Hacking Police Bodycams

Suprising no one, the security of police bodycams is terrible. Mitchell even realized that because he can remotely access device storage on models like the Fire Cam OnCall, an attacker could potentially plant malware on some of the cameras. Then, when the camera connects to a PC for syncing, it could deliver all sorts of malicious code: a Windows exploit…

Suprising no one, the security of police bodycams is terrible.

Mitchell even realized that because he can remotely access device storage on models like the Fire Cam OnCall, an attacker could potentially plant malware on some of the cameras. Then, when the camera connects to a PC for syncing, it could deliver all sorts of malicious code: a Windows exploit that could ultimately allow an attacker to gain remote access to the police network, ransomware to spread across the network and lock everything down, a worm that infiltrates the department's evidence servers and deletes everything, or even cryptojacking software to mine cryptocurrency using police computing resources. Even a body camera with no Wi-Fi connection, like the CeeSc, can be compromised if a hacker gets physical access. "You know not to trust thumb drives, but these things have the same ability," Mitchell says.

BoingBoing post.

from https://www.schneier.com/blog/

Google Tracks its Users Even if They Opt-Out of Tracking

Google is tracking you, even if you turn off tracking: Google says that will prevent the company from remembering where you’ve been. Google’s support page on the subject states: "You can turn off Location History at any time. With Location History off, the places you go are no longer stored." That isn’t true. Even with Location History paused, some Google…

Google is tracking you, even if you turn off tracking:

Google says that will prevent the company from remembering where you've been. Google's support page on the subject states: "You can turn off Location History at any time. With Location History off, the places you go are no longer stored."

That isn't true. Even with Location History paused, some Google apps automatically store time-stamped location data without asking.

For example, Google stores a snapshot of where you are when you merely open its Maps app. Automatic daily weather updates on Android phones pinpoint roughly where you are. And some searches that have nothing to do with location, like "chocolate chip cookies," or "kids science kits," pinpoint your precise latitude and longitude ­- accurate to the square foot -­ and save it to your Google account.

On the one hand, this isn't surprising to technologists. Lots of applications use location data. On the other hand, it's very surprising -- and counterintuitive -- to everyone else. And that's why this is a problem.

I don't think we should pick on Google too much, though. Google is a symptom of the bigger problem: surveillance capitalism in general. As long as surveillance is the business model of the Internet, things like this are inevitable.

BoingBoing story.

Good commentary.

from https://www.schneier.com/blog/

Identifying Programmers by their Coding Style

Fascinating research de-anonymizing code — from either source code or compiled code: Rachel Greenstadt, an associate professor of computer science at Drexel University, and Aylin Caliskan, Greenstadt’s former PhD student and now an assistant professor at George Washington University, have found that code, like other forms of stylistic expression, are not anonymous. At the DefCon hacking conference Friday, the pair…

Fascinating research de-anonymizing code -- from either source code or compiled code:

Rachel Greenstadt, an associate professor of computer science at Drexel University, and Aylin Caliskan, Greenstadt's former PhD student and now an assistant professor at George Washington University, have found that code, like other forms of stylistic expression, are not anonymous. At the DefCon hacking conference Friday, the pair will present a number of studies they've conducted using machine learning techniques to de-anonymize the authors of code samples. Their work could be useful in a plagiarism dispute, for instance, but it also has privacy implications, especially for the thousands of developers who contribute open source code to the world.

from https://www.schneier.com/blog/

Hacking a Robot Vacuum

The Diqee 360 robotic vacuum cleaner can be turned into a surveillance device. The attack requires physical access to the device, so in the scheme of things it’s not a big deal. But why in the world is the vacuum equipped with a microphone?…

The Diqee 360 robotic vacuum cleaner can be turned into a surveillance device. The attack requires physical access to the device, so in the scheme of things it's not a big deal. But why in the world is the vacuum equipped with a microphone?

from https://www.schneier.com/blog/

California Passes New Privacy Law

The California legislature unanimously passed the strongest data privacy law in the nation. This is great news, but I have a lot of reservations. The Internet tech companies pressed to get this law passed out of self-defense. A ballot initiative was already going to be voted on in November, one with even stronger data privacy protections. The author of that…

The California legislature unanimously passed the strongest data privacy law in the nation. This is great news, but I have a lot of reservations. The Internet tech companies pressed to get this law passed out of self-defense. A ballot initiative was already going to be voted on in November, one with even stronger data privacy protections. The author of that initiative agreed to pull it if the legislature passed something similar, and that's why it did. This law doesn't take effect until 2020, and that gives the legislature a lot of time to amend the law before it actually protects anyone's privacy. And a conventional law is much easier to amend than a ballot initiative. Just as the California legislature gutted its net neutrality law in committee at the behest of the telcos, I expect it to do the same with this law at the behest of the Internet giants.

