Posts

Apple’s Spiking National Security Requests Could Reflect USA Freedom Compliance

A number of outlets are pointing to an alarming spike in Apple’s national security requests, as reflected in its privacy numbers (though I think they are exaggerating the number). Here’s what the numbers look like since it began reporting national security requests. [I’ll put this in a table later, but I’m trying to get this done in the last window I’ll have for a while.]

Period     Orders received   Accounts affected
1H 2013    0-249             0-249
2H 2013    0-249             0-249
1H 2014    0-249             0-249
2H 2014    250-499           0-249
1H 2015    750-999           250-499
2H 2015    1250-1499         1000-1249

As you can see, Apple’s numbers were already rising from a baseline of 0-249 in both categories in the second half of 2014 (not incidentally when encryption became default), though they really started to grow in the first half of last year. Where the ratio of orders received to accounts affected has differed, it shows more orders received than accounts affected, suggesting either that Apple is getting serial requests (first iMessage metadata, then content), or that the authorities are renewing requests, say, after a 90-day 215 order expires. (Apple reiterates in this report that it has never received a bulk order, so it is presumably, but not definitely, not the additional bulk provider that appears to have shown up in the June 29 order last year.) The number of orders may have doubled or even nearly tripled in the reporting for the first half of last year, and may have almost doubled again since, but it appears that Apple continues to get multiple orders affecting the same account.

In other words, this appears to be a spike in the number of accounts affected, accompanied by a more gradual spike in the orders received, but it follows on what could be a straight doubling of both categories from the prior period.

It appears Apple is reporting under paragraph 3 reporting, described as follows.

(3) A semiannual report that aggregates the number of orders, directives, or national security letters with which the person was required to comply in the into separate categories of–

(A) the total number of all national security process received, including all national security letters, and orders or directives under this Act, combined, reported in bands of 250 starting with 0-249; and

(B) the total number of customer selectors targeted under all national security process received, including all national security letters, and orders or directives under this Act, combined, reported in bands of 250 starting with 0-249.

[snip]

(2) A report described in paragraph (3) of subsection (a) shall include only information relating to the previous 180 days.

That should work out to the same reporting method they were using, provided there was no 2-year delay in reporting of a new kind of production, which doesn’t appear to have happened.

One possible explanation of what’s partly behind the increase is that the more recent number reflects USA Freedom Act collection. USAF became law on June 2, with the new 2-hop production going into effect on November 29. Marco Rubio made it clear last year that USAF extended the 2-hop collection to “a large number of companies.” The Intelligence Authorization made it clear a fair number of companies would be covered by it as well. In its discussion of what kind of responses it gave to San Bernardino requests, Apple said it got legal process.

Especially given that Apple is a “phone company,” it seems highly likely the government included iMessage data in its roll out of the expanded program (which, multiple witnesses have made clear, was functioning properly in time for the December 2 San Bernardino attack). So it’s quite possible what look to be 500 first-time requests are USAF’s new reporting, though that would seem to be a very high number of requests for the first month of the program.

Probably, the bulk of the increase is from something else, perhaps PRISM production, because iMessage is an increasing part of online communication. Apple’s numbers are still far below Google’s (though Yahoo’s had a big drop off in this reporting period). But it would make sense as more people use iMessage, it will increase Apple’s PRISM requests.

Update: This post has been updated to better reflect my understanding of how this reporting and the new production work.

Tuesday Morning: Trash Day

It’s trash day in my neighborhood. Time to take the garbage to the curb. I aim for as little trash as possible, which means buying and consuming less processed/more fresh foods. I use paper/glass/ceramic/stainless steel for storage, avoiding plastics as much as possible. Every lick of plastic means oil — either the plastic has been created wholly from oil, or fossil fuels have been used in its manufacture. Can say the same about the manufacturing of paper/glass/ceramic/stainless steel, but paper can be composted/recycled/renewed, and the rest can be used for lifetimes if cared for. I use ceramic bowls that belonged to my great-grandmother, and stainless pots and bowls once belonging to my mother, and I expect to hand them down some day.

Which makes me all judgy when I’m walking through the neighborhood, side-eyeing the garbage cans at the curb. Can’t believe how much waste is created every week, and how willing we are to pay tax dollars to stick it in the ground as landfill. How can Family X not bother to recycle at all? How can Family Y live on so much processed, chemical-laden garbage? It’s all right there at the end of their driveway, their addiction to fossil fuel consumption spelled out in trash.

What small change can you make in your lifestyle so Judgy McJudgyPants here doesn’t side-eye your trash cans?

Speaking of trash…

Piling on the wonks, Part 3: United Healthcare exiting Obamacare in Michigan
Disclosure: UHC is my health insurer, which I am fortunate enough to afford. But I couldn’t stay with them if I had to go on Obamacare. UHC says it’s losing too much money in Michigan to remain in the program — not certain how given the double-digit underwriting increase it posted for this past year. UHC will leave other states which may not fare as well as Michigan, and even Michigan will suffer from decreasing competition. Do tell us, though, wonks, how great Obamacare is. I’m sure I will feel better should I ever have to shop Obamacare plans for pricey coverage with a dwindling number of providers. And if you missed the previous discussions on inept Obamacare wonkery, see Part 1 by Marcy and Part 2 by Ed Walker.

Tech Views

  • Don’t let anybody say Apple isn’t cooperating with law enforcement (Phys.org) — Apple has cooperated, to the tune of 30,000 times from Jul-Dec 2015 alone, according to a report released late Monday.
  • BlackBerry CEO says telecom companies should ‘comply with reasonable lawful access requests’ to assist law enforcement (Reuters) — Nice bit of footwork from a company which passed their encryption key to Canadian law enforcement as far back as 2010.
  • If you missed the 60 Minutes segment about the security threat posed by Signalling System Number 7 protocol (SS7), you should read up. (The Guardian) — Also wouldn’t hurt to look into end-to-end encryption for your communications. Wonder what role SS7 played in NSA’s and GCHQ’s ‘treasure mapping’ of Germany’s Telekom and other global networks, and if this explains why SS7 is still not secure?
  • [Presence of drugs in car] plus [pics of cash on phone] = suspicious (Ars Technica) — Wait, isn’t the presence of illegal drugs in one’s car enough to make one a suspect?
  • New technology for chip-embedded smart cards will speed checkout times, says VISA (Phys.org) — What the hell are we being forced to switch to so-called smart cards for if they don’t actually improve checkout process already? We’ll piss away any savings from increased security standing in line waiting.

Time to fetch the emptied trash can. See you tomorrow!

Monday Morning: Calm, You Need It

Another manic Monday? Then you need some of Morcheeba’s Big Calm, combining Skye Edwards’ mellow voice with the Godfrey brothers’ mellifluous artistry.

Apple’s Friday-filed response to USDOJ: Nah, son
You can read here Apple’s response to the government’s brief filed after Judge James Orenstein’s order regarding drug dealer Jun Feng’s iPhone. In a nutshell, Apple tells the government they failed to exhaust all their available resources, good luck, have a nice life. A particularly choice excerpt from the preliminary statement:

As a preliminary matter, the government has utterly failed to satisfy its burden to demonstrate that Apple’s assistance in this case is necessary—a prerequisite to compelling third party assistance under the All Writs Act. See United States v. N.Y. Tel. Co. (“New York Telephone”), 434 U.S. 159, 175 (1977). The government has made no showing that it has exhausted alternative means for extracting data from the iPhone at issue here, either by making a serious attempt to obtain the passcode from the individual defendant who set it in the first place—nor to obtain passcode hints or other helpful information from the defendant—or by consulting other government agencies and third parties known to the government. Indeed, the government has gone so far as to claim that it has no obligation to do so, see DE 21 at 8, notwithstanding media reports that suggest that companies already offer commercial solutions capable of accessing data from phones running iOS 7, which is nearly three years old. See Ex. B [Kim Zetter, How the Feds Could Get into iPhones Without Apple’s Help, Wired (Mar. 2, 2016) (discussing technology that might be used to break into phones running iOS 7)]. Further undermining the government’s argument that Apple’s assistance is necessary in these proceedings is the fact that only two and a half weeks ago, in a case in which the government first insisted that it needed Apple to write new software to enable the government to bypass security features on an iPhone running iOS 9, the government ultimately abandoned its request after claiming that a third party could bypass those features without Apple’s assistance. See Ex. C [In the Matter of the Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, Cal. License Plate #5KGD203 (“In the Matter of the Search of an Apple iPhone” or the “San Bernardino Matter”), No. 16-cm-10, DE 209 (C.D. Cal. Mar. 28, 2016)]. 
In response to those developments, the government filed a perfunctory letter in this case stating only that it would not modify its application. DE 39. The letter does not state that the government attempted the method that worked on the iPhone running iOS 9, consulted the third party that assisted with that phone, or consulted other third parties before baldly asserting that Apple’s assistance remains necessary in these proceedings. See id. The government’s failure to substantiate the need for Apple’s assistance, alone, provides more than sufficient grounds to deny the government’s application.

Mm-hmm. That.

Dieselgate: Volkswagen racing toward deadline

  • Thursday, April 21 is the extended deadline for VW to propose a technical solution for ~500,000 passenger diesel cars in the U.S. (Intl Business Times) — The initial deadline was 24-MAR, establishing a 30-day window of opportunity for VW to create a skunkworks team to develop a fix. But if a team couldn’t do this inside the 5-7 years since the cars were first sold in the U.S., another 30 days wouldn’t be enough. Will 60 days prove the magical number? Let’s see.
  • VW may have used copyrighted hybrid technology without paying licensing (Detroit News) — What the heck was going on in VW’s culture that this suit might be legitimate?
  • After last month’s drop-off in sales, VW steps up discounting (Reuters) — Eroded trust in VW is blamed for lackluster sales; discounts aren’t likely to fix that.

Once around the kitchen

  • California’s winter rains not enough to offset long-term continued drought (Los Angeles Times) — Op-ed by Jay Famiglietti, senior water scientist at the NASA Jet Propulsion Laboratory–Pasadena and UC-Irvine’s professor of Earth system science. Famiglietti also wrote last year’s gangbuster warning about California’s drought and incompatible water usage.
  • Western scientists meet with North Korean scientists on joint study of Korean-Chinese volcano (Christian Science Monitor) — This seems quite odd, that NK would work in any way with the west on science. But there you have it, they are meeting over a once-dormant nearly-supervolcano on the Korea-China border.
  • BTW: Deadline today for bids on Yahoo.

There you are, your week off to a solid start. Catch you tomorrow morning!

Wednesday Morning: A Whiter Shade

She said, ‘There is no reason
and the truth is plain to see.’
But I wandered through my playing cards
and would not let her be

— excerpt, Whiter Shade of Pale by Procol Harum
cover here by Annie Lennox

I’ve been on an Annie Lennox jag, sorry. I’m indulging myself here at the intersection of a favorite song which fit today’s theme and a favorite performer. Some of you will take me to task for not using the original version by Procol Harum, or another cover like Eric Clapton’s. Knock yourselves out; it’s Lennox for me.

Speaking of a whiter shade and truth…

FBI used a ‘gray hat’ to crack the San Bernardino shooter’s phone
Last evening after regular business hours WaPo published a story which made damned sure we knew:

1) The FBI waded into a fuzzy zone to hack the phone — oh, not hiring a ‘black hat’, mind you, but a whiter-shade ‘gray hat’ hacker;
2) Cellebrite wasn’t that ‘gray hat’;
3) The third-party resource was referred to as ‘professional hackers’ or ‘researchers who sell flaws’;
4) FBI paid a ‘one-time fee’ for this hack — which sounds like, “Honest, we only did it once! How could we be pregnant?!”
5) A ‘previously unknown software flaw’ was employed after the third-party pointed to it.

This reporting only generated more questions:

• Why the careful wording, ‘previously unknown software flaw’ as opposed to zero-day vulnerability, which has become a term of art?
• How was the determination made that the party was not black or white but gray, and not just a ‘professional hacker who sold knowledge about a flaw they used’? Or was the explanation provided just stenography?
• However did Cellebrite end up named in the media anyhow if they weren’t the source of the resolution?
• What assurances were received in addition to the assist for that ‘one-time fee’?
• Why weren’t known security experts consulted?
• Why did the FBI say it had exhausted all resources to crack the San Bernardino shooter’s phone?
• Why did FBI director Jim Comey say “we just haven’t decided yet” to tell Apple about this unlocking method at all if ‘persons familiar with the matter’ were going to blab to WaPo about their sketchy not-black-or-white-hat approach instead?

That’s just for starters. Marcy’s gone over this latest story, too, be sure to read.

Volkswagen execs get a haircut
Panic among employees and state of Lower Saxony over VW’s losses and anticipated payouts as a result of Dieselgate impelled executives to share the pain and cut their bonuses. Germany’s Lower Saxony is the largest state/municipal shareholder in VW, but it’s doubly exposed to VW financial risks as nearly one in ten Germans are employed in the automotive industry, and VW is the largest single German automotive company. The cuts to bonuses will be retroactive, affecting payouts based on last year’s business performance.

Fuzzy dust bunnies

  • Verizon workers on strike (Boston Globe) — Until minimum wage is raised across the country and offshoring jobs stops, we’ll probably see more labor actions like this. Should be a warning to corporations with quarter-after-quarter profits and offshore tax shelters to watch themselves — they can afford to pay their workers.
  • Facebook deploys bots across its services (Computerworld) — But, but AI is years away, said Microsoft research…meanwhile, you just know Amazon’s Alexa is already looking to hookup with Facebook’s chatbot.
  • Google’s charitable arm ponied up $20M cash for disabled users’ technology improvements (Google.org) — IMO, this was a great move for an underserved population.
  • Judge rejects Obama administration blow-off of apex predator wolverines (HCN) — Wolverines, a necessary part of healthy northern and mountain ecosystems, need cold weather to survive. Montana’s U.S. District Court ruled the administration had not done enough to protect biodiversity including the wolverine. Crazy part of this entire situation is that the feds don’t believe the wolverine warrants Endangered Species Act (ESA) protection and that they can’t tell what effects climate change has on this species, because the species is seen too rarely to know. Hello? A rarely-seen species means the numbers are so low they are at risk of extinction — isn’t that what the ESA is supposed to define and prevent?

UPDATE — 12:10 PM EDT —
From @cintagliata via Twitter:

Back in 1971, researchers observed Zika virus replicating in neurons and glia. (in mice) http://bit.ly/1XvsD4d

I’m done with the pesticides-as-causal theory. It may be a secondary exacerbating factor, but not likely primary. In short, we’ve had information about Zika’s destructive effects on the brain and nervous system for 45 years. It’s past time for adequate funding to address prevention, treatments, control of its spread.

It’s all down the hump from here, kids. See you tomorrow morning!

Friday Morning: Far Over Yonder

It was rough road this week, but we made it to Friday again for more jazz. Today’s genre is ska jazz, which will feel like an old friend to many of you.

The artist Tommy McCook was one of the earliest artists in this genre. Just listen to his work and you’ll understand why he has had such a deep and long-lasting influence on contemporary Jamaican music.

Let’s get cooking.

Apple pan dowdy

  • Need a hashtag for NotAlliPhones after FBI says hack only works on “narrow slice” (Reuters) — The method offered by a third party to open San Bernardino shooter’s iPhone 5c won’t work on later phones like the iPhone 5s in the Brooklyn case, according to FBI director Jim Comey. While it may be assumed newer technology is the barrier, this could be a simple line in the sand drawn by the FBI so as to limit potential risk.
  • Yet another pearl-clutching essay asking us if Apple went too far protecting privacy (MIT Technology Review) — This is the second such POS in this outlet in the last couple of months. Oh, by all means, let’s risk exposing hundreds of millions of iOS users to any surveillance because law enforcement needs access to the kind of information they didn’t have 20 years ago.
  • Apple has complied with government requests to crack iPhones 70 times, beginning in 2008 (Mac Rumors) — The first request, believed to have occurred while George Bush was still in office, arose from a child abuse and pornography case. In a case like this where children may have been endangered, one can understand the impetus for the request. But maybe, just maybe, the reason Apple was so firm about the San Bernardino iPhone 5c is that Apple knows the government has gone too far after nearly eight years of compliance.
  • And for a change of pace, a recipe for Apple Pan Dowdy. Don’t fret over the pastry flour; just use all-purpose and not bread flour.

Leftovers

  • Yahoo up for bids, Verizon interested (Reuters) — The same telecom once in trouble for using persistent cookies is interested in a search engine-portal business which may offer them access to non-Verizon customers. Plan ahead for the next level of consumer tracking if Verizon’s bid wins. Bidding deadline has been extended from April 11 to the 18th.
  • Households at bottom income levels can’t afford food, housing (Vox) — Can’t understand why the rise of angry white man candidates? This is one big reason — things are getting much worse for those who can afford it least. And nobody working in Capitol Hill or the White House seems to give a rat’s whisker.
  • Banksters blame Hollywood for lack of interest in dodgy subprime automotive bonds (Indiewire) — Investment banking firm Morgan Stanley credits the film The Big Short, based on Michael Lewis’ book about the 2000s housing bubble and the subprime mortgage crisis, with spooking investors away from subprime automotive bonds. By all means, let’s not look in the mirror, banksters, or at the inability of the working poor to make ends meet, which increases the likelihood of an uptick in automotive loan defaults.
  • Venezuela makes every Friday a holiday (Bloomberg) — The deep El Nino cycle caused drought conditions, substantively lowering reservoir levels. President Maduro is asking large customers to make their own electricity in addition to declaring every Friday for the next two months a work holiday to conserve energy. Clearly Venezuela needed investment in solar energy before this El Nino began.

  • Researchers found people do stupid stuff when they find a flash drive (Naked Security) — After sprinkling a campus with prepared USB flash drives, a study found nearly half the people who found them plugged them into a computer, ostensibly to find the owner. DON’T DO IT. If you find one, destroy it. If you lost one, consider it a lost cause — and before you lose one, make sure you’ve encrypted it just in case somebody is stupid enough to try and find the owner/look at the contents.

HIGHLY EDITORIAL COMMENT: Bill, STFU.
Just because a single African American author called you “The First Black President” doesn’t mean you are literally a black man (and the label wasn’t meant as a compliment). Your massive white/male/former-elected privilege is getting in the way of listening to people you helped marginalize. You cannot fake feeling their pain or triangulate this away. Just shut up and listen, if for no other reason than you’re hurting your wife yet again. (Sorry, I had to get that off my chest. This opinion may differ from those of other contributors at this site. YMMV.)

Phew. Hope you have a quiet, calm weekend planned. We could use one. See you Monday morning!

Thursday Morning: Taboo You

Still on spring break around here. If I was legit on a road trip some place warm right now, you’d find me lounging in the sun, sipping fruity cocktails at all hours, listening to some cheesy exotica like this Arthur Lyman piece I’ve shared here.

Though horribly appropriative and colonialist, it’s hard not to like exotica for its in-your-face corniness. I think my favorite remains Martin Denny’s Quiet Village. It brings back memories from the early 1960s, when life was pretty simple.

Let’s have a mai tai for breakfast and get on with our day.

Urgent: Increasing number of hospitals held ransom
Last month it was just one hospital — Hollywood Presbyterian Medical Center paid out bitcoin ransom.

Last week it was three — two Prime Healthcare Management hospitals in California and a Methodist Hospital in Kentucky held hostage.

Now, an entire chain of hospitals has been attacked by ransomware, this time affecting the servers of 10 related facilities in Maryland and Washington DC. The FBI is involved in the case. Is this simple extortion or terrorism? The patients diverted from the facilities to other hospitals’ emergency rooms probably don’t care which it is — this latest attack interfered with getting care as quickly as possible. Let’s hope none of the diverted patients, or those already admitted to MedStar facilities such as Union Memorial Hospital, have been directly injured by ransomware’s impact on the system.

The MedStar case spawns many questions:

  • Was any patient’s physical health care negatively affected by the ransomware attack?
  • Given the risks to human health, why aren’t hospitals better prepared against ransomware?
  • Have hospitals across the country treated ransomware as a potential HIPAA violation?
  • Was MedStar targeted because of its proximity to Washington DC?
  • Was Hollywood Presbyterian Medical Center targeted because its owner, CHA Medical Center, is South Korean?
  • Were any patients being treated at MedStar also affected by the OPM data breach, or other health insurance data breaches?
  • How much will ransomware affect U.S. healthcare costs this year and next?

Bet you can think of a couple more questions, too, maybe more than a couple after reading this:

Hospitals are considered critical infrastructure, but unless patient data is impacted there is no requirement to disclose such hackings even if operations are disrupted.

Computer security of the hospital industry is generally regarded as poor, and the federal Health and Human Services Department regularly publishes a list of health care providers that have been hacked with patient information stolen. The agency said Monday it was aware of the MedStar incident.

Apple iPhone cases emerge
After the San Bernardino #AppleVsFBI case, more law enforcement investigations relying on iPhones are surfacing in the media.

  • L.A. police crack open iPhone with fingerprints obtained under warrant (Forbes);
  • FBI will assist county prosecutor in Arkansas with iPhone belonging to alleged teen killer (Los Angeles Times); the method may be the same hack used on the San Bernardino phone, which was supposed to be a one-off (Network World);
  • ACLU found 63 other cases in which FBI used All Writs Act to obtain iPhone/Android smartphone data from Apple and Google (The Register).

Stupid stuff

  • In spite of screwing up not once but twice by releasing its racist, obnoxious Tay AI chatbot, Microsoft tripled down on a future full of chatbots you can build yourself with their tools. (Ars Technica) — Ugh. The stupid…
  • UK’s Ministry of Defense awarded funding to Massive Analytics for work on “Artificial precognition and decision-making support for persistent surveillance-based tactical support” (Gov.UK) — OMG Precog in warfare. Human-free drone attacks. What could go wrong?
  • Rich white guys queue up outside Tesla dealerships for days waiting to pre-order the new Tesla 3 (Vancity Buzz) — Vancouver, Sydney, probably other places I’m too arsed to bother with, because rich white guys.

That’s quite enough. Back to pretending I’m lying under a cerulean sky, baking my tuchis, cold drink in hand.

Wednesday Morning: Breaking Spring

In the Spring a livelier iris changes on the burnish’d dove;
In the Spring a young man’s fancy lightly turns to thoughts of love.

— excerpt, Locksley Hall by Alfred, Lord Tennyson

Welcome to spring break. And by break, I mean schedules are broken around here. Nothing like waiting up until the wee hours for a young man whose fancy not-so-lightly turned to love, because spring.

~yawn~

While the teenager lies abed yet, mom here will caffeinate and scratch out a post. It may be early afternoon by the time I get over this spring-induced sleep deprivation and hit the publish button.

Apple blossoms — iPhones and iPads, that is
Not much blooming on the #AppleVsFBI front, where Apple now seeks information about the FBI’s method for breaking into the San Bernardino shooter’s iPhone 5C. The chances are slim to none that the FBI will tell Apple anything. Hackaday offers a snappy postmortem about this case with an appropriate amount of skepticism.

I wonder what Apple’s disclosure will look like about this entire situation in its next mandatory filing with the SEC? Will iPhone 5C users upgrade to ditch the undisclosed vulnerability?

What effect, if any, will the iPhone 5C case have on other criminal cases where iPhones are involved — like the drug case in Brooklyn? Apple asked for a delay in that case, to assess its position after the iPhone 5C case. We’ll have to wait until April 11 for the next move in this unfolding crypto-chess match.

In the meantime, spring also means baseball, where new business blossoms for Apple. Major League Baseball has now signed with Apple for iPads in the dugout. Did the snafu with Microsoft’s Surface tablets during the NFL’s AFC championship game persuade the MLB to go with Apple?

Volkswagen coasting
It’s downhill all the way for VW, which last week missed its court-imposed 30-day deadline to offer a technical solution for its emissions-standards-cheating “clean diesel” passenger vehicles. If there was such a thing as “clean diesel,” VW would have met the deadline; as I said before, there’s no such thing as “clean diesel” technology. The judge allowed a 30-day extension to April 21, but my money is on another missed deadline. Too bad there’s not a diesel engine equivalent of Cellebrite, willing to offer a quick fix to VW or the court, huh?

Of note: former FBI director Robert Mueller has been named “special master” on this case by Judge Charles Breyer; Mueller has been meeting with all the parties involved. What the heck is a “special master”? We may not have a ready answer, but at least there’s a special website set up for this case, In re: Volkswagen “Clean Diesel” MDL.

The cherry on top of this merde sundae is the Federal Trade Commission’s lawsuit filed yesterday against VW for false advertising promoting its “clean diesel” passenger cars.

With no bottom yet in sight, some are wondering if VW will simply exit the U.S. market.

Automotive odd lot

  • Jury says GM’s ignition switch was bad, but not at fault in a 2014 accident in New Orleans (Reuters) — Keep an eye on media representation of this case. Headline on this one focused on the switch, not the jury’s decision.
  • Car-to-car communications will be road tested soon (MIT Technology Review) — This technology might have prevented Google’s self-driving car from getting crunched by a bus recently.
  • Dude demonstrates his hack of Alexa + Raspberry Pi + OBDLink to remote start his car (Gizmodo) — What. even.

Did Tennyson write anything about spring spawning naps? Because I feel like I need one. Hope we’re back in the groove soon. See you in the morning.

Thursday Morning: Two Too Good

I would post this video every week if I could get away with it. It’s a favorite in my household where three of us play string instruments. I’ve blown out speakers cranking these guys up as far as I can (shhh…don’t tell the dude in charge of speaker maintenance here).

You’ll note this post is pushed down the page as Marcy’s last two posts about #AppleVsFBI (here and here) have been picked up by several news outlets. Let’s let new readers have the rail for a bit.

NC and GA state legislatures wreaking bigoted havoc
Regressive bills allowing open practice of anti-LGBT bigotry have been working their way through states’ legislatures in the wake of Burwell v. Hobby Lobby Stores, Inc. Indiana and Arizona are two examples where bills using a template based on the federal Religious Freedom Restoration Act (RFRA) have been passed. Arizona’s governor Jan Brewer made an unusually rational move and vetoed the bill. Indiana did not, and many organizations protested until an amendment was passed modifying SB 101’s worst component.

Georgia’s legislature passed their own spin on RFRA, The Free Exercise Protection Act; the bill is now in the hands of Gov. Nathan Deal, who has until the first week of May to sign it into law. The state has an emerging film and TV production industry, home to popular shows like AMC’s The Walking Dead. Disney and its subsidiary Marvel yesterday announced they would yank production out of Georgia if Gov. Deal signed the bill. AMC followed suit and announced it too would pull out of Georgia. Other corporations with business interests in GA, like The Dow Chemical Company, are also unhappy. How many more companies will it take before Deal wises up and vetoes the bill or demands amendment?

Sadly, North Carolina’s GOP-led legislature rushed through a bill yesterday with a slightly different spin — like a proof-of-concept for the rest of the states where RFRA bills have been unable to gain traction, one that avoids the potential for boycotts leveraged against the governor. Anti-transgender fear-mongering was used to force HB2, the Public Facilities Privacy & Security Act, through while avoiding “religious freedom” as a promotional feature. It was signed into law yesterday by NC’s jackass governor, Pat McCrory, who tweeted,

Ordinance defied common sense, allowing men to use women’s bathroom/locker room for instance. That’s why I signed bipartisan bill to stop it.

I signed bipartisan legislation to stop the breach of basic privacy and etiquette, ensure privacy in bathrooms and locker rooms.

Except that HB2 not only overturns local ordinances protecting LGBT persons, it prevents transgender persons from using the facilities appropriate to their gender identity, and it allows businesses to post notices that they will not serve certain groups. Welcome back, Jim Fucking Crow.

The bill was not truly bipartisan, either. Although 14 idiotic state house Democrats voted for the bill, the entire Democratic state senate caucus walked out in protest rather than vote on the bill at all. Methinks NC Dem Party discipline needs a little work, and state house members need a little less bigotry.

Speaking of which, DNC was typically ineffectual, offering a bunch of jargon instead of straight talk about NC’s discrimination. Are there any groups at all the DNC under its current leadership will really extend any effort except for corporations?

The speed at which the bill passed through NC’s legislature during an “emergency” session — because making sure the body parts align with the identity on the bathroom door is an emergency! — may have prevented the state’s largest employers from responding appropriately. Let’s see if NC’s largest employers, including University of North Carolina, Time Warner Cable, Duke Energy, Bank of America, Wells Fargo, Merrill Lynch, and the many sci-tech companies of Research Triangle, will wise up and demand an end to the ignorance and bigotry of Public Facilities Privacy & Security Act.

Finished digging out here after a late season snow storm, now serving up a hot dish brunch casserole made with a mess of oddments.

  • Diebold buys German competitor Wincor Nixdorf (Bloomberg) — wonder how this industry shakes out as mobile payment systems become more popular and more widely accepted.
  • Speaking of mobile payment systems: Apple Pay expected to expand to apps and websites before Christmas shopping season (FastCompany) — expected to take a bite out of PayPal’s market share, but if transactions are conducted online, this could eat into other payment processing systems. Need the importance of encryption be pointed out yet again, too?
  • Apple’s new, smaller iPhone SE available for pre-orders today (BusinessInsider) — also iPad Pro. Already hearing strong interest from a lot of women about the smaller phone; they’ve been unhappy with the increasing size of iPhones.
  • Nielsen TV ratings data will begin tracking streaming equipment brands (FastCompany) — their data will be based on 40,000 households, though. Apparently sales of streaming equipment like Apple TV, Chromecast, Roku aren’t granular enough for firms acquiring content consumption data. Wonder how long before Nielsen itself is replaced by network sniffing?
  • Related? Funny how Iran is the focus of the first, but not mentioned in the second:
  • AI-written novel survives first round in Japanese literature contest (DigitalTrends) — and you thought it was just the news that was generated by robots.

That’s a wrap, catch you tomorrow morning!

Tuesday Morning: Été Frappé

[graphic: Map of Belgian attacks 22MAR2016 for Le Monde via Eric Beziat]

Whatever I was going to write today has been beaten into submission by current events.

Woke up to news about alleged terror attacks in Belgium — social media was a mess, a deluge of information with little organization. Best I can tell from French language news outlets including Le Monde, the first attack was at 8:00 a.m. local time at the Zaventem Airport just outside Brussels. The second attack occurred at the Maelbeek metro station at 9:11 a.m. Both attacks appear to have used bombs, unlike the Paris attacks this past year — two at the airport, one at the metro. Reports indicate 15 deaths and 55 seriously injured so far.

A third explosion reported at a different location in Brussels has been attributed to the controlled detonation of a suspicious package after the second attack.

In the time gap between the two attacks, one might suppose many law enforcement and military would have gone to the airport to respond to the first attack. Was there synchronization by planned schedule, or was there coordination by communication?

However, communications may have been difficult as telecom networks were quickly flooded. How soon were the telecom networks overloaded? Or were the networks throttled for observation? We may not ever know.

It’s worth reexamining what Marcy wrote about the communications found after Paris attack (here and here). It may be relevant if the same practices were used by the attackers in Brussels.

Important to note that Paris terror attack suspect Salah Abdeslam was arrested March 18 in a raid in Brussels. He is believed to have transported several of the attackers to the Stade de France just before the November 13 attack. Abdeslam may have been one of several suspects who fled from another earlier raid during which another suspect was killed.

Still working on the order issued late yesterday vacating today’s planned hearing on #AppleVsFBI. The order is here.

UPDATE — 9:30 a.m. EST — Marcy will be posting in a bit about the #AppleVsFBI hearing that wasn’t.

Another interesting story that broke in France today: French Supreme Court affirmed a previous lower court decision which ruled legal the wiretapping of former president Nicolas Sarkozy. Sarkozy has been under investigation for various forms of influence peddling since 2010, including receipt of campaign funds from Libya’s Muammar Gaddafi in 2007.

UPDATE — 1:00 p.m. EST/5:00 p.m. London/6:00 p.m. Brussels, Paris —

Now into the post-emergency recovery stage — all manner of political functionaries and talking heads have offered their two bits on this morning’s attacks. Three days of mourning have been declared in Belgium. Pictures of the alleged bombers at the airport taken by security video camera have now been published. The airport attackers detonated their weapons in the pre-security check-in area. 34 deaths have now been reported as a result of the attacks for which ISIS has now claimed responsibility. Across the Channel, the UK remains on alert for multiple attacks after last week’s raid in Brussels; UK travelers have been discouraged from traveling to Brussels.

Timeline (via Agence France-Presse; translated from the French)

22 March, shortly after 9:00 a.m.
Explosion in the Maelbeek metro station.

22 March, 8:00 a.m.
Two explosions at the airport. Possible suicide bomber.

21 March
[Suspect] Najim Laachraoui, whose DNA was found on explosives, identified and actively sought.

18 March
Salah Abdeslam arrested in Molenbeek.

15 March
Shooting in the Forest district; Mohammed Belkaid, linked to the perpetrators of the November 13 Paris attacks, killed. Salah Abdeslam’s fingerprints found.

Are the Authorities Confusing a PRISM Problem with an Encryption Problem?

CNN has its own version of updated reporting from the Paris attack. It provides a completely predictable detail inexplicably not included in the weekend’s big NYT story: that the one phone with any content on it — as distinct from a pure burner — had Telegram loaded on it.

Several hours earlier, at 2:14 p.m., while they were still at the Alfortville hotel, the Bataclan attackers had downloaded the encryption messaging app Telegram onto their Samsung smart phone, according to police reports. No recovered content from the messaging app is mentioned in the French police documents, suggesting there were likely communications by the Bataclan attackers that will never be recovered.

As well as offering end-to-end encryption, the Telegram messaging app offers an option for users to “self-destruct” messages. At 4:39 p.m. on November 13, one of the attackers downloaded detailed floor plans of the Bataclan venue onto the Samsung phone and conducted online searches for the American rock band playing there that night, the Eagles of Death Metal.

I predicted as much in my post on that NYT story.

My suspicion is that, as had been reported, ISIS relied on Telegram rather than emails, but used it in a fashion that would make it less useful on burner phones (“secret” Telegram chats are device specific, meaning you’d need a persistent phone number to use that function). But if these terrorists did use Telegram, they probably eluded authorities not because of encryption, but because it’s fairly easy to make such chats temporary (again, using the secret function). Without Telegram being part of PRISM, the NSA would have had to obtain the metadata for chats via other means, and by the time they IDed the phones of interest, there may have been no metadata left.

If ISIS’ use of Telegram (which was publicly acknowledged when Telegram shut down a bunch of ISIS channels in the wake of the attack) is what anonymous sources keep insisting is an encryption problem, then it suggests the problem is being misportrayed as an encryption one.

True, Telegram does offer the option of end-to-end encryption for its messaging. There are questions about its encryption (though thus far it hasn’t been broken publicly). So it does offer users the ability to carry out secret chats and to then destroy them, which may be where the concern about all the “scoured” “email” in the NYT piece comes from, the assumption that these terrorists used Telegram but deleted those messages.

But as the Grugq points out, it’s a noisy app in other ways that the NSA should be able to exploit.

Contact Theft

When registering an account with Telegram, the app helpfully uploads the entire Contacts database to Telegram’s servers (optional on iOS). This allows Telegram to build a huge social network map of all the users and how they know each other. It is extremely difficult to remain anonymous while using Telegram because the social network of everyone you communicate with is known to them (and whoever has pwned their servers).

Contact books are extremely valuable information. We know that the NSA went to great lengths to steal them from instant messenger services. On mobile the contact lists are even more important because they are very frequently linked to real world identities.

Voluminous Metadata

Anything using a mobile phone exposes a wide range of metadata. In addition to all the notification flows through Apple and Google’s messaging services, there are the IP traffic flows to/from those servers, and the data on the Telegram servers. If I were a gambling man, I’d bet those servers have been compromised by nation state intelligence services and all that data is being dumped regularly.

This metadata would expose who talked with who, at what time, where they were located (via IP address), how much was said, etc. There is a huge amount of information in those flows that would more than compensate for lacking access to the content (even if, big assumption, the crypto is solid).
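To make the Grugq’s point concrete from the privacy side, here is an added example (not from the post, the Grugq, or Telegram) showing how much a server-side message log reveals when every message body is opaque: who talks to whom and how often, how much is exchanged, when activity peaks, and which identities sit behind the same client IP. The log format (timestamp, sender, recipient, client IP, byte count) and every record in it are constructed for this example; no messenger is assumed to log exactly these fields.

```python
"""Metadata-only analysis of a constructed messenger server log.

Shows what a defender (or anyone holding the server) can infer about users
without decrypting a single message: contact graph, traffic volume per pair,
busiest hour, and identities co-located behind one client IP.
The record layout and all values below are constructed for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: "timestamp,sender,recipient,client_ip,bytes".
# Numbers use the reserved 555 range; IPs are documentation ranges.
SAMPLE_LOG = """\
2016-01-05T14:14:00,+15550000001,+15550000002,203.0.113.10,812
2016-01-05T14:15:30,+15550000002,+15550000001,198.51.100.7,240
2016-01-05T14:39:10,+15550000001,+15550000003,203.0.113.10,1024
2016-01-05T15:02:00,+15550000003,+15550000001,203.0.113.10,96
2016-01-05T16:39:00,+15550000001,+15550000002,203.0.113.10,4096
2016-01-05T16:40:15,+15550000004,+15550000002,192.0.2.55,128
"""


def parse_records(text):
    """Parse the constructed CSV-style log into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, ip, size = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "from": sender,
            "to": recipient,
            "ip": ip,
            "bytes": int(size),
        })
    return records


def contact_graph(records):
    """Undirected contact graph: unordered (a, b) pair -> message count."""
    edges = Counter()
    for r in records:
        edges[frozenset((r["from"], r["to"]))] += 1
    return edges


def volume_by_pair(records):
    """Bytes exchanged per unordered pair ("how much was said")."""
    volume = Counter()
    for r in records:
        volume[frozenset((r["from"], r["to"]))] += r["bytes"]
    return volume


def busiest_hour(records):
    """Hour bucket with the most messages, as (bucket, count)."""
    hours = Counter(r["ts"].strftime("%Y-%m-%dT%H") for r in records)
    return hours.most_common(1)[0]


def colocated_identities(records):
    """Client IPs from which more than one sender identity was seen.

    Two accounts behind one address is a location or shared-device link
    that content encryption does nothing to hide.
    """
    by_ip = defaultdict(set)
    for r in records:
        by_ip[r["ip"]].add(r["from"])
    return {ip: ids for ip, ids in by_ip.items() if len(ids) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for pair, n in contact_graph(recs).most_common():
        print(sorted(pair), "messages:", n, "bytes:", volume_by_pair(recs)[pair])
    print("busiest hour:", busiest_hour(recs))
    print("co-located identities:", colocated_identities(recs))
```

On the sample, the graph alone identifies one hub identity that talks to everyone else, which pair carries almost all the traffic, and that two of the accounts connect from the same address. None of that required the message bodies, which is the metadata-versus-content distinction the post is drawing.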

He spends particular time on Telegram’s Secret chat function (the one that allows a person to destroy a chat). But he doesn’t talk about how that might play into the extensive use of burners that we’ve seen from ISIS. Secret chats are device specific (that is, they can be sent only to a numbered device, not an account). That would make the function very hard to integrate with disciplined burner use, because the whole point of burners is not to have persistent telephone numbers. How will a terrorist remember the new number he wants to associate with a Telegram secret chat? Write it on a piece of paper?

In other words, it seems you could use one (disciplined burners) or another (full use of Telegram with persistent phones), the latter of which would provide its own kind of intelligence. It may well be ISIS does merge these two uses, but if so we shouldn’t expect to see Telegram on their true burner phones. Plus, assuming the bearer of the phone speaks that dialect the Belgians were struggling to translate, voice calls on burners would be just as useful as transient use of Telegram.

But that’s probably not the real problem for authorities. In fact, if known terrorists had been using, say, WhatsApp rather than Telegram for such encrypted chats, authorities might have had more information on their network than they do now. That’s because WhatsApp metadata would be available under PRISM, whereas to get Telegram data, non-German authorities are going to have to go steal it.

If that supposition is correct, it would suggest that the US should drop all efforts to make Apple phones’ encryption weaker. So long as it has the presumed best security (notwithstanding the iMessage vulnerability just identified by researchers at Johns Hopkins), people from around the world will choose it, ensuring that the world’s best SIGINT agency could have ready access. If Telegram is perceived as being better — or even being close, given the location — people of all sorts will prefer that.

That won’t give you the content, in either case (even if you had the Moroccan translators you needed to translate, if that indeed remained a problem for authorities). But you’re better off having readily accessible metadata than losing it entirely.