In the June 2013 announcement of iOS 7, Apple emphasized changes in the Find My iPhone app and service. With good reason: the new version makes any iOS device far less attractive to steal, erase, and resell, plus it provides more location-tracking data. These improvements should reduce thieves’ interest in iOS devices because they won’t be easy to sell or fence, and might help law enforcement track down less-wary criminals more often.
Apple added this feature because mobile carriers (at least in the United States and several other countries) have shown little interest in helping their customers recover stolen mobile phones or eliminate the value of those phones at resale. Both GSM and CDMA phones have unique, burned-in hardware identifiers — the IMEI and MEID, respectively — and carriers know which ID is associated with your account. If you report a phone as stolen, the carrier could prevent that ID from being reactivated, provide you with information about its location, notify law enforcement, seize it when brought into a store, and so forth. Carriers do essentially none of that.
As a result, expensive smartphones with high resale value, like the iPhone, have become desirable targets for thieves, and account for a significant percentage of serious crimes in many cities. For instance, cellphone-related thefts accounted for 41 percent of serious crimes during a six-month period earlier this year in San Francisco, 40 percent of robberies in Washington, D.C., and over 50 percent of all street crime in New York City.
With iOS 7 and Find My iPhone, Apple now has the technology to stop iOS device theft in its tracks, although the company couches these capabilities in terms of “lost” iPhones, not stolen ones. No one wants to think about theft, but we all misplace things.
(…snip…) While once the flow of data across the Internet appeared too overwhelming for N.S.A. to keep up with, the recent revelations suggest that the agency’s capabilities are now far greater than most outsiders believed. “Five years ago, I would have said they don’t have the capability to monitor a significant amount of Internet traffic,” said Herbert S. Lin, an expert in computer science and telecommunications at the National Research Council. Now, he said, it appears “that they are getting close to that goal.”
Thanks to Tyler Cowen for the link to this NYT piece by James Risen and Eric Lichtblau. I've been casually following Palantir Technologies for some time. They are arguably one of the “new disruptors” and by chance happen to be headquartered next to the Philz Coffee that we favor in Palo Alto (Philz is of course full of Palantir and other denizens of the brain-powered companies based around Palo Alto). From listening to a couple of podcast interviews with CEO Dr. Alex Karp, I understood Palantir's specialty was to help clients such as drug developers or intelligence agencies discern patterns in mountains of data. Palantir is not an automated data-mining algorithms company. Their secret sauce is enabling human brainpower to analyze enormous and often separate data sets. So visualization of relationships is an important part of their solutions.
Palantir has a large number of YouTube videos - conference lectures, demos, and “Palantir 101” type overviews.
I'll close with an apt Alex Karp quote from the Palantir website:
“There is no point in having a war on terrorism if civil liberties are being undermined to the extent that we aren’t willing to fight that war.”
Further to the cognitive computing topic, I'll also note that IBM Research Director John Kelly is speaking tonight at the Computer History Museum in nearby Mountain View. We immediately tried to reserve seats, but Kelly's talk is already sold out. His book Smart Machines: IBM’s Watson and the Era of Cognitive Computing, will be published in the fall by Columbia University Press. You can read a free chapter here.
We’re calling for greater transparency–asking the government to let us publish in our Transparency Report aggregate numbers of national security requests, including their scope. Here’s our letter to the US government.
This morning we sent the following letter to the offices of the Attorney General and the Federal Bureau of Investigation. Read the full text below. -Ed.
Dear Attorney General Holder and Director Mueller:
Google has worked tremendously hard over the past fifteen years to earn our users’ trust. For example, we offer encryption across our services; we have hired some of the best security engineers in the world; and we have consistently pushed back on overly broad government requests for our users’ data.
We have always made clear that we comply with valid legal requests. And last week, the Director of National Intelligence acknowledged that service providers have received Foreign Intelligence Surveillance Act (FISA) requests.
Assertions in the press that our compliance with these requests gives the U.S. government unfettered access to our users’ data are simply untrue. However, government nondisclosure obligations regarding the number of FISA national security requests that Google receives, as well as the number of accounts covered by those requests, fuel that speculation.
We therefore ask you to help make it possible for Google to publish in our Transparency Report aggregate numbers of national security requests, including FISA disclosures—in terms of both the number we receive and their scope. Google’s numbers would clearly show that our compliance with these requests falls far short of the claims being made. Google has nothing to hide.
Google appreciates that you authorized the recent disclosure of general numbers for national security letters. There have been no adverse consequences arising from their publication, and in fact more companies are receiving your approval to do so as a result of Google’s initiative. Transparency here will likewise serve the public interest without harming national security.
We will be making this letter public and await your response.
Chief Legal Officer
David Simon, creator of The Wire, wrote a commentary on this topic that may help readers understand the purpose of the NSA database. I don’t know that Simon has any special knowledge – beyond his experience as a Baltimore police reporter. But I thought he did a good job explaining the basics of the why and the how. First David outlines the equivalent procedures used by the Baltimore police and drug enforcement apparatus. Then he draws the parallels with this excerpt:
(…snip…) The question is not should the resulting data exist. It does. And it forever will, to a greater and greater extent. And therefore, the present-day question can’t seriously be this: Should law enforcement in the legitimate pursuit of criminal activity pretend that such data does not exist? The question is more fundamental: Is government accessing the data for the legitimate public safety needs of the society, or are they accessing it in ways that abuse individual liberties and violate personal privacy — and in a manner that is unsupervised?
And to that, the Guardian and those who are wailing jeremiads about this pretend-discovery of U.S. big data collection are noticeably silent. We don’t know of any actual abuse. No known illegal wiretaps, no indications of FISA-court approved intercepts of innocent Americans that occurred because weak probable cause was acceptable. Mark you, that stuff may be happening. As is the case with all law enforcement capability, it will certainly happen at some point, if it hasn’t already. Any data asset that can be properly and legally invoked, can also be misused — particularly without careful oversight. But that of course has always been the case with electronic surveillance of any kind.
Keep in mind that the FISA court was created as a means of having some definitive oversight into a world that previously had been entirely unregulated, and wiretapping abuses by the U.S. executive branch and by law enforcement agencies were in fact the raison d’etre for the creation of FISA and a federal panel of judges to review national security requests for electronic surveillance. Is it perfect? Of course not. Is it problematic that the court’s rulings are not public? Surely.
But the fact remains that for at least the last two presidential administrations, this kind of data collection has been a baseline logic of an American anti-terrorism effort that is effectively asked to find the needles before they are planted into haystacks, to prevent even such modest, grass-rooted conspiracies as the Boston Marathon Bombing before they occur.
So think for a minute about a scenario in which, say, a phone number is identified overseas as being linked to terror activity. It is so identified by, say, NSA overseas intercepts or through intelligence gathering by the CIA or the military. And say that there exists a database of billions and billions of telephonic contacts in the United States over a period of months or years. And say a computer could then run the suspect number through that data base and determine a pattern of communication between that overseas phone and several individuals in New York, or Boston, or Detroit. Would you want that connection to be made and made quickly? Or do you want to leave law enforcement to begin trying to acquire the call history on that initial phone from overseas carriers who may or may not maintain detailed retroactive call data or be unwilling to even provide that data fully to American law enforcement or do so while revealing the investigative effort to the targets themselves?
Keep in mind that law enforcement must still establish probable cause to then begin to actually monitor conversations on the domestic numbers, and that this request for electronic surveillance is then, of course, subject to judicial review by the FISA court.
Yes, I can hear the panicked libertarians and liberals and Obama-haters wailing in rare unison: But what about all the innocent Americans caught up in this voracious, overreaching dragnet? To which the answer is obvious if you think about the scale of this: What dragnet?
This is a longish essay – so you’ll profit from reading the whole thing. There are a few 4-letter words. If you are especially interested in this topic then you will probably find it very worthwhile to scan through the 430 comments to David’s essay. There you will find there is a good bit more nuance to his position than you might think.
Pretty much anything that can be remembered can be cracked
Bruce Schneier discusses how the increasing power and efficiency of password cracking makes careless users increasingly vulnerable.
…The article goes on to explain how dictionary attacks work, how well they do, and the sorts of passwords they find.
Steube was able to crack “momof3g8kids” because he had “momof3g” in his 111 million dict and “8kids” in a smaller dict.
“The combinator attack got it! It's cool,” he said. Then referring to the oft-cited xkcd comic, he added: “This is an answer to the batteryhorsestaple thing.”
What was remarkable about all three cracking sessions were the types of plains that got revealed. They included passcodes such as “k1araj0hns0n,” “Sh1a-labe0uf,” “Apr!l221973,” “Qbesancon321,” “DG091101%,” “@Yourmom69,” “ilovetofunot,” “windermere2313,” “tmdmmj17,” and “BandGeek2014.” Also included in the list: “all of the lights” (yes, spaces are allowed on many sites), “i hate hackers,” “allineedislove,” “ilovemySister31,” “iloveyousomuch,” “Philippians4:13,” “Philippians4:6-7,” and “qeadzcwrsfxv1331.” “gonefishing1125” was another password Steube saw appear on his computer screen. Seconds after it was cracked, he noted, “You won't ever find it using brute force.”
So get yourself a secure password manager. As I write 1Password is still on half-price sale! And here is the referenced Ars Technica article: Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331” For Ars, three crackers have at 16,000+ hashed passcodes—with 90 percent success.
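To make the three attack modes in the Ars excerpt concrete (a straight dictionary run, a rule pass that swaps digits for letters, and the combinator attack that joined “momof3g” to “8kids”), here is an added Python example. It is not code from the Ars article or from Steube's tooling: the “leaked” hash set and the two word lists are constructed for the demo, and unsalted MD5 stands in for whatever hash the real dump used.

```python
import hashlib
from itertools import product


def md5_hex(s: str) -> str:
    """Unsalted MD5, the weak scheme assumed for the constructed dump."""
    return hashlib.md5(s.encode()).hexdigest()


# Constructed "leaked" hashes: the cracker only ever sees these hex digests.
TARGET_HASHES = {md5_hex(p) for p in ["momof3g8kids", "k1araj0hns0n", "gonefishing1125"]}

# Constructed word lists (real runs use lists with millions of entries).
LEFT_WORDS = ["momof3g", "gonefishing", "klarajohnson", "password", "windermere"]
RIGHT_WORDS = ["8kids", "1125", "2014", "123", "!"]

# Leetspeak substitutions tried by the rule-based pass.
LEET = {"l": "1", "o": "0", "a": "4", "e": "3"}


def straight_attack(words, targets):
    """Hash each word exactly as listed and look for a match."""
    return {w for w in words if md5_hex(w) in targets}


def rule_attack(words, targets, subs=LEET):
    """Apply every subset of the substitutions to each word (2**len(subs) variants)."""
    items = list(subs.items())
    found = set()
    for w in words:
        for mask in range(1 << len(items)):
            cand = w
            for i, (old, new) in enumerate(items):
                if mask >> i & 1:
                    cand = cand.replace(old, new)
            if md5_hex(cand) in targets:
                found.add(cand)
    return found


def combinator_attack(left, right, targets):
    """Concatenate every left word with every right word: len(left)*len(right) guesses."""
    return {a + b for a, b in product(left, right) if md5_hex(a + b) in targets}


def run_all():
    """Run the three modes over the constructed dump; returns {mode: cracked plains}."""
    return {
        "straight": straight_attack(LEFT_WORDS + RIGHT_WORDS, TARGET_HASHES),
        "rules": rule_attack(LEFT_WORDS, TARGET_HASHES),
        "combinator": combinator_attack(LEFT_WORDS, RIGHT_WORDS, TARGET_HASHES),
    }


if __name__ == "__main__":
    for mode, plains in run_all().items():
        print(f"{mode:>10}: {sorted(plains) or 'nothing'}")
```

The straight pass finds nothing, the rule pass recovers “k1araj0hns0n” from “klarajohnson” with two substitutions, and the combinator pass recovers the two concatenations in 25 guesses. Brute-forcing a 12- or 15-character mixed string would take far longer; the lesson is that length buys you nothing if every piece of the password is a dictionary entry.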
Just the right ingredients for a new media frenzy: USA, internet traffic spying, Too-Powerful-Corporations. Megan McArdle has offered an analysis that is close to our view:
(…snip…) What to make of this? It would be stupid for them to deny this, and then get sued by their customers when it turns out it’s not true.
Last night on Twitter, my husband outlined five possibilities:
1. The companies are lying
2. Only a few people in the company know about this, and they aren’t issuing the statements
3. The Post and the Guardian are wrong and have been duped
4. PRISM was operating without the knowledge of the companies
5. The companies know, and those statements are very carefully worded.
All of these are in some way unbelievable. #1 is asking for a class action suit that destroys your company. #3 involves some very suspicious national security reporters at two different outlets simultaneously getting duped. And #2 strikes me as extremely unlikely. I can imagine one rogue employee doing this without telling his employers. I cannot imagine the exact same thing happening at nine of the biggest internet companies.
The most likely possibilities seem to be #4 or #5: the NSA is filtering this stuff at some point outside the companies, or the companies have issued some very, very carefully worded statements.
I recommend reading Megan’s entire essay, typically well-done. Something isn’t right about the headlined story, but I don’t have any knowledge of what (if anything) has actually been going on. It’s pretty much a non-issue for us as we assume governments have access to any electronic communication we use (including any phone or internet link). Presumably anyone wishing to prevent governments from “reading their mail” uses at least a VPN and, as insurance, robust encryption inside the VPN tunnel.
A friend alerted us today to this Security Ledger bulletin on Jeremi Gosney's GPU rig. For those concerned that their online accounts may not be secure there is a series of Seekerblog posts that may be helpful (all have the tag Security).
Regarding the risk posed by these ultra-fast cracking farms, check out Steve Gibson’s “password haystack”. And remember that these fast-crackers are only relevant to offline attacks, where the bad guys already hold the password hashes: either they have your computer/device, or they have obtained a site's password hash file, which in practice usually means the site was breached (see the Zappos and Stratfor incidents below), not that anyone walked into its data center. If you have a 30-character passphrase you are probably safe even from that. Do make sure your phrase is not in a dictionary, and not just two dictionary words glued together, since the combinator attack that recovered “momof3g8kids” tries exactly such pairings; you can easily ensure this by adding say ….. somewhere.
Bandits trying to brute force your Gmail account over the internet, by contrast, are throttled by the provider's rate limiting and lockouts to something on the order of 100 to 1,000 guesses per second, hundreds of millions of times slower than a GPU rig running at 348 billion guesses per second against a leaked hash file.
But we need to also protect ourselves from social engineering attacks, where even the security-aware could be tricked into revealing information that can be used in a penetration. E.g., How Apple and Amazon Security Flaws Led to My Epic Hacking
To foil that sort of attack we think it is important to “silo” key accounts with unique email addresses – which do help to create a higher security fence. E.g., we create a unique email address for each high-value account, such as Apple, Google, Gmail, bank, brokerage, etc..
So make sure each such account has a unique email/login and unique/strong passphrase. I expect someday one of our key accounts will be compromised, maybe by an insider. Then we will be really glad that account was in its own silo.
It's not difficult to accomplish this if you use 1Password to manage all of your sensitive data – see my post The only secure password is the one you can’t remember. Now go buy 1Password for each device that will have access to your password “wallet”.
Lastly, here is Steve Gibson's analysis of one of our 26 character passwords. Note that even the 25 GPU Monster will need about 10 trillion centuries to stumble on to this one (at 348 billion guesses / second).
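A worked version of the haystack arithmetic behind that estimate, as an added Python example (my code, not Steve Gibson's calculator): the alphabet size is the sum of the character classes the password actually uses (26 lower, 26 upper, 10 digits, 33 other printable ASCII including space), the search space counts every string up to the password's length, and time-to-exhaust is that space divided by the guess rate. The 348 billion/s and 1,000/s rates are the figures quoted on this page; the sample passwords are constructed.

```python
import string

# Character classes and their sizes (33 = string.punctuation plus the space).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "other": set(string.punctuation + " "),
}

RATE_ONLINE = 1_000              # guesses/s against a rate-limited web login (page figure)
RATE_GPU_RIG = 348_000_000_000   # guesses/s for the 25-GPU rig (page figure)


def alphabet_size(pw: str) -> int:
    """Size of the alphabet an attacker must assume, given the classes present."""
    used = {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}
    return sum(len(CLASSES[name]) for name in used)


def search_space(pw: str) -> int:
    """Every string of length 1..len(pw) over that alphabet, as an exact integer."""
    n = alphabet_size(pw)
    return sum(n ** k for k in range(1, len(pw) + 1))


def seconds_to_exhaust(pw: str, rate: int) -> float:
    """Worst-case time for a pure brute-force sweep at the given guess rate."""
    return search_space(pw) / rate


def humanize(seconds: float) -> str:
    for unit, size in (("centuries", 3.156e9), ("years", 3.156e7),
                       ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    # Constructed samples: a short "complex" password vs a long plain passphrase.
    for pw in ["Tr0ub4dor&3", "correct horse battery staple", "qeadzcwrsfxv1331"]:
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, space {search_space(pw):.3e}")
        print(f"   online 1k/s : {humanize(seconds_to_exhaust(pw, RATE_ONLINE))}")
        print(f"   GPU rig     : {humanize(seconds_to_exhaust(pw, RATE_GPU_RIG))}")
```

This number is a brute-force upper bound, nothing more. Dictionary, rule and combinator attacks ignore the haystack entirely, which is why “qeadzcwrsfxv1331” fell in the Ars session despite a respectable search space: its keyboard-walk structure was in the cracker's pattern lists.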
Don’t let this hack happen to you!
Meet Mat Honan. He just had his digital life dissolved by hackers. Photo: Ariel Zambelich/Wired. Illustration: Ross Patton/Wired
In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.
Troy Hunt explains why you really, really need to start using 1Password:
Another week, another major security incident with a significant website. So the news this time is that Zappos – those guys who sell shoes (among other things) – to folks in the US may have, uh, accidentally disclosed somewhere in the order of 24 million user accounts. Bugger.
Now of course at the root of this is inevitably yet more evildoers intent on breaking through website security for financial gain, activism or just plain old kicks. Regardless of the modus operandi of these incidents, the fact remains that a significant number of accounts have been exposed and there’s now the real possibility that usernames and passwords – perhaps your username and password – are going to be floating around the internet being seen by who knows how many people.
Good advice from Troy Hunt — the hacking of Stratfor is a warning to all of us that we cannot assume that our username/password is safe at any site. If you reuse the same password you must assume that every site associated with that reuse will become public someday. Excerpt:
(…) Once you’ve been well and truly owned in Stratfor / Sony / Gawker style, that dirty laundry is going to become very, very public. Stratfor did a number of fundamentally stupid things in their website design and those practices are now on show for the world to see. Using MD5 as a hashing algorithm; bad form. No salts used; foolhardy. Storing credit cards in the clear; downright negligent.
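The two storage mistakes Troy lists (MD5, no salt) beside the fix, as an added Python example; this is not Stratfor's code or Troy Hunt's. The attacker's lookup table is constructed from a handful of common passwords, and PBKDF2-HMAC-SHA256 from the standard library stands in for whichever slow, salted KDF (bcrypt, scrypt, Argon2) you would actually deploy.

```python
import hashlib
import hmac
import os


# --- Weak scheme from the post: unsalted MD5 ---------------------------------
def md5_unsalted(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


# An attacker builds this table once (constructed here from four common
# passwords; real tables hold billions) and reuses it against every user of
# every site that stores unsalted MD5, because identical passwords hash identically.
LOOKUP = {md5_unsalted(p): p for p in ["password", "123456", "letmein", "qwerty"]}


def crack_md5(digest: str):
    """Instant crack: a dictionary lookup, no hashing at all."""
    return LOOKUP.get(digest)


# --- Hardened scheme: per-user random salt plus a slow KDF ---------------------
ITERATIONS = 200_000  # tune so one verification costs ~0.1 s on your hardware


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: algorithm$cost$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    weak = md5_unsalted("letmein")
    print("unsalted MD5 cracked to:", crack_md5(weak))
    rec = hash_password("letmein")
    print("salted record:", rec)
    print("verify correct:", verify_password("letmein", rec))
    print("verify wrong  :", verify_password("letmeout", rec))
    print("same password, new salt differs:", hash_password("letmein") != rec)
```

With the salt, two users who picked “letmein” get different records and a precomputed table is useless; with the iteration count, each guess costs the attacker the same 200,000 HMAC operations it costs you, which turns the 348 billion-per-second rig into a few-thousand-per-second one. The third item on Troy's list has no hashing fix: card numbers should not be stored at all, only the processor's token.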