DocScrutinizer05 changed the topic of #neo900 to: http://neo900.org | conversations are logged to http://infobot.rikers.org/%23neo900/ and http://irclog.whitequark.org/neo900
xes has quit [Quit: Going offline...]
phre4k has joined #neo900
jonwil has quit [Quit: ChatZilla 0.9.91.1 [SeaMonkey 2.31/20141202220728]]
SylvieLorxu has quit [Quit: ZNC - http://znc.in]
Sicelo has quit [Ping timeout: 245 seconds]
Sicelo has joined #neo900
che1 has quit [Ping timeout: 240 seconds]
phre4k has quit [Remote host closed the connection]
nox- has quit [Quit: Leaving]
j4s0nmchr1st0s has joined #neo900
j4s0nmchr1st0s has left #neo900 [#neo900]
sparetire_ has quit [Quit: sparetire_]
<Oksana> Quuiiieeeettttt.......
<wpwrak> you should move to french polynesia :) then your weekend would end very late and the would would be buzzing with activity by the time you even get up :)
<wpwrak> #s/would/world
ashneo76 has quit [Ping timeout: 256 seconds]
ashneo76 has joined #neo900
b1101 has quit [Quit: b1101]
lexik has joined #neo900
kolp has joined #neo900
lexik has quit [Ping timeout: 244 seconds]
ecloud_wfh is now known as ecloud
phre4k has joined #neo900
SylvieLorxu has joined #neo900
lexik has joined #neo900
che1 has joined #neo900
che1 has quit [Ping timeout: 264 seconds]
SylvieLorxu has quit [Quit: ZNC - http://znc.in]
che1 has joined #neo900
jonwil has joined #neo900
<jonwil> hi
<bencoh> o/
lexik has quit [Ping timeout: 245 seconds]
astr has quit [*.net *.split]
DocScrutinizer05 has quit [*.net *.split]
trench has quit [*.net *.split]
JoHnY has quit [*.net *.split]
trench_ has joined #neo900
astr has joined #neo900
jonwil has quit [Read error: Connection reset by peer]
DocScrutinizer05 has joined #neo900
jonwil has joined #neo900
JoHnY has joined #neo900
jonwil has quit [Quit: ChatZilla 0.9.91.1 [SeaMonkey 2.31/20141202220728]]
<DocScrutinizer05> [general sidenote] for clarification, the terms "Hacker" and "hacking" as used in context of Neo900:
<DocScrutinizer05> A hacker is an adherent of the subculture that originally emerged in academia in the 1960s, around the Massachusetts Institute of Technology (MIT)'s Tech Model Railroad Club (TMRC)[1] and MIT Artificial Intelligence Laboratory.[2]
<DocScrutinizer05> A hacker is one who enjoys the intellectual challenge of creatively overcoming and circumventing limitations of programming systems and who tries to extend their capabilities.[3] The act of engaging in activities (such as programming or other media[4]) in a spirit of playfulness and exploration is termed hacking. However the defining characteristic of a hacker is not the activities performed themselves (e.g. programming), but the manner
<DocScrutinizer05> in which it is done: Hacking entails some form of excellence, for example exploring the limits of what is possible,[5] thereby doing something exciting and meaningful.
<DocScrutinizer05> dos1: seems our website could use a footnote making this aspect more clear
<DocScrutinizer05> or simply a link to the above URL behind every term including "hack"
phre4k has quit [Ping timeout: 244 seconds]
phre4k has joined #neo900
mvaenskae has joined #neo900
phre4k has quit [Ping timeout: 264 seconds]
<DocScrutinizer05> actually the short statement is: each use of the terms "hacker" "hack" etc in context of Neo900 is according to http://tools.ietf.org/html/rfc1392
<DocScrutinizer05> hacker
<DocScrutinizer05> A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. The term is often misused in a pejorative context, where "cracker" would be the correct term.
Pali has quit [Remote host closed the connection]
<wpwrak> maybe s/Hacking/Tinkering/ ? that should avoid the confusing term altogether. or to make it sound more serious, one of "Experiments", "Exploration", "Investigation", or "Research" ?