So: tentative hooray, I guess.

from https://www.schneier.com/blog/

Manipulative Social Media Practices

The Norwegian Consumer Council just published an excellent report on the deceptive practices tech companies use to trick people into giving up their privacy. From the executive summary: Facebook and Google have privacy intrusive defaults, where users who want the privacy friendly option have to go through a significantly longer process. They even obscure some of these settings so that…

The Norwegian Consumer Council just published an excellent report on the deceptive practices tech companies use to trick people into giving up their privacy.

From the executive summary:

Facebook and Google have privacy intrusive defaults, where users who want the privacy friendly option have to go through a significantly longer process. They even obscure some of these settings so that the user cannot know that the more privacy intrusive option was preselected.

The popups from Facebook, Google and Windows 10 have design, symbols and wording that nudge users away from the privacy friendly choices. Choices are worded to compel users to make certain choices, while key information is omitted or downplayed. None of them lets the user freely postpone decisions. Also, Facebook and Google threaten users with loss of functionality or deletion of the user account if the user does not choose the privacy intrusive option.

[...]

The combination of privacy intrusive defaults and the use of dark patterns, nudge users of Facebook and Google, and to a lesser degree Windows 10, toward the least privacy friendly options to a degree that we consider unethical. We question whether this is in accordance with the principles of data protection by default and data protection by design, and if consent given under these circumstances can be said to be explicit, informed and freely given.

I am a big fan of the Norwegian Consumer Council. They've published some excellent research.

from https://www.schneier.com/blog/

High Court Ruling a ‘Victory’ for Digital Privacy Rights, says ACLU

Americans have won a “ground breaking” victory for privacy rights in the digital age, thanks to last week’s Supreme Court decision requiring police to seek a warrant in most cases to access cell phone data, according to a privacy expert with the American Civil Liberties Union (ACLU). 

Americans have won a “ground breaking” victory for privacy rights in the digital age, thanks to last week’s Supreme Court decision requiring police to seek a warrant in most cases to access cell phone data, according to a privacy expert with the American Civil Liberties Union (ACLU). 

The ruling “opened up the path for future cases to apply the Fourth Amendment to all kinds of digital data that American’s can’t avoid using in their daily lives,” said Nathan Wessler, the ACLU attorney who represented Timothy Carpenter, the defendant in the case.

Timothy Carpenter, had been sentenced to 116 years in prison for his role in robberies of Radio Shack and T-Mobile stores in Michigan and Ohio. Cell tower records that investigators received without a warrant bolstered the case against Carpenter.

Investigators received the cell tower records with a court order that requires a lower standard than the “probable cause” needed to obtain a warrant.

See also: Cops Need Warrant to Obtain Cellphone Data, High Court Rules.

Wessler noted that as technology develops, privacy rights will have to follow.

In an interview with The Crime Report, he called the ruling “a strong rejection of the government’s position that by merely using modern technology (which results in data storing) we give up privacy rights to digital records.”

“The ruling strongly defends people’s privacy rights and cell phone location data, which can reveal so much private information about where we go an who we spend time with.”

According to Wessler, without proper privacy laws, law enforcement has access to a plethora of information through data sharing.

“Technology is giving police capabilities that were unimaginable a decade or two ago and right now there are many other ways police are gathering evidence,” he said.

He listed facial recognition, smart devices that monitor heart rate, news apps that reveal what you’re reading and what your politics are, and dating apps that reveal your relationship status as possible information that police could collect.

There are so many permutations of sensitive digital data that courts will have to be grappling with very soon, he warned.

“But going forward, cautious and responsible police and prosecutors should get warrants whenever they request phone data.”

“If they don’t, they are risking [having] their evidence thrown out when courts interpret what Supreme Court was talking about.”

Megan Hadley is a staff writer for The Crime Report. She welcomes comments from readers. 

from https://thecrimereport.org

The Effects of Iran’s Telegram Ban

The Center for Human Rights in Iran has released a report outlining the effect’s of that country’s ban on Telegram, a secure messaging app used by about half of the country. The ban will disrupt the most important, uncensored platform for information and communication in Iran, one that is used extensively by activists, independent and citizen journalists, dissidents and international…

The Center for Human Rights in Iran has released a report outlining the effect's of that country's ban on Telegram, a secure messaging app used by about half of the country.

The ban will disrupt the most important, uncensored platform for information and communication in Iran, one that is used extensively by activists, independent and citizen journalists, dissidents and international media. It will also impact electoral politics in Iran, as centrist, reformist and other relatively moderate political groups that are allowed to participate in Iran's elections have been heavily and successfully using Telegram to promote their candidates and electoral lists during elections. State-controlled domestic apps and media will not provide these groups with such a platform, even as they continue to do so for conservative and hardline political forces in the country, significantly aiding the latter.

From a Wired article:

Researchers found that the ban has had broad effects, hindering and chilling individual speech, forcing political campaigns to turn to state-sponsored media tools, limiting journalists and activists, curtailing international interactions, and eroding businesses that grew their infrastructure and reach off of Telegram.

It's interesting that the analysis doesn't really center around the security properties of Telegram, but more around its ubiquity as a messaging platform in the country.

from https://www.schneier.com/blog/