When the mainstream media first announced Barack Obama's "victory" in keeping his BlackBerry, the focus was on the security of the device, and keeping the U.S. president's e-mail communications private from spies and hackers.
The news coverage and analysis by armchair security experts thus far has failed to focus on the real threat: attacks against President Obama's location privacy, and the potential physical security risks that come with someone knowing the president's real-time physical location.
President Obama and his BlackBerry at the White House in late January.
(Credit: UPI Photo/Ron Sachs/Pool)
Serial numbers
Before we dive in, let's take a moment to note that each mobile phone has a unique serial number, known as an IMEI, or MEID. This unique number is transmitted in clear text, every time the phone communicates with a nearby cell tower. Thus, while the contents of a phone call or the data session (for e-mail) are usually encrypted, anyone with the right equipment can home in on a particular IMEI and identify the location of the source of that signal.
The most common device used to locate a phone by its IMEI is a "Triggerfish", a piece of equipment that is routinely used by law enforcement and intelligence agencies. This kind of device tricks nearby cell phones into transmitting their serial numbers and other information by impersonating a cell tower.
The devices, which are actually fairly low-tech, were used to hunt down famed hacker Kevin Mitnick back in the 1990s. Most interesting of all, according to Department of Justice documents, Triggerfish can be used to reveal a suspect's location "without the user knowing about it and without involving the cell phone provider."
The expensive brand-name Triggerfish devices, made by the Harris Corp., are sold only to government agencies. However, it is almost certain that foreign governments have similar technology. Furthermore, someone with a low budget could likely use the open-source GNU Radio platform, which can already decipher GSM signals, to roll their own phone sniffer.
Finding Obama
We know that the president has been given a White House-issued BlackBerry phone. As a result, Obama's smartphone is broadcasting its IMEI serial number for anyone with the right equipment to detect.
Of course, the president is never alone, and so it is likely that anyone sniffing the wireless spectrum near the president would pick up hundreds of different BlackBerrys in the area.
However, Obama's aides do have to go home at some point, whereas Obama sleeps at the White House. This means that over the course of several days or weeks, it should be possible for a patient adversary to determine which IMEI belongs to the president's phone, and which IMEIs are associated with the phones of aides, simply by following the president (at a distance) and monitoring the spectrum at all hours.
As staffers go home for the evening, and Secret Service agents rotate out of duty, an adversary can strike their IMEI numbers off of the list. Within days, that initial list of 100 BlackBerrys can be reduced down to a single IMEI identifying the president's phone.
Were someone to learn the president's IMEI, they could use it to gain valuable (and dangerous) information. For example, by pointing an antenna at the White House, it'd be possible to instantly determine if the president was inside. With a sophisticated-enough antenna, it might even be possible to determine which vehicle the president is sitting in while traveling in a motorcade, or to determine if the Secret Service is driving an empty limousine along a high-profile route to draw attention, while the president travels to a venue in an unmarked vehicle. The digital trail left by the president's BlackBerry would soon announce his presence to those keeping an eye out for his IMEI.
I am sure that others could come up with even more nefarious uses for real-time access to the president's physical location. I will leave that task to the blogosphere.
Burners
The simple solution to this problem, of course, is for the President to regularly change his IMEI serial number by getting a new phone. However, this presents another problem: that of the odd man out.
Imagine that foreign spies point a directional antenna at the White House and are thus able to capture the IMEI numbers of Obama and his team, as they leave and return to the White House from various events.
If a new IMEI number were to suddenly appear, be used for one week, disappear, and then be replaced by a new IMEI, which was also used for a week, before also disappearing, it would soon be obvious that a single person was changing phones. This pattern would be even more obvious, if everyone else in the president's entourage kept using their own phone--and thus broadcast the same IMEI, week after week.
Simply put, the only way that President Obama can gain some level of anonymity with regard to his IMEI number is if everyone in his team also changes their IMEI numbers with the same regularity.
Fans of the HBO TV show The Wire (a group that includes Obama) will no doubt remember the use of cheap prepaid "burner" phones by the fictional drug dealers. In order to avoid being wiretapped by the police, the entire criminal gang would dispose of their phones at once and switch to brand-new devices.
Essentially, the White House needs to start using burners.
Cost-effective protection
It would be extremely expensive (and wasteful) for the president and his staff to get a new BlackBerry each week. Luckily, there are two options available to the White House tech staff that allow them to protect the president's location privacy in a cost-effective (and environmentally friendly) way:
First, the White House geek team can simply shuffle the BlackBerrys used by the President's staff. That is, take away everyone's phone, mix them up, restore the software to the factory default, then issue a "new" phone to each staffer.
Within minutes, the phones would synchronize with the White House e-mail servers, and thus the "new" devices would have instant access to the e-mails and information that had been on the previous device.
The inconvenience factor of such a solution could also be significantly reduced by having twice as many phones as employees--that way, staff would not have to go without their phone for more than a minute or two, as they were swapped each week.
As long as this shuffling of phones were done randomly, the IMEI numbers would be sufficiently anonymized. Sure, a potential attacker would know that the device belonged to a member of the White House staff, but they would not know whether it belonged to a lowly intern, the press secretary, or the president.
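To make the argument of the last few sections concrete, here is a small simulation, added for this post and not part of the original article. It models the "patient adversary" from the Finding Obama section as nothing more than set intersection over sniffing windows, and compares three policies: fixed phones, the president alone swapping phones weekly (the odd-man-out problem), and the whole team's phones being shuffled. The staff names and serials are placeholders; the daily presence schedule is constructed; and the shuffle is a cyclic rotation rather than a random one so that the result is reproducible.

```python
from typing import Dict, List, Set

# Constructed sample data: placeholder staffers and placeholder serial numbers.
PEOPLE = ["president", "chief_of_staff", "press_secretary", "intern"]
POOL = ["IMEI-A", "IMEI-B", "IMEI-C", "IMEI-D"]

# Who is within radio range of the sniffer in each window of a day.
# The resident (the president) is present in every window; others drop out.
DAY_SCHEDULE = [
    {"president", "chief_of_staff", "press_secretary", "intern"},  # office hours
    {"president", "chief_of_staff"},                               # evening
    {"president"},                                                 # overnight
]


def observe(assignment: Dict[str, str], present: Set[str]) -> Set[str]:
    """One sniffing window: the serials of everyone present, nothing more."""
    return {assignment[person] for person in present}


def persistent_imeis(windows: List[Set[str]]) -> Set[str]:
    """Serials seen in every window; only these can belong to the resident."""
    result = set(windows[0])
    for window in windows[1:]:
        result &= window
    return result


def weekly_observations(assignments: List[Dict[str, str]],
                        days_per_week: int = 7) -> List[List[Set[str]]]:
    """All windows of each week, recorded under that week's phone assignment."""
    return [[observe(a, present) for _ in range(days_per_week) for present in DAY_SCHEDULE]
            for a in assignments]


def fixed_assignments(n_weeks: int) -> List[Dict[str, str]]:
    """Everyone keeps the same phone."""
    return [dict(zip(PEOPLE, POOL)) for _ in range(n_weeks)]


def president_only_rotation(n_weeks: int) -> List[Dict[str, str]]:
    """Only the president gets a fresh serial each week."""
    out = []
    for k in range(n_weeks):
        a = dict(zip(PEOPLE, POOL))
        a["president"] = f"IMEI-NEW{k}"
        out.append(a)
    return out


def shuffled_assignments(n_weeks: int) -> List[Dict[str, str]]:
    """The whole pool is reassigned each week (cyclic shift stands in for a
    random shuffle so the outcome is deterministic); every phone stays in use."""
    out = []
    for k in range(n_weeks):
        shift = k % len(POOL)
        out.append(dict(zip(PEOPLE, POOL[shift:] + POOL[:shift])))
    return out


def analyse(weeks: List[List[Set[str]]]):
    """What the sniffer can conclude: the per-week candidate, any serial that
    survives across all weeks, and serials that appear in exactly one week."""
    per_week = [persistent_imeis(w) for w in weeks]
    long_term = persistent_imeis(per_week)
    weeks_seen: Dict[str, int] = {}
    for w in weeks:
        for imei in set().union(*w):
            weeks_seen[imei] = weeks_seen.get(imei, 0) + 1
    short_lived = {imei for imei, n in weeks_seen.items() if n == 1}
    return per_week, long_term, short_lived


if __name__ == "__main__":
    for name, policy in [("fixed", fixed_assignments),
                         ("president only", president_only_rotation),
                         ("everyone shuffled", shuffled_assignments)]:
        per_week, long_term, short_lived = analyse(weekly_observations(policy(4)))
        print(f"{name:18} per-week={per_week} persistent={long_term} one-week-only={short_lived}")
```

With fixed phones the same serial survives every window of every week, which is the tracking beacon the post describes. When only the president rotates, no serial persists, but the one-week-only set contains exactly the president's fresh serials, so the rotation itself becomes the identifier. When the whole pool is shuffled, a serial can still be singled out within a week, yet nothing persists across weeks and no serial looks unusual, which is the property the shuffling proposal relies on.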
A slightly more laborious method would be to hack the software running on the BlackBerrys and flash the devices with a new serial number. While this is quite possibly a violation of the Digital Millennium Copyright Act (which prohibits most forms of phone hacking), it is unlikely that Research In Motion (which makes the BlackBerry) would sue the White House for engaging in such reverse engineering.
Of course, the downside of giving each phone a new serial number is that these phones would then need to be re-registered with the wireless communication company, which would otherwise refuse to provide the devices with service. However, this additional burden for the White House techies would yield significant security benefits, as each phone would be given a clean IMEI number not associated with the White House.
Insiders
In this article, I've focused solely on the scenario of a bad guy with an antenna. There is also the very real (and significant) risk of an insider working for the phone company.
Insiders are a notoriously difficult security problem to fix, something Obama has likely already learned, after his passport file was read by a contractor working for the State Department.
Even if every person working for the White House's telecommunications carrier were honest, it could also be possible to social-engineer the information out of a customer service representative (otherwise known as "pretexting").
Alternatively, an adversary could simply hack into the computer systems used by the phone company in order to get information on Obama's phone. It was this latter approach that was followed by an unknown attacker who was able to spy on the phone calls of more than 100 Greek government officials during the 2004 Olympics.
Foreign trips
President Obama is likely to go on many foreign trips during his four (or more) years in office. In addition to burdening taxpayers with the obscene international roaming rates associated with his foreign BlackBerry usage, there are new and more serious security concerns to consider.
The federal government can most likely trust AT&T and the other wireless carriers. After all, they did join forces with the National Security Agency to spy on millions of Americans' phone calls without a warrant. The telecommunication companies in foreign countries are far less likely to be pro-United States, and in some cases, they are likely to be working closely with foreign intelligence agencies.
Thus, as long as President Obama keeps his BlackBerry turned on while he is in China, it is likely that the Chinese government will be closely monitoring his location, as reported by the president's phone to the Chinese government-owned phone company. The same sort of security issues will likely arise in many other countries.
Due to these security concerns, this blogger would be extremely surprised if the Secret Service permitted the President to use his BlackBerry when on foreign trips.
As you can see, the use of a BlackBerry by the president creates a number of very real security headaches that are no doubt keeping several people at the Secret Service awake at night. While the initial focus of the press was on the e-mail and smartphone technology in the president's phone, the real threats and risks are actually associated with more boring functions of the device.
Further reading: M. Jakobsson and S. Wetzel. "Security Weaknesses in Bluetooth" (PDF) describes some very similar location privacy attacks against mobile phones using Bluetooth-based sniffers.
Question: You're a multibillion dollar tech giant, and you've launched a new phone platform after much media fanfare. Then a security researcher finds a flaw in your product within days of its release. Worse, the vulnerability is due to the fact that you shipped old (and known to be flawed) software on the phones. What should you do? Issue an emergency update, warn users, or perhaps even issue a recall? If you're Google, the answer is simple. Attack the researcher.
With the news of a flaw in Google's Android phone platform making The New York Times on Friday, the search giant quickly ramped up the spin machine. After first dismissing the amount of damage to which the flaw exposed users, anonymous Google executives then attempted to discredit the security researcher, Charlie Miller, who's a former NSA employee turned security consultant. Miller, the unnamed Googlers argued, acted irresponsibly by going to The New York Times to announce his vulnerability instead of giving the Big G a few weeks or months to fix the flaw:
Google executives said they believed that Mr. Miller had violated an unwritten code between companies and researchers that is intended to give companies time to fix problems before they are publicized.
What the Googlers are talking about is the idea of "responsible disclosure," one method of disclosing security vulnerabilities in software products. While it is an approach that is frequently followed by researchers, it is not the only method available, and in spite of the wishes of the companies whose products are frequently analyzed, it is by no means the "norm" for the industry.
Another frequently used method is that of "full disclosure"--in which a researcher will post complete details of a vulnerability to a public forum (typically a mailing list dedicated to security topics). This approach is often used by researchers when they have discovered a flaw in a product made by a company with a poor track record of working with researchers--or worse, threatening to sue them. For example, some researchers refuse to provide Apple with any advanced notification, due to its past behavior.
A third method involves selling information on the vulnerabilities to third parties (such as TippingPoint and iDefense)--who pass that information on to their own customers, or perhaps keep it for themselves. Charlie Miller, the man who discovered the Android flaw, has followed this path in the past, most notably when he sold details of a flaw in the Linux kernel to the U.S. National Security Agency for $50,000 (PDF).
Google's poor track record
First, consider the fact that security is a two-sided coin. If Google wants researchers to come to it first with vulnerability information, it is only fair to expect that Google be forthcoming with the community (and the general public) once the flaw has been fixed. Google's approach in this area is that of total secrecy--not acknowledging flaws, and certainly not notifying users that a vulnerability existed or has been fixed. Google's CIO admitted as much in a 2007 interview with The Wall Street Journal:
Regarding security-flaw disclosure, Mr. Merrill says Google hasn't provided much because consumers, its primary users to date, often aren't tech-savvy enough to understand security bulletins and find them "distracting and confusing." Also, because fixes Google makes on its servers are invisible to the user, notification hasn't seemed necessary, he says.
Second, companies do not have a right to expect "responsible disclosure." It is a mutual compromise, where the researchers provide the company with advanced notification in exchange for some form of assurance that the company will act reasonably, keep the lines of communication open, and give the researcher full credit once the vulnerability is fixed.
Google's track record in this area leaves much to be desired. Many top-tier researchers have not been credited for disclosing flaws, and in some cases, Google has repeatedly dragged its feet in fixing flaws. The end result is that many frustrated researchers have opted to follow the full-disclosure path, after hitting a brick wall when trying to provide Google with advanced notice.
I can personally confirm this experience, after I discovered a fairly significant flaw in a number of commercial Firefox toolbars back in 2007. While Mozilla and Yahoo replied to my initial e-mail within a day or so and kept the lines of communication open, Google repeatedly stonewalled me, and I didn't hear anything from them for weeks at a time. Eventually, Google fixed the flaw a day or two after I went public with the vulnerability, 45 days after I had originally given the company private notice. As a result, I have extreme sympathy for those in the research community who have written Google off.
A rather unimpressive vulnerability
Once we actually look into the details of the vulnerability, and Miller's disclosure, the situation looks even worse for Google.
A known vulnerability: The Android platform is built on top of more than 80 open-source libraries and programs. This particular flaw had been known about for some time and already fixed in the current version of the open-source libraries. The flaw in Google's product only exists because the company shipped out-of-date software, which was known to be vulnerable.
Advanced notice: While the anonymous Google executives criticized Miller for not following responsible disclosure practices, it is worth noting that the researcher did provide Google with early notice--informing the company on the 20th of October. It is also important to note that Miller and his colleagues have yet to actually provide full information on the vulnerability or a working proof-of-concept exploit to the security community. Thus, it can hardly be said that Miller followed the full-disclosure path.
If Google can criticize Miller at all, it cannot be for not warning the company, but perhaps for not providing them with enough warning. However, given that Google shipped known-vulnerable software to hundreds of thousands of users, and that fixed versions of the vulnerable software packages have been available for some time, it is difficult for this blogger to sympathize with the folks in Mountain View.
Furthermore, given Mr. Miller's previous mercenaryish history of selling software vulnerabilities to the National Security Agency (which presumably used the flaws to break into foreign government computers, and not in order to fix the vulnerable software), we should be happy that he is at least now sharing the existence of this flaw with the public. At least this way, developers have a good chance of finding and fixing it.
Disclosure: In the summer of 2006, I worked as an intern for the Application Security Team at Google. Furthermore, between 2003 and 2005, I was a student at Johns Hopkins University and was advised by Prof. Avi Rubin, who is one of the founders of Independent Security Evaluators, the company that employs Charlie Miller. A couple of my former colleagues also now work for ISE. I have not spoken with them (or anyone at Google) about this article.
Updated Jan 27, 2009 with a comment from the Turkish Government. See below.
When criminals turn to disk encryption to hide the evidence of their crimes, law enforcement investigations can hit a brick wall. Where digital forensics software has failed to recover encryption passwords, one tried and true technique remains: violence. It is this more aggressive form of good-cop, bad-cop behavior which the Turkish government is alleged to have turned to, in order to learn the cryptographic keys of one of the primary ringleaders in the TJ Maxx credit card theft investigation.
The 2005 theft of tens of millions of credit card numbers from an unsecured wireless network run by TJ Maxx stores has led to over 150 million dollars in damages for the company. The two gentlemen behind the heist sold the pilfered credit card information to others online. Eventually, the stolen cards reached Maksym Yastremskiy, a Ukrainian citizen, and, according to media reports, a "major figure in the international sale of stolen credit card information."
Mr Yastremskiy was later arrested in 2007, while on vacation in Turkey. The US government has formally requested that Yastremskiy be extradited, and has charged him with a number of crimes including aggravated identity theft.
According to comments allegedly made by Howard Cox, a US Department of Justice official in a closed-door meeting last week, after being frustrated with the disk encryption employed by Yastremskiy, Turkish law enforcement may have resorted to physical violence to force the password out of the Ukrainian suspect.
Mr Cox's revelation came in the context of a joke made during his speech. While the exact words were not recorded, multiple sources have verified that Cox quipped about leaving a stubborn suspect alone with Turkish police for a week as a way to get them to voluntarily reveal their password. The specifics of the interrogation techniques were not revealed, but all four people I spoke to stated that it was clear that physical coercion was the implied method.
The Turkish interrogation seemed to have worked as Mr Cox was even able to share Yastremskiy's encryption password with the audience.
Mr Cox, the Assistant Deputy Chief for the DOJ's Computer Crime and Intellectual Property Section, made the comments during his keynote talk at an invitation only event for academic and industry experts focused on phishing related crimes. This blogger has spoken to four sources, each in independent interviews, who claim to have witnessed Mr. Cox making such statements. However, due to the closed-door nature of the event, and fearing that coming forward publicly would lead to them being blackballed from future information sharing sessions, no one would go on the record to make their claims.
If Mr Yastremskiy is successfully extradited to the United States, it is unclear if the evidence from his encrypted disk could be used against him in court. It also remains an open question as to how much the US knew about the alleged beating of Yastremskiy by the Turkish authorities, and when.
If Mr Cox's alleged comments are indeed true, this is alarming news. The majority of cryptographic tools in use today are designed around the general assumption that an end-user can refuse to disclose his or her key if the computer is seized. While password discovery via torture is something that has been discussed in the academic literature for a number of years (it is commonly known as rubber-hose cryptanalysis), it has for the most part remained a theoretical threat. A few tools, such as TrueCrypt, are designed to resist such attacks, and thus use deniable encryption -- that is, making it impossible for someone to examine a computer and be able to determine if there is anything encrypted on the disk. Some tools even allow for multiple deniable encrypted folders, each with a different password.
Of course, TrueCrypt and other tools that have adopted deniable cryptography do not stop government agents from torturing a suspect. It just means that they cannot be sure when to stop the beatings, as there could always be one additional hidden file on the disk.
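The property described above, that an examiner cannot tell whether a disk holds a hidden volume at all, comes down to one design rule: free space is filled with random bytes, and a hidden volume is ciphertext that is indistinguishable from that filler. The toy below is an added illustration written for this post; it is not TrueCrypt's on-disk format or code. The container layout, the fixed hidden slot, the `MAGIC` marker, and the SHA-256 counter-mode keystream are all constructed for the example, and the keystream is for illustration only, not a cipher to deploy.

```python
import hashlib
import math
import os
from collections import Counter
from typing import Optional

# Constructed toy layout: a small "disk" with one fixed slot where a hidden
# volume may or may not live. Real tools use far larger, variable layouts.
CONTAINER_SIZE = 4096
HIDDEN_OFFSET = 2048      # the slot sits inside what looks like free space
HIDDEN_SIZE = 1024
MAGIC = b"HIDDENV1"       # only recoverable when the right key is supplied


def derive_key(password: str, salt: bytes) -> bytes:
    """Password-based key; the salt is taken from the container's random filler."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, used here as a stand-in for a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def new_container() -> bytes:
    """Every byte of free space is random, so an empty container and one holding
    a hidden volume are drawn from the same distribution."""
    return os.urandom(CONTAINER_SIZE)


def write_hidden(container: bytes, password: str, data: bytes) -> bytes:
    """Return a copy of the container with `data` encrypted into the hidden slot."""
    if len(data) > HIDDEN_SIZE - len(MAGIC) - 4:
        raise ValueError("data does not fit in the hidden slot")
    plaintext = MAGIC + len(data).to_bytes(4, "big") + data
    plaintext += os.urandom(HIDDEN_SIZE - len(plaintext))   # random padding
    key = derive_key(password, container[:16])               # first 16 bytes act as salt
    ciphertext = xor_bytes(plaintext, keystream(key, HIDDEN_SIZE))
    return container[:HIDDEN_OFFSET] + ciphertext + container[HIDDEN_OFFSET + HIDDEN_SIZE:]


def open_hidden(container: bytes, password: str) -> Optional[bytes]:
    """Decrypt the slot; a wrong password and an absent volume look identical."""
    key = derive_key(password, container[:16])
    slot = container[HIDDEN_OFFSET:HIDDEN_OFFSET + HIDDEN_SIZE]
    plaintext = xor_bytes(slot, keystream(key, HIDDEN_SIZE))
    if not plaintext.startswith(MAGIC):
        return None
    n = int.from_bytes(plaintext[len(MAGIC):len(MAGIC) + 4], "big")
    return plaintext[len(MAGIC) + 4:len(MAGIC) + 4 + n]


def byte_entropy(blob: bytes) -> float:
    """Shannon entropy in bits per byte; the only statistic an examiner has."""
    total = len(blob)
    return -sum(c / total * math.log2(c / total) for c in Counter(blob).values())


if __name__ == "__main__":
    empty = new_container()
    full = write_hidden(empty, "correct horse", b"constructed sample secret")
    print("empty entropy", round(byte_entropy(empty), 3))
    print("full  entropy", round(byte_entropy(full), 3))
    print("right password:", open_hidden(full, "correct horse"))
    print("wrong password:", open_hidden(full, "guess"))
```

Note what `open_hidden` returns for a wrong password and for a container that never held anything: the same `None`. That is exactly the situation the post describes, where an interrogator who already has one password has no way of knowing whether a second one exists.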
Multiple requests for comment, by both phone and email to Howard Cox and the DOJ Office of Public Affairs have been ignored. Similarly, the Turkish embassy in Washington DC had not responded to a request for comment by press time.
A Freedom of Information Act request has been submitted for the slides and notes for Mr Cox's speech, however, this could take months or years before any information is returned.
Update: On January 27, 2009, Berkan Pazarcı, the First Secretary at the Turkish Embassy in Washington DC replied to the request for a comment that I sent back in October of 2008:
The Turkish Ministry of Justice informed the Embassy that Maksym Yastremskiy has not filed any complaint for being subject to ill-treatment or police violence or brutality. The medical reports issued by the Turkish forensic medicine clearly state that no signs of physical harm have been detected on his body.
Disclosure:
Mr Cox presented at a closed-door session at the Anti-Phishing Working Group e-Crime summit. I presented at the same conference the next day, at a session open to the general public. My hotel and airplane ticket were paid for by the APWG, as part of a scholarship program for graduate students.
In 2006, the FBI investigated me for some of my research into boarding pass security. While no charges were ever filed, it's reasonable to state that I have little affection for the DOJ computer crimes section.
Finally, due to the fact that the Turkish government is involved, it is worth mentioning that I am 50% Armenian by blood. Several generations ago, a number of my family members died at the hands of the Ottoman Empire (now Turkey). I do not have an axe to grind in this area, but in the interest of honest disclosure, I thought it should be mentioned here.
How popular can a piece of software get before being in "beta" is no longer a legitimate excuse for known software flaws? Or, to put it another way, is it responsible to allow hundreds of thousands of people to install your product, when you know ahead of time that doing so opens them up to attack?
The software visionaries at the Mozilla Corporation, which makes the popular Firefox web browser, have taken the approach that creativity and functionality is king--even if security has to take a backseat. Case in point: The widely praised "Ubiquity" software add-on, which brings an amazingly rich and extensible new form of interaction to the Firefox Web browser.
The technology press has showered praise upon the developers of this software tool. However, in prioritizing functionality over security, Mozilla Labs punted complex trust choices to end users--the vast majority of whom are ill-equipped to make such decisions. The end result is that the hundreds of thousands of users of Ubiquity face a significant risk of browser hijacking by attackers, which could result in the theft of e-mail and online banking account information.
Mozilla's Ubiquity in Action
If you thought that the National Security Agency's warrantless wiretapping was limited to AT&T, Verizon and Sprint, think again.
While these household names of the telecom industry almost certainly helped the government to illegally snoop on their customers, statements by a number of legal experts suggest that collaboration with the NSA may run far deeper into the wireless phone industry. With over 3,000 wireless companies operating in the United States, the majority of industry-aided snooping likely occurs under the radar, with the dirty-work being handled by companies that most consumers have never heard of.
A recent article in the London Review of Books revealed that a number of private companies now sell off-the-shelf data-mining solutions to government spies interested in analyzing mobile-phone calling records and real-time location information. These companies include ThorpeGlen, VASTech, Kommlabs, and Aqsacom--all of which sell "passive probing" data-mining services to governments around the world.
ThorpeGlen, a U.K.-based firm, offers intelligence analysts a graphical interface to the company's mobile-phone location and call-record data-mining software. Want to determine a suspect's "community of interest"? Easy. Want to learn if a single person is swapping SIM cards or throwing away phones (yet still hanging out in the same physical location)? No problem.
In a Web demo (PDF) (mirrored here) to potential customers back in May, ThorpeGlen's vice president of global sales showed off the company's tools by mining a dataset of a single week's worth of call data from 50 million users in Indonesia, which it has crunched in order to try and discover small anti-social groups that only call each other.
Clearly, this is creepy, yet highly lucrative, stuff. The fact that human-rights abusing governments in the Middle East and Asia have deployed these technologies is not particularly surprising. However, what about our own human-rights-abusing government here in the U.S.? Could it be using the same data-mining tools?
To get a few answers, I turned to Albert Gidari, a lawyer and partner at Perkins Coie in Seattle who frequently represents the wireless industry in issues related to location information and data privacy.
When asked if there is a market for these kinds of surveillance data-mining tools in the U.S., Gidari told me: "Of course. It is a global market and these companies have partners in the U.S. or competitors."
The question is not if the government would like to use these tools--after all, what spy wouldn't want to have point-and-click real-time access to the location information on millions of Americans? The real mystery is how the heck the National Security Agency can legally get access to such large datasets of real-time location information and calling records. The answer to that, Gidari said, is the thousands of other, lesser-known companies in the wireless phone and communications industry.
The massive collection of customer data comes down to the interplay of two specific issues: First, thousands of companies play small, niche support roles in the wireless phone industry, and as such these firms learn quite a bit about the calling habits of millions of U.S. citizens. Second, the laws relating to information sharing and wiretapping specifically regulate companies that provide services to the general public (such as AT&T and Verizon), but they do not cover the firms that provide services to the major carriers or connect communications companies to one another.
Thus, while it may be impossible for the NSA to legally obtain large-scale, real-time customer location information from Verizon, the spooks at Fort Meade can simply go to the company that owns and operates the wireless towers that Verizon uses for its network and get accurate information on anyone using those towers--or go to other entities connecting the wireless network to the landline network. The wiretapping laws, at least in this situation, simply don't apply.
Gidari explained it as follows:
Networks are more and more disaggregated and outsourced, from customer service call centers overseas with full viewing access to data to key infrastructure components and processing. A single communication is handled by many more parties than the named provider today. Moreover, interoperability protocols include network identifiers--send a message from company A to company B and the acknowledgment of delivery may include location and other information. That's just the way the system is designed--location was about billing in the early years and no one bothered to undo the existing protocols when business models changed and interoperability became common practice or a myriad of new messaging companies came into being...So my point is that there are many access points--albeit less convenient than one-stop shopping at the big carriers--to get information including real-time data.
ThorpeGlen's product appears to be a mashup of Google Earth + phone location data (in this case, from 50 million people in Indonesia)
(Credit: ThorpeGlen)
For example, if a Sprint Wireless customer in Virginia calls a relative in Montana--who is a customer of a small, regional landline carrier--information on the callers will spread far beyond just those two communications companies.
Sprint doesn't own any of its own cellular towers, and so TowerCo, the company that owns and operates the towers, of course, learns some information on every mobile phone that communicates with one of its towers. This is just the tip of the iceberg, though. There are companies that provide "backhaul" connections between towers and the carriers, providers of sophisticated billing services, outsourced customer-service centers, as well as Interexchange Carriers, which help to route calls from one phone company to another. All of these companies play a role in the wireless industry and have access to significant amounts of sensitive customer information, which of course, can be obtained (politely, or with a court order) by the government.
With the passage of laws like the FISA Amendments Act and the USA Patriot Act, in most cases, requests for customer information come with a gag order, forbidding the companies from notifying the public, or the end users whose calling information is being snooped upon. Gidari summed it up this way:
So any entity--from tower provider, to a third-party spam filter, to WAP gateway operator to billing to call center customer service--can get legal process and be compelled to assist in silence. They likely don't volunteer because of reputation and contractual obligations, but they won't resist either.
Seeking clarification, I turned to Paul Ohm, a former federal prosecutor turned cyberlaw professor at the University of Colorado Law School and a noted expert on surveillance laws.
Before getting into the details of the issue, Ohm first outlined the basic problem of the various wiretap and surveillance laws; they are extremely confusing and few people fully understand them. The 9th Circuit Court of Appeals seemed to share Ohm's view, stating a few years ago that the Electronic Communications Privacy Act is a "complex, often convoluted area of the law" (United States v. Smith, 155 F.3d 1051).
Ohm then said that the "one thing I can say with confidence is that you are correct to note that the [Stored Communication Act's] voluntary disclosure prohibitions (in 18 USC 2702(a)) apply only to providers to the public."
After describing all the ways that the government could legally collect real-time data on millions of U.S. citizens, Gidari said that essentially, the existence of such a program would likely remain a secret (barring a whistle-blower or leaks to the press by government officials). Summing it up, he stated that:
Whether [a] vendor to a carrier to the public cooperates with agencies (either for a fee or by acquiescence in an order), is something you will not find out as FISA makes it so, regardless of whether the person is in the U.S. or communicating with a person abroad. Such means and methods largely are hidden.
However, if the existence of such a program were ever confirmed, Ohm said that Congress would not be too happy:
If [the sharing of data by niche telecom providers] is seen as allowing an end-around an otherwise clear prohibition in the SCA, Congress is likely to throw a fit when it is revealed and try to amend the law. DOJ is sensitive to this kind of thing (despite what the NSA wiretapping program would lead you to believe) and would probably try to avoid blatantly bypassing otherwise clear language in this way.
A group of researchers from the University of Colorado and University of Washington could face both civil and criminal penalties for a research project in which they snooped on users of the Tor anonymous proxy network. Should federal prosecutors take interest in the project, the researchers could also face up to 5 years in jail for violating the Wiretap Act.
The team of two graduate students and three professors neither sought legal review of the project, nor ran it past the Human Subjects Committee at their university, putting them in a particularly dangerous position.
The academic paper, "Shining Light in Dark Places: Understanding the Tor Network" (pdf) was presented at the Privacy Enhancing Technologies Symposium yesterday, in Leuven, Belgium. The authors are listed as: Damon McCoy, Kevin Bauer, Dr. Dirk Grunwald, Dr. Tadayoshi Kohno and Dr. Douglas Sicker.
The goal of the project was to learn what kind of traffic was flowing over Tor -- a free network providing anonymous web and other Internet services to hundreds of thousands of users world-wide. Some of Tor's users include pro-democracy dissidents, journalists and bloggers in countries like China, Egypt and Burma who would otherwise face arrest and torture for their work.
Tor relies on volunteers who donate computing power and bandwidth to run approximately 2500 publicly accessible proxy servers, which are then used by hundreds of thousands of people to hide their Internet traffic.
In order to study Tor, the researchers set up their own 'exit node' server on the University of Colorado's high-speed network. For 4 days in December 2007, they logged and stored the first 150 bytes of each network packet that crossed their network, thus revealing what kind of traffic was crossing the network, and the remote websites that Tor users were visiting. While the authors do not state how many sessions they snooped on, they do state that their server carried over 700GB of data.
In a second part of the study, the researchers ran an 'entry node' to the network for 15 days, which allowed them to determine the source IP address of a large number of Tor users. They used this to learn which countries use Tor more heavily than others. Note that in this second part of the study, the researchers did not have access to the destination site information, nor were they able to observe the kinds of traffic going through their server.
The researchers found that HTTP (web traffic) was responsible for 58% of their server's bandwidth. They also found that the BitTorrent file-sharing protocol, while accounting for only 3% of the number of connections, was responsible for over 40% of the overall bandwidth. They also observed that German users were responsible for over 30% of the requests through their server.
No Legal Review Sought
In his presentation of the work at the PET Symposium yesterday, Kevin Bauer, one of the graduate students who wrote the paper, shed some light on the limited amount of legal analysis performed on the project.
Bauer said that the researchers "spoke informally with one lawyer, who told us that that area of the law is ill defined." Based on this, the researchers felt that it was "unnecessary to follow up with other lawyers."
The lawyer they spoke to was Professor Paul Ohm, who teaches at the University of Colorado Law School. Ohm has previously collaborated with two of the researchers on an earlier publication, which discussed the legal risks faced by academics engaged in network monitoring research. Ohm, a former federal computer crimes prosecutor, has also been the subject of some media attention in recent months, after he publicly stated that ISP-level advertising and traffic-shaping systems may violate US wiretap laws.
In a response to questions by this blogger, Professor Ohm seemed to attempt to distance himself from the researchers, writing by email:
I met with the research team once before they had finished their research, although I don't know how far along they were at that point. At the meeting, I gave them a very brief sketch about federal Wiretap law and they gave me a very brief sketch of their research. They seemed to have put in place a number of controls to try to minimize the risk of liability. I haven't seen the final paper (as far as I can recall).
I'm not their lawyer, and I've never been their lawyer, and I haven't produced any official or unofficial legal advice about their research, but because I spoke with them about this, I don't think it would be appropriate for me to give you any opinions about the research other than this brief statement.
Legal Risks
The Electronic Frontier Foundation, which wrote a legal guide for operators of Tor servers, strongly advises server administrators against snooping on their users. A section in the legal guide makes this clear:
Should I snoop on the plaintext that exits through my Tor relay?
No. You may be technically capable of modifying the Tor source code or installing additional software to monitor or log plaintext that exits your node. However, Tor relay operators in the U.S. can create legal and possibly even criminal liability for themselves under state or federal wiretap laws if they affirmatively monitor, log, or disclose Tor users' communications .... Do not examine the contents of anyone's communications without first talking to a lawyer.
While state laws vary, one immediate concern would be the Wiretap Act, a federal law that broadly prohibits snooping by network operators and others. The core prohibition of the Wiretap Act is found at section 2511(1)(a), which prohibits any person from intentionally intercepting, or attempting to intercept, any wire, oral, or electronic communication. A violation of these rules is a Class D felony, and can result in fines of up to $250,000 and up to 5 years in jail.
It is this same law that groups such as the ACLU and EFF sued AT&T and other telecom companies for violating, when they shared customer communication with the US National Security Agency. AT&T was able to obtain retroactive immunity from the US Congress, but only after spending tens of millions of dollars on lobbyists.
In order to learn more about the legal issues at play, I spoke with Kevin Bankston, the EFF lawyer who wrote the legal guide for Tor server operators, and who also led the EFF's lawsuit against AT&T. Bankston told me that:
"I agree that their logging the content exiting their nodes would appear to constitute interceptions of those electronic (not wire) communications under the Wiretap Act, and I don't think they qualify for the narrow provider exceptions [18 USC 2511, 2 (a) I], so I still see the same potential civil and criminal liability that was noted in our FAQ."
No Human Subjects Committee Review
In addition to possible legal issues, the project also raises serious ethical concerns related to the study of users' communications without their consent.
During his presentation, Bauer revealed that the researchers did not seek the approval of their university's Institutional Review Board -- a body that reviews research projects that involve human subjects. He said that "we were advised that it wasn't necessary," adding that the IRB review process is "used more in medical and psychology research at our university," and was not generally consulted in computer science projects.
Information listed on the website of the University of Colorado's Human Research Committee states that: "All research involving human participants that is conducted by UCB faculty, staff or students must receive some level of review by the Human Research Committee."
Of particular concern to all Institutional Review Boards is any research that involves the study of participants under the age of 18, and other at-risk or vulnerable persons. Given that the users of the Tor network have gone out of their way to seek anonymity, and that in some cases, their discovery could lead to arrest or torture, it would seem that these users would almost certainly be considered to be vulnerable. Furthermore, it is quite likely that the snooped communications include at least a few users under the age of 18 -- something that the researchers did not address in their paper.
In a paper published earlier this year, Dr. Simson Garfinkel explored some of the common myths and pitfalls for computer security researchers that study real users and their behavior, and the need to submit their projects to an IRB review.
Dr. Garfinkel specifically addresses one of the researchers' claims:
Myth: Because the Common Rule exempts research involving subjects that cannot be identified, IRB approval is not required when using anonymized data
Although this would certainly be convenient, most institutions only allow a determination of exemption to be made by the IRB itself.
A request for clarification on these issues left with the director of the University of Colorado Human Research Committee had not been returned by press time.
Other concerns
In addition to the issues surrounding US legal liability, and ethical concerns over human subject testing -- there is one other problem: international law.
While the researchers are Americans, and conducted their study on a server based in the US, there is certainly an international angle to their study. Users from around the world sent traffic through the researchers' server, and as such the stricter Canadian and European intercept and data privacy laws may apply.
Furthermore, one of the strongest privacy protections inherent in the Tor system is the complete lack of logging. That is, if law enforcement agencies approach a Tor server administrator seeking information on a user of the system, the admin can truthfully reply that they have no logs, and thus have nothing that they can be compelled to produce.
Taking questions before their presentation, two of the authors told me that they still have a copy of the data that they collected, and admitted that it was not currently stored on an encrypted disk. They did stress that it was, however, being kept in a "secure" location.
What this means of course, is that law enforcement agencies could easily subpoena this data, thus legally compelling the researchers into handing over the data. This places the users of the Tor network at a significant risk, one that certainly violates the expected social norms of the system.
During the question and answer session after his presentation, Bauer stated that the researchers were still not sure what they were going to do with the data set, and were exploring possibilities for releasing it to researchers in an anonymized and non-personally identifiable way. This statement was met with boos from the audience, which was mainly made up of privacy researchers and activists, a number of whom run their own legitimate Tor servers.
Caveat Emptor
While the US government did not send officials to this annual meeting of privacy researchers, the Canadian government did. A representative for Dr. Ann Cavoukian, the Information and Privacy Commissioner of Ontario, was in the audience during the presentation.
When asked for comment on the research project, and any potential impact for Canadian citizens who may have used the snooping Tor server, Cavoukian issued the following statement:
"Whether you run an ISP, a search engine, a Tor server node, or a research project, the principle of Data Minimization should rule. Universal privacy practices require that strong limits be placed on the processing and storage of personal data. In today's online world of constant data availability, privacy requires data minimization at every stage of the information life-cycle: If you don't need the data, don't collect it in the first place; if you don't need it any more, then destroy it securely -- don't keep it any longer than you need to. Full stop."
Wise words indeed.
Over the past few weeks, things have heated up again in Lebanon, with the U.S.-backed government on one side and the Syrian-backed Hezbollah on the other.
To many U.S. observers, this might be just another case of tensions flaring up in the Middle East. Do not be fooled. This is all about telecommunications policy--and the design of secure, attack-resistant data networks.
But first, a bit of background. Hezbollah and Israel have been at war for some time. In an effort to stop Hezbollah's guerrilla fighters from communicating, Israel has in the past jammed the cell phone towers in the Hezbollah-controlled areas in southern Lebanon. Eager to make sure that didn't happen again, Hezbollah has covertly built out a fiber-optic network throughout the areas it controls.
Jamming cell phones is relatively easy, as it is simply a matter of sending out radio waves. Disrupting a fiber-optic network, on the other hand, is extremely difficult. The Israelis would need to locate the individual fiber-optic lines, and then cut them. To do that, they'd need boots on the ground, in control. This is not something that Israel, or even the central Lebanese government, can currently do.
It seems that recently, the U.S.-backed central government of Lebanon tried to put an end to Hezbollah's private network. Hezbollah responded with force, eventually taking over West Beirut. As the Boston Globe recently reported:
(Hezbollah's leader, Hassan Nasrallah) said the government's decision to shut down Hezbollah's fiber-optic communications network was tantamount to a declaration of war. For the (central) government, the network represented an intolerable example of Hezbollah's efforts to set up an Iranian- and Syrian-backed state within Lebanon. Hezbollah justifies the network, which carried its communications during a 2006 war with Israel, as a vital security asset.
This sort of thing, as interesting as it is, is way out of my league. To get a better grasp of the situation, I spoke with John Robb, an expert in modern asymmetrical warfare, an author, and blogger.
Robb said Hezbollah is not alone in building out its own communications infrastructure. He said that it is fairly common for such groups and that a similar situation exists in the Sadr City area of Baghdad.
Yahoo, Cisco Systems, and other U.S. companies have been heavily criticized for their assistance of China and its so-called Great Firewall. Thinking along these lines, I asked Robb which U.S. companies might be manufacturing Hezbollah's equipment.
He responded that there is no reason to suspect that U.S. equipment was being used. He added that Chinese-made, no-name optical-networking gear is available in most of these markets and certainly available to Hezbollah. Even equipment five to seven years old, Robb said, would work for Hezbollah's needs.
As a technologist, and someone interested in tech policy, this is fascinating. We typically hear that developing countries are leapfrogging over the traditional wire-based network infrastructure, due to the costs involved, and going straight to mobile or Wi-Fi technologies. It's interesting to see that fiber-optic networks can play a vital role in these countries. It seems that when there is a real threat of network interruption and jamming, the cost and difficulty of laying the cable is worth it.
At the Freedom To Connect conference a few weeks back, Doc Searls coined the term "glass roots" to describe community-built fiber networks. That term doesn't quite apply here, so I'm going to quickly stake my claim to "fiber warfare" (fiber vs. cyber, get it?). Remember, you heard it here first.
With that out of the way, I thought it'd be fun to end on a snarky note. For the last six months, I suffered with an AT&T 3Mbps DSL line. So how would Hezbollah act as an ISP? Consider these questions:
- What, exactly, does Hezbollah consider to be "reasonable network management," and are its views on this area the same as Comcast's?
- Does Hezbollah block BitTorrent? Does it use Linux?
- Does Hezbollah offer so-called "naked" DSL?
- If I do not get satisfactory customer service from the Hezbollah ISP, what happens if I resort to a Consumerist.com-style executive e-mail carpet bomb? Will its executives bomb me back?
- How does Hezbollah respond to Digital Millennium Copyright Act cease-and-desist threats? If the RIAA and MPAA are too scared to send DMCA threats to Harvard, will they risk sending them to Hezbollah?
- If I pay my fiber network bill late, will Hezbollah terminate my connection, or me?
- We do not have competition in most U.S. markets, but instead have a duopoly of crappy DSL and evil cable. How many Americans would switch to Hezbollah's fiber network if it meant that they could use BitTorrent without Comcast "temporarily delaying" their data transfers? Could Hezbollah force the Federal Communications Commission to open up the market to real competition?
Update: For more info on Hezbollah's network infrastructure, check out this detailed report.
The United Kingdom has the most surveillance cameras per capita in the world. With the recent news that CCTV cameras do not actually deter crime, how can the local town councils justify the massive surveillance program? By going after pooping dogs.
In a recent interview with The Guardian, the head of the Metropolitan Police's Visual Images Office explained the failings of CCTV:
"Billions of pounds has been spent on it, but no thought has gone into how the police are going to use the images and how they will be used in court. It's been an utter fiasco: only 3 percent of crimes were solved by CCTV. There's no fear of CCTV. Why don't people fear it? (They think) the cameras are not working."
Conjuring up the bogeymen of terrorists, online pedophiles and cybercriminals, the U.K. passed a comprehensive surveillance law, The Regulation of Investigatory Powers Act, in 2000. The law allows "the interception of communications, carrying out of surveillance, and the use of covert human intelligence sources" to help prevent crime, including terrorism.
Recent reports in the U.K. media indicate that the laws are being used for everything but terrorism investigations:
- Derby City Council, Bolton, Gateshead, and Hartlepool used surveillance to investigate dog fouling.
- Bolton Council also used the act to investigate littering.
- The London borough of Kensington and Chelsea conducted surveillance on the misuse of a disabled parking pass.
- Liverpool City Council used RIPA to identify a false claim for damages.
- Conwy Council used the law to spy on a person who was working while off sick.
Privacy activists were, unsurprisingly, up in arms. Shami Chakrabarti, director of human rights group Liberty, told the BBC that "you don't use a sledgehammer to crack a nut, nor targeted surveillance to stop a litter bug." Liberty and other groups have called for a complete review of the law and its unplanned uses.
Is this surprising? Not really. Just as we've seen in the U.S., once law enforcement and intelligence agencies are given new unchecked powers, abuse tends to happen. The more secretive and unchecked the powers, the more widespread the abuse. (See: Warrantless wiretapping, detainee torture, COINTELPRO, The CIA's Operation Chaos.)
Thanks to Dizzy Thinks for the tip.
There is no right to privacy at international borders. For those of us with laptops, this presents a pretty major problem: How do we get through U.S. Customs with our beloved portable devices, without having Uncle Sam peeking at every e-mail we've sent, every MP3 we've listened to, and every "home movie" we've made?
The obvious solution, encryption, is not enough. Non-Americans have no right to enter the U.S. Don't want to hand over your encryption keys? No problem--but you will be put on the next airplane back to your home country (if you're lucky... If the government really doesn't like you, you may end up getting sent to Syria).
Those of us "lucky" enough to have a U.S. passport may be forced to enter the password for the data, if we want to avoid having the devices seized and never returned.
For travelers heading to countries other than the U.S., it can be even worse. Refusing to hand over your encryption key to a lawful request by British Police can result in jail time. Ouch.
CNET News.com's Declan McCullagh posted a guide to securing laptops for border searches back in March. The Electronic Frontier Foundation's Jennifer Granick wrote a blog post on the subject recently, in which she broke down the case law and offered a bit of advice. While both of these are interesting reads, neither includes the practical solution which I use.
Chris' Guide to Safe International Data Transport
- Before going on any international trip, back up all of your important and potentially embarrassing, incriminating, or troubling data. This includes any copyrighted content which you may not be able to prove you own.
- Create an encrypted disk image/encrypted folder of that data. This can be done with Pretty Good Privacy, TrueCrypt, or software built into many operating systems.
- Remember the password. This is very important, as if you forget it, you lose all your data.
- Upload the encrypted data to a reliable place on the Internet (or two). Personally, I use Amazon S3, which charges 15 cents per GB-month of storage plus 17 cents per GB of data transfer.
- Wipe your laptop clean (do this properly, or the data may be accessible after the fact with forensics software), and install a fresh copy of your OS onto it.
- Travel. You should have no problem at U.S. Customs (or in any other country) as you won't have anything problematic on your computer.
- At your hotel/office, fire up your Web browser and download the encrypted data file from Amazon's servers.
- Decrypt the data.
Once you are done with your trip, you can simply re-encrypt the data, upload it to Amazon again, and wipe the disk clean.
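Two steps in the procedure above fail silently when they go wrong: a misremembered passphrase, and a download that is not byte-for-byte what was uploaded. Both are discovered only after the laptop has been wiped. What follows is an added example, not from the post, of a small pre-flight check to run before wiping and again after downloading. It does not encrypt anything (the post leaves that to PGP, TrueCrypt or the OS); it records a SHA-256 of the already-encrypted archive and a PBKDF2 verifier of the passphrase in a manifest, and checks both. The manifest layout and the function names are my own.

```python
import hashlib
import hmac
import json
import os

PBKDF2_ITERATIONS = 600_000  # deliberately slow; raise it if your laptop can afford it


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _derive(passphrase: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)


def make_manifest(archive: bytes, passphrase: str) -> dict:
    """Build the manifest before uploading: what an intact download and the
    right passphrase look like. `archive` is the already-encrypted image."""
    salt = os.urandom(16)
    return {
        "archive_sha256": sha256_hex(archive),
        "archive_size": len(archive),
        "kdf": "pbkdf2-sha256",
        "kdf_salt": salt.hex(),
        "kdf_iterations": PBKDF2_ITERATIONS,
        "passphrase_verifier": _derive(passphrase, salt, PBKDF2_ITERATIONS).hex(),
    }


def passphrase_matches(passphrase: str, manifest: dict) -> bool:
    """Type the passphrase from memory before wiping; if this fails, the data is gone."""
    got = _derive(passphrase, bytes.fromhex(manifest["kdf_salt"]), manifest["kdf_iterations"])
    return hmac.compare_digest(got, bytes.fromhex(manifest["passphrase_verifier"]))


def download_is_intact(downloaded: bytes, manifest: dict) -> bool:
    """Run at the destination, before trying to decrypt a truncated or corrupted file."""
    if len(downloaded) != manifest["archive_size"]:
        return False
    return hmac.compare_digest(sha256_hex(downloaded), manifest["archive_sha256"])


def manifest_for_file(path: str, passphrase: str) -> str:
    """Wrapper for an on-disk archive; returns JSON to keep with the upload."""
    with open(path, "rb") as fh:
        return json.dumps(make_manifest(fh.read(), passphrase), indent=2)


if __name__ == "__main__":
    # Constructed stand-in for an encrypted disk image produced by TrueCrypt or PGP.
    image = os.urandom(4096)
    m = make_manifest(image, "correct horse battery staple")
    print(passphrase_matches("correct horse battery staple", m))          # True
    print(passphrase_matches("correct horse battery stapel", m))          # False
    print(download_is_intact(image, m), download_is_intact(image[:-1], m))  # True False
```

The verifier gives anyone holding the manifest an offline way to test passphrase guesses, but the encrypted image itself already offers that, and with a high iteration count the manifest is no cheaper an oracle than the image. The passphrase's strength remains what protects the data; the manifest only tells you, before the point of no return, that you still know it.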
For those of you traveling to countries (or places in the U.S.) with slow Internet connections, you may wish to burn your encrypted data to a DVD and FedEx it to your destination. Do it a few days before you leave, and you should know before you get on the airplane if the disk made it to your destination safely by checking the delivery status online.
I realize that I take paranoia to a more extreme level than most, but I find that this technique works really, really well for me. For those of you who are even more paranoid, and are worried about customs agents being able to recover the deleted data from your laptop disk, you may wish to avoid keeping the decrypted data on your laptop at all (while on the trip). Portable flash drives are quite cheap these days, and can be easily destroyed (a microwave, a hammer, driving over them in a rental car, etc.) once your trip is done.
Disclosure: Jennifer Granick represented me, pro-bono, in my civil troubles with TSA back in 2006 and 2007.
Hackers have turned their attention to Facebook's hundreds of independent applications. The results are not terribly surprising, but do not tell a good tale: app developers don't seem to know a thing about basic security, and are putting private user information at risk. As a result, malicious hackers are able to access and change what should be private user data managed by the application providers.
Just a few months after this blog brought you exclusive news of privacy problems in Facebook's application system, we are now already seeing the consequences of Facebook's decision to pass the buck on application security and privacy. Facebook shares user data with a large number of third-party application developers (without user consent), who then leave the data open to hackers due to nonexistent security and privacy protections. We at Surveillance State would be lying if we said we didn't see this coming.
Third-party developers
As I mentioned in a blog post back in January, Facebook permits application developers to get access to large amounts of sensitive data, all without clear user consent. Simply put, whenever a user installs a Facebook app, the developers of that application get access to data on every person who that user is Facebook 'friends' with, as well as most of the people in that user's network. While Facebook makes it perfectly clear when users install an application that developers will get access to their data, it doesn't do anything at all to warn users that the same data sharing occurs when their friends install apps.
Facebook has its legal bases covered though, as its Terms of Service clearly state that the company is in no way responsible for anything that the developers do with user data. It further notes that the company does nothing at all to verify that developers are doing anything at all to protect user data, or that they are not storing data beyond the time needed to process the application request (a strict no-no). The terms of service state:
"[each application] has not been approved, endorsed, or reviewed in any manner by Facebook...we are not responsible for...the privacy practices or other policies of the Developer. YOU USE SUCH DEVELOPER APPLICATIONS AT YOUR OWN RISK."
Flaws in apps, users at risk
According to a recent article in 2600, the Hacker Quarterly, many popular Facebook applications are vulnerable to trivial attacks, which permit a nefarious person to both set and read the data associated with that app. The 2600 article uses apps Moods, Free Gifts, and Super Wall to prove its point.
Quite simply, the developers have no authentication mechanism in place on their own servers when processing queries issued by a Facebook application. The developers rely, instead, on the Facebook app itself playing by the rules. A nefarious hacker merely needs to intercept the Web request issued by the app, and replace his/her own Facebook ID with that of a potential victim.
While the 2600 article is not online, a reader of the Consumerist blog summarized it online:
In all three of those applications, User A can very easily modify User B's data by intercepting a form and modifying the uid (Facebook user ID) before transmission. In addition, with some applications, User A can gain access to stored application data (e.g. history, etc.) for any User B, whether they are friends or not. Such applications blindly trust form data that can easily be tampered with, which is very clearly a bad idea.
The Moods application allows unauthorized users to view the mood histories of non-friends, and with Firebug, anyone with the app can intercept their own mood change form before submitting it, change the uid in the form, and change someone else's mood.
Super Wall has a similar vulnerability that allows someone to intercept the form in a similar way and spoof messages from ANYONE to ANYONE (even a non-friend) just by changing the to and from uid's.
This is not rocket science, but far closer to computer security 101. Microsoft's Larry Osterman has written about these kinds of flaws on his own blog, describing his effort to educate Microsoft's programmers:
It takes a special mindset to think like a bad guy. Not everyone can switch into that mindset. For instance, I can't think of the number of times I had to tell developers on my team "It doesn't matter that you've checked the value on the client, you still need to check it on the server because the client that's talking to your server might not be your code."
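The flaw described above, and Osterman's "check it on the server" rule, in the form of a minimal request handler. This is an added example, not code from the page, from Facebook, or from any of the apps named, and Facebook's real platform API is not modelled: the `signed_params`/`sig` HMAC scheme, the `Request` class, the user IDs and the mood store are all constructed for the illustration. The vulnerable handler believes whatever uid the form carries, which is exactly the pattern the 2600 article describes; the hardened one derives the identity from a parameter the platform authenticated, ignores the form's uid entirely, and applies the same check on reads.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed: a per-app secret the platform would share with the developer so the
# app can verify who the platform launched it for. Hypothetical scheme, not Facebook's.
APP_SECRET = b"constructed-app-secret"


@dataclass
class Request:
    form: dict           # POST fields: anyone with Firebug can rewrite these before submit
    signed_params: dict  # {"uid", "sig"} set by the platform, carrying a MAC over uid


def sign_uid(uid: str) -> dict:
    """Constructed stand-in for the platform launching the app on behalf of `uid`."""
    sig = hmac.new(APP_SECRET, uid.encode(), hashlib.sha256).hexdigest()
    return {"uid": uid, "sig": sig}


def verify_uid(params: dict):
    """Return the uid the platform vouched for, or None if the MAC is missing or wrong."""
    uid, sig = params.get("uid"), params.get("sig", "")
    if not isinstance(uid, str) or not isinstance(sig, str):
        return None
    expected = hmac.new(APP_SECRET, uid.encode(), hashlib.sha256).hexdigest()
    return uid if hmac.compare_digest(expected, sig) else None


def set_mood_vulnerable(store: dict, req: Request) -> str:
    """The pattern in the 2600 write-up: whatever uid the form says is believed."""
    uid = req.form["uid"]
    store.setdefault(uid, []).append(req.form["mood"])
    return uid


def set_mood_hardened(store: dict, req: Request):
    """Identity is re-derived on the server; a uid in the form is simply ignored."""
    uid = verify_uid(req.signed_params)
    if uid is None:
        return None  # unauthenticated or tampered: reject
    store.setdefault(uid, []).append(req.form["mood"])
    return uid


def read_history_hardened(store: dict, req: Request, target_uid: str, friends: dict):
    """Reads need a server-side check too: only the owner or a friend may view."""
    viewer = verify_uid(req.signed_params)
    if viewer is None:
        return None
    if viewer != target_uid and viewer not in friends.get(target_uid, set()):
        return None
    return list(store.get(target_uid, []))


def demo() -> dict:
    """Replay the scenario: user 1002 edits the uid field to 1001 before submitting."""
    store = {"1001": ["happy"], "1002": ["tired"]}  # constructed mood histories
    friends = {"1001": {"1003"}}                    # 1003 is 1001's only friend

    tampered = Request(form={"uid": "1001", "mood": "tampered"},
                       signed_params=sign_uid("1002"))
    wrote_vuln = set_mood_vulnerable(store, tampered)  # lands in 1001's history
    wrote_hard = set_mood_hardened(store, tampered)    # lands in 1002's own history

    # Without the secret, forging the platform parameter does not work either.
    forged = Request(form={"uid": "1001", "mood": "x"},
                     signed_params={"uid": "1001", "sig": "00"})
    wrote_forged = set_mood_hardened(store, forged)

    stranger = read_history_hardened(store, tampered, "1001", friends)
    friend = read_history_hardened(store, Request(form={}, signed_params=sign_uid("1003")),
                                   "1001", friends)
    return {"vulnerable_wrote_to": wrote_vuln, "hardened_wrote_to": wrote_hard,
            "forged_accepted": wrote_forged is not None,
            "stranger_read": stranger, "friend_read": friend, "store": store}


if __name__ == "__main__":
    print(demo())
```

The point of the hardened path is not the particular MAC construction but where the identity comes from: something the server can verify on its own, never a field the browser submitted. Whatever the real platform hands the app to establish the user's identity, that is the value to check, and the form's uid is at best a hint to be cross-checked against it.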
On Wednesday, I spoke with Adrienne Felt, the University of Virginia researcher whose report first highlighted the excessive and dangerous data sharing that happens between Facebook and its application developers. When asked for her thoughts on the lack of authentication and security at major Facebook apps, Adrienne told me that "sadly i am not surprised at all" as "apps are written by people who just barely know anything about coding."
For those of you interested in learning more, someone has taken the time to record a screencast of the attack in action. All that's needed is a Facebook account, the Firefox browser, and the Firebug browser add-on.