<wpwrak> the ~bility forms would be tricky. there is actually "experimentability" (very rare, it seems) but it seems to refer more to something being accessible to step-by-step construction than to letting people tweak it
<wpwrak> ah, alternative to Tinkering: Tweakable :) http://en.wiktionary.org/wiki/tweakable
<wpwrak> i like that
<kerio> almost all the smartphones produced today are hackable, in the sense that they don't resist being whacked with a sharp blade
sparetire_ has joined #neo900
che1 has quit [Remote host closed the connection]
<DocScrutinizer05> our website has "hacker friendly"
che1 has joined #neo900
<DocScrutinizer05> I don't see a good alternative to this term
<DocScrutinizer05> it however insinuates "particularly vulnerable to crackers intruding into it" to those who have no idea about the real meaning of "hacker"
<kerio> "the smartphone for the tinfoil hat conspiracy theorists"
<DocScrutinizer05> that would be a brick, with nice painting
<DocScrutinizer05> Neo900 is explicitly NOT for those guys
<kerio> don't you know that paint is how the government controls you?
<wpwrak> that "real meaning" thing is dubious anyway. words change their meaning, depending on use. one could say "original meaning", but then there are countless words that have become torn and twisted in common use, and only language nerd could really appreciate all these subtleties.
che1 has quit [Ping timeout: 264 seconds]
<wpwrak> kerio: hah, so that's where they're hiding the chemtrails now !
<DocScrutinizer05> Neo900 is for those who understand the security threats immanent to smartphones and want a device that deals with them on the most investigated and engineered level
<DocScrutinizer05> wpwrak: this approach forbids communication completely, in last consequence
<DocScrutinizer05> I think basing communication on a perceived common vocabulary, clarifying terms that might be uncommon or ambiguous to some of the audience, is the way to go
<DocScrutinizer05> from another perspective: I won't pick the words according to what others left over for me and haven't hijacked them yet. I use the words I'm used to and I defend their meaning against anybody trying to pervert their meaning
<wpwrak> (forbid communication) yes, at the end each tribe only understands the dialect / jargon spoken in their valley and whatever the neighbours say may sound familiar on the level of words, but the meaning will be incomprehensible.
<DocScrutinizer05> otherwise soon you can't use a single word anymore since every possible term been "owned" by industry and advertising fools
<DocScrutinizer05> soon "flat rate" means you don't get more than what you paid for but maybe you get less, and "freedom" means you don't have to join, you're free to stand back
<wpwrak> would(r) that(tm) not(tm) be(r) great(r) !(tm, "bildmarke", patent pending)
che1 has joined #neo900
freemangordon_ has joined #neo900
b1101 has joined #neo900
b1101 has quit [Client Quit]
b1101 has joined #neo900
Pali has joined #neo900
<DocScrutinizer05> anyway Neo900 will continue to use the term "hacker" and make clear that it's hacker[rfc1392]
<DocScrutinizer05> oops, prolly http://tools.ietf.org/html/rfc1983
<DocScrutinizer05> (no difference, but the latter obsoletes the former)
<DocScrutinizer05> maybe Neo900.org could use a /glossary page ;-)
trx has quit [Ping timeout: 245 seconds]
che1 has quit [Ping timeout: 244 seconds]
freemangordon_ has quit [Quit: Leaving.]
<DocScrutinizer51> wpwrak: in some contexts the terms 'scientific investigation' or sth similar might actually be suited better
<DocScrutinizer51> exploration, evaluation, whatever
<DocScrutinizer51> 'hacking NFC protocols' sounds outright rogue
<DocScrutinizer51> even to me ;)
che1 has joined #neo900
<wpwrak> i just changed the "title". the rest of the paragraph is the same: https://privatepaste.com/e46139bcc9
<wpwrak> (and yes, i intentionally avoided the use of "security research" :)
<DocScrutinizer51> hmm, let's see. privatepaste might work on microB
<DocScrutinizer51> looks good
<DocScrutinizer51> ~ping
<infobot> ~pong
<DocScrutinizer51> grrrr
<DocScrutinizer51> ooh
<DocScrutinizer51> sorry, lag
<DocScrutinizer51> wpwrak: already share an URL for sneak preview?
<DocScrutinizer51> you know how long it usually takes to publish the tiniest newsletter
<Steven__> DocScrutinizer51: Is there a defined threat model for the Neo900?
<bencoh> a threat model ?
