

To enter secured buildings, we all will need to present a University of Pittsburgh ID card. It is important to understand that book bags, backpacks and packages will not be allowed. There will be single entrances to buildings so there will be longer waiting times to get into the buildings. In addition, non-University of Pittsburgh residents will not be allowed in the residence halls.

I can’t see how this will help, but what else can the University do? Their incentives are such that they’re stuck overreacting. If they ignore the threats and they’re wrong, people will be fired. If they overreact to the threats and they’re wrong, they’ll be forgiven. There’s no incentive to do an actual cost-benefit analysis of the security measures.

For the attacker, though, the cost-benefit payoff is enormous. E-mails are cheap, and the response they induce is very expensive.

If you have any information about the bomb threatener, contact the FBI. There’s a $50,000 reward waiting for you. For the university, paying that would be a bargain.

Posted on April 12, 2012 at 1:34 PMView Comments

Law Enforcement Forensics Tools Against Smart Phones

Turns out the password can be easily bypassed:

XRY works by first jailbreaking the handset. According to Micro Systemation, no ‘backdoors’ created by Apple used, but instead it makes use of security flaws in the operating system the same way that regular jailbreakers do.

Once the iPhone has been jailbroken, the tool then goes on to ‘brute-force’ the passcode, trying every possible four digit combination until the correct password has been found. Given the limited number of possible combinations for a four-digit passcode—10,000, ranging from 0000 to 9999—this doesn’t take long.

Once the handset has been jailbroken and the passcode guessed, all the data on the handset, including call logs, messages, contacts, GPS data and even keystrokes, can be accessed and examined.

One of the morals is to use an eight-digit passcode.

EDITED TO ADD (4/13): This has been debunked. The 1Password blog has a fairly lengthy post discussing the details of the XRY tool.

Posted on April 3, 2012 at 2:01 PMView Comments

1 7 8 9 10 11 28

Sidebar photo of Bruce Schneier by Joe MacInnis.