German researchers have discovered security flaws that could let hackers, spies and criminals listen to private phone calls and intercept text messages on a potentially massive scale – even when cellular networks are using the most advanced encryption now available.
The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world’s cellular carriers to route calls, texts and other services to each other. Experts say it’s increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world’s billions of cellular customers.
The flaws discovered by the German researchers are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network.
When I learned that the Intelligence Authorization Act for FY 2015 was being rushed to the floor for a vote—with little debate and only a voice vote expected (i.e., simply declared “passed” with almost nobody in the room)—I asked my legislative staff to quickly review the bill for unusual language. What they discovered is one of the most egregious sections of law I’ve encountered during my time as a representative: It grants the executive branch virtually unlimited access to the communications of every American.
The next time you call for assistance because the internet service in your home is not working, the “technician” who comes to your door may actually be an undercover government agent. He will have secretly disconnected the service, knowing that you will naturally call for help and — when he shows up at your door, impersonating a technician — let him in. He will walk through each room of your house, claiming to diagnose the problem. Actually, he will be videotaping everything (and everyone) inside. He will have no reason to suspect you have broken the law, much less probable cause to obtain a search warrant. But that makes no difference, because by letting him in, you will have “consented” to an intrusive search of your home.
Usually, deleting emails is a no-fanfare, one-click affair — but not when you’re the Central Intelligence Agency or the Department of Homeland Security. Both agencies have recently submitted proposals to the National Archives and Records Administration that outline their plans to delete years’ worth of emails, which the Archives has already tentatively approved. The CIA apparently turned one in to comply with the administration’s directive, ordering federal agencies to conjure up viable plans to better manage government emails by 2016. If approved, all the correspondences of every person to ever be employed by the CIA will be flushed down the digital toilet three years after they leave. All messages older than seven years old will also be nuked, and only the digital missives of 22 top officials will be preserved — something which several senators do not want to happen.
If They Are Not Doing Anything Wrong, Why Are They Worried?
This week the Wall Street Journal reported that Department of Justice officials recently met with Google and Apple, and basically told them that their decision to empower consumers would result in the death of children:
The No. 2 official at the Justice Department delivered a blunt message last month to Apple Inc. executives: New encryption technology that renders locked iPhones impervious to law enforcement would lead to tragedy. A child would die, he said, because police wouldn’t be able to scour a suspect’s phone, according to people who attended the meeting.
The Journal reports that Apple wasn’t moved by the DOJ’s argument, and found the “dead-child scenario” to be “inflammatory.”
Recently, Verizon was caught tampering with its customers’ web requests to inject a tracking super-cookie. Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers’ data to strip a security flag—called STARTTLS—from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client.
By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls, including Cisco’s PIX/ASA firewall, do this in order to monitor for spam originating from within their network and prevent it from being sent. Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception.
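The downgrade described above works only because the sender treats STARTTLS as optional. The following added example (not part of the quoted article) parses an EHLO reply and contrasts the opportunistic default with a sender that requires TLS; the host name, the two EHLO replies and the function names are constructed for illustration.

```python
"""Opportunistic vs. enforced STARTTLS, decided from the EHLO reply."""


def parse_ehlo(reply: str):
    """Return (status_code, extension_keywords) from a multi-line EHLO reply."""
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty EHLO reply")
    code = None
    extensions = set()
    for index, line in enumerate(lines):
        # Each line is "<3-digit code><'-' or ' '><text>".
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in "- ":
            raise ValueError(f"malformed reply line: {line!r}")
        code = int(line[:3])
        if index == 0:
            continue  # first line carries the server's domain, not an extension
        text = line[4:].strip()
        if text:
            extensions.add(text.split()[0].upper())
    return code, extensions


def next_step(reply: str, require_tls: bool) -> str:
    """Decide what the sending side does after EHLO."""
    code, extensions = parse_ehlo(reply)
    if code != 250:
        return "abort: EHLO rejected"
    if "STARTTLS" in extensions:
        return "starttls"
    if require_tls:
        # The flag is missing: either the peer never supported TLS or something
        # on the path removed it. A sender that requires TLS stops here.
        return "abort: STARTTLS not offered"
    return "send-plaintext"


# Constructed sample: what the receiving server actually sent.
EHLO_INTACT = (
    "250-mx.example.net\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)

# Constructed sample: the same reply after a middlebox removed the flag.
EHLO_STRIPPED = (
    "250-mx.example.net\r\n"
    "250-SIZE 35882577\r\n"
    "250 8BITMIME\r\n"
)

if __name__ == "__main__":
    for name, reply in (("intact", EHLO_INTACT), ("stripped", EHLO_STRIPPED)):
        for require_tls in (False, True):
            print(name, "require_tls=%s" % require_tls, "->",
                  next_step(reply, require_tls))
```

Logging every "STARTTLS not offered" decision per destination also gives an operator a signal when a peer that used to offer TLS suddenly stops.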
A strange looking website is letting anyone in the world stream from more than 73,000 IP cameras whose respective owners have not yet changed their default passwords. Whether or not this website is highlighting an important security problem as they are claiming to do, this appears to be a serious breach of privacy.
Insecam has access to more than 73,000 cameras all around the globe which includes more than 11,000 cameras in the United States, 6500 in the Republic of Korea and almost 5000 in China. Even though the website states that it is trying to emphasize an important security issue, it is clearly profiting from advertisements as well.
On Thursday, FBI boss James Comey displayed not only a weak understanding of privacy and encryption, but also what the phrase “above the law” means, in slamming Apple and Google for making encryption a default:
“I am a huge believer in the rule of law, but I am also a believer that no one in this country is above the law,” Comey told reporters at FBI headquarters in Washington. “What concerns me about this is companies marketing something expressly to allow people to place themselves above the law.”
“There will come a day — well it comes every day in this business — when it will matter a great, great deal to the lives of people of all kinds that we be able to with judicial authorization gain access to a kidnapper’s or a terrorist or a criminal’s device. I just want to make sure we have a good conversation in this country before that day comes. I’d hate to have people look at me and say, ‘Well how come you can’t save this kid,’ ‘how come you can’t do this thing.'”
First of all, nothing in what either Apple or Google is doing puts anyone “above the law.” It just says that those companies are better protecting the privacy of their users. There are lots of things that make law enforcement’s job harder that also better protect everyone’s privacy. That includes walls. If only there were no walls, it would be much easier to spot crimes being committed. And I’m sure some crimes happen behind walls that make it difficult for the FBI to track down what happened. But we don’t see James Comey claiming that homebuilders are allowing people to be “above the law” by building houses with walls.
As nude celebrity photos spilled onto the web over the weekend, blame for the scandal has rotated from the scumbag hackers who stole the images to a researcher who released a tool used to crack victims’ iCloud passwords to Apple, whose security flaws may have made that cracking exploit possible in the first place. But one step in the hackers’ sext-stealing playbook has been ignored—a piece of software designed to let cops and spies siphon data from iPhones, but is instead being used by pervy criminals themselves.
On the web forum Anon-IB, one of the most popular anonymous image boards for posting stolen nude selfies, hackers openly discuss using a piece of software called EPPB or Elcomsoft Phone Password Breaker to download their victims’ data from iCloud backups. That software is sold by Moscow-based forensics firm Elcomsoft and intended for government agency customers. In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victim’s iPhone and download its full backup rather than the more limited data accessible on iCloud.com. And as of Tuesday, it was still being used to steal revealing photos and post them on Anon-IB’s forum.
The fact that Apple isn’t complicit in law enforcement’s use of Elcomsoft’s for surveillance doesn’t make the tool any less dangerous, argues Matt Blaze, a computer science professor at the University of Pennsylvania and frequent critic of government spying methods. “What this demonstrates is that even without explicit backdoors, law enforcement has powerful tools that might not always stay inside law enforcement,” he says. “You have to ask if you trust law enforcement. But even if you do trust law enforcement, you have to ask whether other people will get access to these tools, and how they’ll use them.”
Apple issued a media advisory related to recent celebrity photo theft, saying the accounts were compromised by a very targeted attack on user names, passwords and security questions and was not related to any breach of Apple’s systems, including iCloud.
Over the weekend a number of nude celebrity photos appeared online. Jennifer Lawrence, Kate Upton, Lea Michele, Victoria Justice and Kirsten Dunst all had their photos compromised, among others.
We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.
If you are a celebrity, it’s more likely that people know the name of your first pet, or your mother’s maiden name…
Seventeen mysterious cellphone towers have been found in America which look like ordinary towers, and can only be identified by a heavily customized handset built for Android security – but have a much more malicious purpose, according to Popular Science.
The fake ‘towers’ – computers which wirelessly attack cellphones via the “baseband” chips built to allow them to communicate with their networks, can eavesdrop and even install spyware, ESD claims. They are a known technology – but the surprise is that they are in active use.
The towers were found by users of the CryptoPhone 500, one of several ultra-secure handsets that have come to market in the last couple of years, after an executive noticed his handset was “leaking” data regularly.
And here’s why:
“What we find suspicious is that a lot of these interceptors are right on top of U.S. military bases.” says Goldsmith. “Whose interceptor is it? Who are they, that’s listening to calls around military bases? The point is: we don’t really know whose they are.”
If you think a foreign agent can deploy one IMSI catcher (let alone 17) near a military base I’ve got some swamp land to sell you. And the US government itself doesn’t need them, they already have access.
So, this is likely just a story to boost sales of those cryptophones.
Returning students at Hillsborough County Public Schools in Tampa, Fla. found 20 new armed officers in the elementary schools in the first year of a plan costing about $1 million.
The school board also approved security training for employees, the hiring of a safety consultant and more measures to control school access, such as fencing and buzzers.
Meanwhile, all 16 schools in the Coeur d’Alene, Idaho, public school district have been enclosed in security fencing and each school limits visitors to a single entry point, officials said. This September, for the first time, two police officers will patrol elementary schools, at a cost of roughly $68,000 from the district’s state funding.
…officials continue to allow four anonymous employees to carry firearms on school property. Bulletproof glass and panic buttons have been installed, and officials held schoolwide assemblies for security training.
Because, clearly, the solution to “too many weapons in society” is “more weapons!”
Online sources confirmed Wednesday that every piece of 34-year-old Mark O’Connell’s personal data is currently protected by a reference to the third season of long-running NBC political drama The West Wing. Reports indicate that the reference, derived from the name of a guest character in an early-season episode of the Aaron Sorkin drama that went off the air in 2006, is, at present, all that stands in the way of strangers gaining total access to intimate details of the automotive insurance agent’s personal, professional, and financial life. In particular, sources noted that the security of everything from O’Connell’s banking and credit card accounts, to proprietary documents from his work, to his social media profiles, to all of his email correspondence, rests solely on the wry nod to a scene during the Emmy-nominated episode “On The Day Before,” in which the White House staff hosts a dinner for several Nobel laureates while President Bartlet works to veto an estate tax bill. Those close to the situation, however, noted that some of O’Connell’s most sensitive information is safeguarded by a secondary layer of protection in the form of a security question about his favorite character from Sports Night.
You got you this big-ass computer that was designed by big-brained dweebs to make money out of, I shit you not, thin-fucking-air.
Now, this ain’t folding money, this is the kind of money bankers and shit put down in ledgers, only there ain’t no more ledgers, that shit’s all computers on the internet now. So instead of hiring Sean and Vinnie to take a paper bag of the folding stuff to the bosses, it’s got to go over the internet, one computer to another.
Now, computers generally don’t talk to each other direct – they hand off like runners and bag-men. So, the big-ass computer pulls money almost literally out of its ass, and then hands it off to a bag-man, who stuffs it in a bag and puts the Boss’ name and organization on it. He hands it off to a runner, who runs up to the corner, and goes, “Hey, any of you guys know this dude?”
Bad-ass at the corner goes, “Nah, man, but I heard of the dude and his crew. Hard core motherfuckers. Head on over five blocks east, and ask there.”
This works, up until the runner comes across someone who got duped. He heard from someone important that the Boss works out of “The Cafe” out on the docks, but someone who seemed legit, but was a fucking weasel, just now told him that The Boss at the Organization was now running out of some garage just outside town.
“Who you running for, kid?”
“Big-Ass Computer’s bag-man, by way of the dude at that corner! This is for The Boss, at The Organization!”
“Hey, hey, you’re in luck! I know where that’s going! Just heard about it! Hand it over, guy, and you’re done for the night! My runner will take it from here! Good job!”
So, the next day, the Boss rolls on up to an abandoned garage, all the money the computer pulled out of its ass is gone. The weasel got snuffed, but even he didn’t know where the money was headed.
These modern times, I tell ya.
The secrets of one of the world’s most prominent surveillance companies, Gamma Group, spilled onto the Internet last week, courtesy of an anonymous leaker who appears to have gained access to sensitive corporate documents. And while they provide illuminating details about the capabilities of Gamma’s many spy tools, perhaps the most surprising revelation is about something the company is unable to do: It can’t hack into your typical iPhone.
Android phones, some Blackberries and phones running older Microsoft operating systems all are vulnerable to Gamma’s spyware, called FinSpy, which can turn your smart phone into a potent surveillance device. Users of the spyware are capable of listening to calls on targeted devices, stealing contacts, activating the microphone, tracking your location and more. But for FinSpy to hack into an iPhone, its owner must have already stripped away much of its built-in security through a process called “jailbreaking.” No jailbreak, no FinSpy on your iPhone, at least according to a leaked Gamma document dated April 2014.
Oracle’s much-ballyhooed data redaction feature in Database 12c is easy to subvert without needing to use exploit code, attendees at Defcon 22 in Las Vegas have heard.
The redaction features in 12c are designed to automatically protect sensitive database material by either totally obscuring column data or partially masking it – for example, recalling just the last four digits of a US social security number when a search query is run.
But according to David Litchfield, security specialist at Datacomm TSS and the author of The Oracle Hacker’s Handbook, the mechanism is so riddled with basic flaws that you don’t even need to execute native exploit code to defeat the redaction – some clever SQL is all that’s needed, we’re told.
“If Oracle has a decent security development lifecycle in place anyone would have found these flaws and stopped them in tracks,” Litchfield said.
“Anyone with a modicum of SQL would have found these bugs.”
Litchfield said that within five minutes of investigating the redactions system, he found serious flaws in the coding. He’s previously documented his findings here [PDF].
When Peter Ho, the senior defense official, met with John Poindexter back in 2002 about the Total Information Awareness program, Poindexter suggested that Singapore would face a much easier time installing a big-data analysis system than he had in the United States, because Singapore’s privacy laws were so much more permissive. But Ho replied that the law wasn’t the only consideration. The public’s acceptance of government programs and policies was not absolute, particularly when it came to those that impinged on people’s rights and privileges.
It sounds like an accurate forecast. In this tiny laboratory of big-data mining, the experiment is yielding an unexpected result: The more time Singaporeans spend online, the more they read, the more they share their thoughts with each other and their government, the more they’ve come to realize that Singapore’s light-touch repression is not entirely normal among developed, democratic countries — and that their government is not infallible. To the extent that Singapore is a model for other countries to follow, it may tell them more about the limits of big data and that not every problem can be predicted.
Former NSA Director Keith Alexander is patenting a variety of techniques to protect computer networks. We’re supposed to believe that he developed these on his own time and they have nothing to do with the work he did at the NSA, except for the parts where they obviously did and therefore are worth $1 million per month for companies to license.
No, nothing fishy here.
The 175th Wing, Maryland Air National Guard, located at Warfield Air National Guard Base, Baltimore, Maryland, intends to issue a Request for Proposal (RFP) to award a single firm fixed-price contract for Construction of a CYBER/ISR Facility. Project to be LEEDR Silver Certified. Construction services will consist of the construction of a new CYBER/ISR Facility. The purpose of this facility is to house a Network Warfare Group and ISR Squadron. The Cyber mission includes a set of capabilities, expertise to enable the cyber operational need for an always-on, net-speed awareness and integrated operational response with global reach. It enables operators to drive upstream in pursuit of cyber adversaries, and is informed 24/7 by intelligence and all-source information
Let’s get real, how many guardsmen speak Farsi, Chinese, Russian, Swahili or Hindi?
How many know anything about NZ, Australia, GB or Canada worth knowing in a cyber context?
So who does that leave for adversaries?
Right. You and me.
In the latest cautionary tale involving the so-called Internet of things, white-hat hackers have devised an attack against network-connected lightbulbs that exposes Wi-Fi passwords to anyone in proximity to one of the LED devices.
According to a blog post published over the weekend, LIFX has updated the firmware used to control the bulbs after researchers discovered a weakness that allowed hackers within about 30 meters to obtain the passwords used to secure the connected Wi-Fi network. The credentials are passed from one networked bulb to another over a mesh network powered by 6LoWPAN, a wireless specification built on top of the IEEE 802.15.4 standard. While the bulbs used the Advanced Encryption Standard (AES) to encrypt the passwords, the underlying pre-shared key never changed, making it easy for the attacker to decipher the payload.
The odds are you can’t make out the PIN of that guy with the sun glaring obliquely off his iPad’s screen across the coffee shop. But if he’s wearing Google Glass or a smartwatch, he probably can see yours.
Researchers at the University of Massachusetts Lowell found they could use video from wearables like Google Glass and the Samsung smartwatch to surreptitiously pick up four-digit PIN codes typed onto an iPad from almost 10 feet away—and from nearly 150 feet with a high-def camcorder. Their software, which used a custom-coded video recognition algorithm that tracks the shadows from finger taps, could spot the codes even when the video didn’t capture any images on the target devices’ displays.
“I think of this as a kind of alert about Google Glass, smartwatches, all these devices,” says Xinwen Fu, a computer science professor at UMass Lowell who plans to present the findings with his students at the Black Hat security conference in August. “If someone can take a video of you typing on the screen, you lose everything.”
Shortly after the initial news came out that NSA fakes Google and Yahoo servers with stolen or faked certificates:
the German computer magazine C’T issued a warning that it is a security risk when Microsoft automatically updates its list of certificates without notifying users, so that dubious certificates could easily get into the Windows certificate list, which is trusted by web browsers like Internet Explorer or Google Chrome for Windows:
After reading this, I filed a bug in Chromium, which then was dismissed as a “won’t fix”, with the Chromium developers saying that the certificate list is “signed by Microsoft” and there would not be any break in the “chain of trust”.
And now I see this message from Google:
“On Wednesday, July 2, we became aware of unauthorized digital certificates for several Google domains. The certificates were issued by the National Informatics Centre (NIC) of India, which holds several intermediate CA certificates trusted by the Indian Controller of Certifying Authorities (India CCA).
The India CCA certificates are included in the Microsoft Root Store and thus are trusted by the vast majority of programs running on Windows, including Internet Explorer and Chrome. Firefox is not affected because it uses its own root store that doesn’t include these certificates.
We are not aware of any other root stores that include the India CCA certificates, thus Chrome on other operating systems, Chrome OS, Android, iOS and OS X are not affected. Additionally, Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although misissued certificates for other sites may exist.”
“Update Jul 9: India CCA informed us of the results of their investigation on July 8. They reported that NIC’s issuance process was compromised and that only four certificates were misissued; the first on June 25. The four certificates provided included three for Google domains (one of which we were previously aware of) and one for Yahoo domains. However, we are also aware of misissued certificates not included in that set of four and can only conclude that the scope of the breach is unknown.”
Now Microsoft has removed the certificates in question and it turns out that the issue affected 45 domains:
In view of this list, the advice from Google looks especially funny:
“Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of widespread abuse and we are not suggesting that people change passwords.”
The Microsoft certificate list is used in the Chrome browser. Faking a Google server is difficult, since Chrome checks its certificate by different means, and that was how the attack was revealed. But Chrome does not have a similar check for Yahoo. If that attack did not work after all, the hackers would not have used it.
But still, Google explicitly does not suggest that anyone change passwords…
William Binney is one of the highest-level whistleblowers to ever emerge from the NSA. He was a leading code-breaker against the Soviet Union during the Cold War but resigned soon after September 11, disgusted by Washington’s move towards mass surveillance.
On 5 July he spoke at a conference in London organised by the Centre for Investigative Journalism and revealed the extent of the surveillance programs unleashed by the Bush and Obama administrations.
“At least 80% of fibre-optic cables globally go via the US”, Binney said. “This is no accident and allows the US to view all communication coming in. At least 80% of all audio calls, not just metadata, are recorded and stored in the US. The NSA lies about what it stores.”
The National Security Agency and FBI have covertly monitored the emails of prominent Muslim-Americans—including a political candidate and several civil rights activists, academics, and lawyers—under secretive procedures intended to target terrorists and foreign spies.
According to documents provided by NSA whistleblower Edward Snowden, the list of Americans monitored by their own government includes:
• Faisal Gill, a longtime Republican Party operative and one-time candidate for public office who held a top-secret security clearance and served in the Department of Homeland Security under President George W. Bush;
• Asim Ghafoor, a prominent attorney who has represented clients in terrorism-related cases;
• Hooshang Amirahmadi, an Iranian-American professor of international relations at Rutgers University;
• Agha Saeed, a former political science professor at California State University who champions Muslim civil liberties and Palestinian rights;
• Nihad Awad, the executive director of the Council on American-Islamic Relations (CAIR), the largest Muslim civil rights organization in the country.
The official NSA reply is predictable:
No U.S. person can be the subject of surveillance based solely on First Amendment activities, such as staging public rallies, organizing campaigns, writing critical essays, or expressing personal beliefs.
On the other hand, a person who the court finds is an agent of a foreign power under this rigorous standard is not exempted just because of his or her occupation.
The United States is as committed to protecting privacy rights and individual freedom as we are to defending our national security.
Back in the day there was talk about “jamming echelon” by adding keywords to email that the echelon system was supposedly looking for. We can do the same thing for XKeyScore: jam the system with more information than it can handle.
Ironically, according to the specific rules that NDR and WDR have obtained, it is precisely people who wish to be anonymous who become targets of the NSA. In the eyes of the intelligence agency: extremists. This is not rhetoric, not journalistic exaggeration. The term even appears in the comments of the source code, written by NSA programmers.
Extremists? The opposite is the case, as the research shows. The German victims are by no means to be found on the political fringe. They are extreme in only one respect: they are concerned about the security of their data. And that is exactly what makes them suspicious in the eyes of the US intelligence agency.
Darko Medic, 18, short brown hair, sits in front of his laptop. He types “Tails” and “USB” into the search box of his search engine. What Darko does not know: by doing so he has just landed in an NSA database as well. Marked as one of the extremists the intelligence officers are searching for so diligently.
Because the rules in the source code reveal something else: the NSA monitors search queries worldwide on a large scale, including in Germany. Merely searching for encryption software such as “Tails” is enough to end up in the NSA’s dragnet. The combination of the query with search engines arouses suspicion. His search for “Tails” opens a door, an access point to Darko and his world. Once in the database, every query Darko makes can be retrieved on demand. Darko is under observation.
A federal privacy watchdog is largely putting its support behind a major pillar of the National Security Agency’s foreign snooping.
A draft version of a new Privacy and Civil Liberties Oversight Board (PCLOB) report released late Tuesday said that NSA programs targeting foreigners are effective, legal and show “no trace” of “illegitimate activity,” though some changes should be made to better protect Americans’ privacy.
The conclusion stands in stark contrast to a previous blistering report from the PCLOB, which ruled the NSA’s bulk collection of Americans’ phone records illegal earlier this year.
Makes you wonder what kind of dirt the NSA has on the board members…
When it comes to spying, the NSA again seems to be one step ahead: according to media reports, the American intelligence agency is also eavesdropping on the Chancellor’s new crypto phone.
After the NSA’s eavesdropping on the German government became known, new BlackBerry 10 encryption smartphones were supposed to protect the conversations of the Chancellor and her cabinet from unauthorized listening. But the American intelligence agency has already decrypted the new crypto phones as well, reports “Bild am Sonntag”. A high-ranking employee of the US intelligence service in Germany has confirmed this. “The technical changes do not affect our work,” the eavesdropping specialist told Bild.
The million dollar question is now how the NSA got access to the new BlackBerry+Secusmart…
And to go above the million dollar prize… I find it hard to believe the German government is stupid enough to buy an enhanced version of an insecure and subverted platform. If I were Merkel I would wonder who gave me this advice. Why not follow the same path as the French did – have a local defense contractor do a limited edition modification of the German cryptophone.
And for us peons, it’s safe to assume our smartphone usage is unsecurable and act accordingly.
In the latest gaffe to demonstrate the privacy perils of anonymized data, New York City officials have inadvertently revealed the detailed comings and goings of individual taxi drivers over more than 173 million trips.
City officials released the data in response to a public records request and specifically obscured the drivers’ hack license numbers and medallion numbers. Rather than including those numbers in plaintext, the 20 gigabyte file contained one-way cryptographic hashes using the MD5 algorithm. Instead of a record showing medallion number 9Y99 or hack number 5296319, for example, those numbers were converted to 71b9c3f3ee5efb81ca05e9b90c91c88f and 98c2b1aeb8d40ff826c6f1580a600853, respectively. Because they’re one-way hashes, they can’t be mathematically converted back into their original values. Presumably, officials used the hashes to preserve the privacy of individual drivers since the records provide a detailed view of their locations and work performance over an extended period of time.
It turns out there’s a significant flaw in the approach. Because both the medallion and hack numbers are structured in predictable patterns, it was trivial to run all possible iterations through the same MD5 algorithm and then compare the output to the data contained in the 20GB file. Software developer Vijay Pandurangan did just that, and in less than two hours he had completely de-anonymized all 173 million entries.
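The flaw is a keyspace problem, which a data owner can check before publishing. The following added example (not from the article or from the researcher named in it) measures how much of a release falls inside a precomputed table and compares it with a keyed pseudonym; the digit-letter-digit-digit pattern is an assumption taken from the shape of the article's example 9Y99, the sample medallions are constructed, and HMAC-SHA256 is one possible replacement that the article does not itself propose.

```python
"""Pre-release check: can hashed identifiers be matched by plain enumeration?"""
import hashlib
import hmac
import itertools
import secrets
import string


def md5_hex(value: str) -> str:
    """Unsalted MD5, as used for the identifiers in the released file."""
    return hashlib.md5(value.encode("ascii")).hexdigest()


def medallion_candidates():
    """Every value of the assumed form digit-letter-digit-digit (like 9Y99)."""
    for d1, letter, d2, d3 in itertools.product(
        string.digits, string.ascii_uppercase, string.digits, string.digits
    ):
        yield f"{d1}{letter}{d2}{d3}"


def build_lookup() -> dict:
    """Map hash -> original value for the whole candidate space."""
    return {md5_hex(candidate): candidate for candidate in medallion_candidates()}


def keyed_pseudonym(value: str, key: bytes) -> str:
    """Pseudonym that cannot be recomputed without the secret key."""
    return hmac.new(key, value.encode("ascii"), hashlib.sha256).hexdigest()


def reidentifiable_fraction(released_ids, lookup: dict) -> float:
    """Share of released identifiers that appear in the enumeration table."""
    released_ids = list(released_ids)
    hits = sum(1 for released in released_ids if released in lookup)
    return hits / len(released_ids)


# Constructed sample identifiers (not real medallion numbers).
SAMPLE_MEDALLIONS = ["4B27", "7Q03", "1M88"]

# 10 * 26 * 10 * 10 = 26,000 candidates: the table builds in well under a second.
LOOKUP = build_lookup()

# Release A: unsalted MD5 of each identifier.
UNSALTED_RELEASE = [md5_hex(m) for m in SAMPLE_MEDALLIONS]

# Release B: HMAC under a random key that stays with the data owner.
RELEASE_KEY = secrets.token_bytes(32)
KEYED_RELEASE = [keyed_pseudonym(m, RELEASE_KEY) for m in SAMPLE_MEDALLIONS]

if __name__ == "__main__":
    print("candidate space:", len(LOOKUP))
    print("unsalted MD5 re-identifiable:",
          reidentifiable_fraction(UNSALTED_RELEASE, LOOKUP))
    print("keyed HMAC re-identifiable:",
          reidentifiable_fraction(KEYED_RELEASE, LOOKUP))
```

A keyed pseudonym still links all trips of one driver to each other, so location patterns in the records remain a separate re-identification risk.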