<Steven__> An outline of the possible attackers and attacks against the phone that are considered to be within the purview of the hardware to defend against.
<Steven__> Could be either general or specific.
<Steven__> E.g. a general one would be "prevent subverted firmware from being installed undetected". A specific one might be "prevent autonomous DMA access without approval of the kernel".
<wpwrak> DocScrutinizer51: let's give nik a couple more hours to yell "NOOOOO !!!!" in case he bumps into something that frightens him :) then i'll make a "proper" public release. i guess i should also move the sources (without history) over from the private repo to the public "misc"
<DocScrutinizer51> installation of sw is up to the user
<DocScrutinizer51> Nik won't bother what Neo900 UG and its members publish
<DocScrutinizer51> unless you explicitly ask for review, he prolly won't even read the draft
<DocScrutinizer51> and I guess a review of that whitepaper would cost us some paid 4h
<DocScrutinizer51> I don't see any threat whatsoever in that paper
<DocScrutinizer51> and I want that document published before it's 6th of Jan anywhere on this globe
<DocScrutinizer51> you know, the day on which large parts of this world unpack the xmas gifts
<DocScrutinizer51> (frightens him) particularly Nik doesn't feel frightened by any activity of Neo900 UG that doesn't involve GDC directly
<DocScrutinizer51> which has been the whole purpose of the reorg
<kerio> "you know, the day on which large parts of this world unpack the xmas gifts"
<kerio> u wot m8
<Steven__> Is there any way to authenticate the cell base stations?
<Steven__> Or identify them uniquely.
<Steven__> There have been some issues in the US with different agencies spoofing base stations to do dragnet surveillance. AFAIK, cell phones just blindly connect to them without any modifications if their signal strength is higher than the legit stations.
<bencoh> Steven__: dunno if there is a proper way, but you'd have to trust your modem first :)
<Steven__> Well, at this point phones will fall for that trick without any subversion going on with the modem.
<mvaenskae> Steven__: i would recommend using location based maps with timestamps
<mvaenskae> if a base station is active at irregular intervals it isn't really a base station you should trust imho
<mvaenskae> also visual inspection of the area for the base station
<Steven__> mvaenskae: That is what I was thinking, but you would still have to have a way of identifying the different base stations.
<mvaenskae> Steven__: usually they broadcast their IDs i believe
<mvaenskae> or at least there should be a unique profile to them
<Steven__> Hmm, is that difficult to spoof like the IMEI is?
<mvaenskae> or was that on satellites?
<mvaenskae> i cannot recall :(
<mvaenskae> Steven__: android has something on cell sites i believe, google can likely help you out there
<Steven__> I thought there would be a station ID, but I don't recall whether it participates in the cryptographic handshake. IIRC the IMEI is used in the handshake, and it cannot be spoofed unless you either break the crypto or remove the secret key from the SIM card (which it is not designed to allow).
<Steven__> It has been a while since I read about the protocol though.
<Steven__> mvaenskae: Actually finding out the data on cell sites is the nitty-gritty practical details. It would be nice to know whether it is even possible with off the shelf modems first.
<mvaenskae> Steven__: depending on how "open" imsi catcher and such are they should be able to allow near flawless copies of base stations
<mvaenskae> it's not a violation of law if the police do it sadly :(
<Steven__> It might be a violation of what the cheap hardware allows though. What I mean is that if we look at how the SIM card works (if I am remembering this correctly), it has an onboard crypto chip for authenticating with the network using a secret key that is only present on the chip. It would be quite difficult to spoof that even if you were the police.
<Steven__> If the towers operate similarly, then they would have different IDs. Also, there are reasons why they would have different IDs even if they didn't operate similarly. Two reasons: this spoofing can currently be done (IIRC) without any interaction with the cell service to get the IDs of their base stations; also, even if they did share that information it might negatively impact the network in the area to have two base stations with
<mvaenskae> negative impact shouldn't matter to them, right?
<Steven__> I think it would, for various reasons.
<Steven__> The biggest one being that it would be detected and then there would be a huge PR disaster.
<mvaenskae> also there is still one opensource 2g modem you could use but changing it might result in violations of local law
<mvaenskae> Steven__: the nsa still exists
<Steven__> What if someone dialed emergency services and couldn't get through because their phone was confused about what it was talking to? Someone could die from that.
<mvaenskae> also police departments where imsi-catchers have been used still stand
<Steven__> AFAIK, those just forward communications after recording what they want.
<Steven__> If you spoof the same ID, you can't ensure that the protocols work correctly.
<Steven__> Because you can no longer know if your transmission is acknowledged by the correct party.
<Steven__> You might make two transmissions to one ID and they get received by different equipment.
<Steven__> And then your phone gets confused.
<mvaenskae> i still am not quite sure people copying cell towers really care :)
<mvaenskae> they are doing criminal stuff :)
<Steven__> It isn't criminal in their eyes.
<mvaenskae> true :)
<Steven__> Well, anyway, if it is a crypto protocol you might not be able to get the same ID without A: breaking the crypto or B: accessing the base station.
<Steven__> That increases the cost to the attacker, which is what this is all about.
<mvaenskae> i believe in last year's ccc someone demonstrated hacking sim cards
<Steven__> And the publicity of their use of the spoofing equipment, which is very important too.
<Steven__> mvaenskae: was this just running their code on the SIM, or actually getting a copy of its secret key? I think the crypto part is designed to be tamper resistant, but the processor might not be.
<Steven__> Ah. Here is what I was looking for: https://en.wikipedia.org/wiki/Cell_ID
<mvaenskae> i am not sure on the specifics anymore on that, at least they did something with sim cards that was quite mind boggling
<mvaenskae> Steven__: oh, google might actually have nice stats on Cell IDs now that i think about it
<Steven__> Hmm, the ID is woefully short.
<Steven__> "A valid CID ranges from 0 to 65535 on GSM and CDMA networks and from 0 to 268435455 on UMTS and LTE networks."
<Steven__> So this would not be useful, since it clearly is not a secured part of the crypto.
<Steven__> This data could be used to supplement GPS in navigation though.
<bencoh> it is used by some to try and provide localisation :)
<bencoh> (there are a few projects around)
<bencoh> s/localisation/geolocation/ (damn french)
<bencoh> yeah for instance
<Steven__> See Detection and counter measures.
<Steven__> However, that is taking a blacklist approach. I suspect that a whitelist approach might be doable, since there are a limited number of legit base stations.
<Steven__> They could probably all be stored on your phone.
<Steven__> (not on internal storage, but on say... an SD-card)
<mvaenskae> Steven__: whitelists are a bad approach, how can you trust that whitelist?
<Steven__> By making it open and transparent. Since you don't have the ability to get very good security due to not being able to control the modem and network, the level of security that should be considered I think is going from "a thin layer of obscurity" to "doing this attack requires some actual planning and work for each major attempt".
<mvaenskae> ah, so we assume the whitelisted towers to be ok
<Steven__> Like the difference between self-signed HTTPS and certificate authorities. The CA system is really insecure, but it is better than just blindly trusting anyone you connect to.
<mvaenskae> the ca system is about as secure as TP on a toilet seat
<mvaenskae> TP == toilet paper
<Steven__> Lol. That is better than sitting where someone else's ass has been though.
<bencoh> :]
<bencoh> I've gotta say the comparison is pretty accurate
<Steven__> The CA system does prevent HTTPS attacks from being trivial.
<Steven__> And that is really really important.
<Steven__> Going from "trivial" to "a minor expense per attack" allows you to go from "you are getting attacked in dragnet surveillance" to "you are getting attacked because someone thinks that YOU are interesting".
<mvaenskae> Steven__: that is indeed true, increases the overhead to slightly annoying
<mvaenskae> and people are lazy
lexik has joined #neo900
<DocScrutinizer05> imsi catchers per design of GSM network cannot take over a BTS identity, so you always identify IMSI catchers by their "unusual" Cell-ID
<Steven__> It isn't about laziness. If you budget $20,000 for a surveillance project, and the cost per person surveilled drops to zero, the number of people you can surveil asymptotes.
<DocScrutinizer05> however there's no reason to trust a legit BTS any more than an IMSI-catcher or whatever else "spoofed" BTS
phre4k has joined #neo900
<Steven__> DocScrutinizer05: The reasoning I gave above is that doing this would prevent trivial attacks, like going from self-signed HTTPS to CA authentication. Preventing trivial attacks would go a long way towards preventing dragnet surveillance.
<DocScrutinizer05> since about *every* official and not so official authority worldwide logs in to any arbitrary BTS worldwide, thanks to a standardized interception interface invented by ... the Germans
<DocScrutinizer05> absolutely not. dragnet attacks are exactly what's NOT done by IMSI catchers
<Steven__> I am not suggesting that this would be a trustworthy authentication method. It is all about increasing the costs of the attack (like all security).
<DocScrutinizer05> IMSI catchers basically only are used anymore by "the losers"
<Steven__> DocScrutinizer05: They are used a lot by police in the US.
<DocScrutinizer05> I.E. by those so far down the food chain that they are not even allowed to use the interception interface
<DocScrutinizer05> those dudes are using IMSI catchers to survey a particular subhect
<Steven__> Yes. And wouldn't it be nice if you didn't have to worry as much about any fool tracking you.
<DocScrutinizer05> subject even
<DocScrutinizer05> forget about that
<Steven__> Why?
<DocScrutinizer05> as long as you carry any transmitter, you better assume you're *being* tracked
<Steven__> Yes, but it would be beneficial to shorten the list of people who are doing so.
<DocScrutinizer05> well, for that there are the means as mentioned by others before up here
<DocScrutinizer05> check the BTS Cell-ID against a database of "legit" CIDs for your region
<Steven__> Which means? You mean the means that I proposed?
<Steven__> Exactly what I am suggesting.
<DocScrutinizer05> it's not you who invented that
<Steven__> I came up with the idea myself. I am not proposing that it is original.
<mvaenskae> DocScrutinizer05: in switzerland the police are requesting more and more imsi catchers
<varu|zZz> could you not spoof the CID regardless if you're running a catcher?
<mvaenskae> and use of those
<DocScrutinizer05> mvaenskae: poor sods
<varu|zZz> you could code the phone up to detect if dupes exist and temporarily blacklist both. better to drop signal than to have ambiguity
<DocScrutinizer05> varu|zZz: nope, since it would collide with the existing legit BTS
<DocScrutinizer05> and thus rather would take down the whole cell than catch any IMSI
<Steven__> DocScrutinizer05: Is there a cryptographic identifier for the base stations that you know of? Sort of like what the SIM has.
<varu|zZz> hmm, then it's a partially solved problem, assuming your list of legit CIDs is accurate and not seeded with 'reserved' provisions for nefarious purposes
<mvaenskae> as long as the neo900 has a modem which can be truly shut off i think we can in the worst case just tell it to shut off if we don't want to get tracked ;)
<Steven__> Is the modem on the Neo900 told which towers to connect to, or does it just switch around automatically?
b1101 has quit [Quit: b1101]
<DocScrutinizer05> the modem has no way to officially accept a list of BTS it's allowed to associate to
<mvaenskae> Steven__: i would think automatic, it's a black box supposed to run automagically
<DocScrutinizer05> it will pick the BTS owned by your carrier with best signal
<mvaenskae> DocScrutinizer05: i think he wants to know if one can tell the modem "hey buddy, connect to another tower, this one stinks!"
<Steven__> Or something to that effect.
<DocScrutinizer05> there is no way to do this
<DocScrutinizer05> no official way
<Steven__> Damn.
<DocScrutinizer05> *maybe* we can convince cinterion to disclose the engineering mode to us
<Steven__> But you can get a list of towers in the area, right?
<varu|zZz> there's no way to talk to the modem & get it to match to a phone-carried list of CIDs?
<Steven__> I mean, these guys logging the IDs are getting it somehow.
<Steven__> At the worst you could keep asking it about what towers are in the area, and if it looks fake you could shut down the modem and ask the user what to do.
<varu|zZz> ahh, so there is, but 'hidden' in the modem firmware.. nasty
<DocScrutinizer05> the CID of serving cell and list of neighbour cells is officially available on AT interface of the modem
<mvaenskae> DocScrutinizer05: that would be nice, but i think that would require you to settle maybe on one or two modems
<DocScrutinizer05> mvaenskae: we're settling on one series of modems: P*S8
<Steven__> Okay. So the thin layer of toilet-paper might look like: get CID, get CID, get CID, get CID (bad one!), disconnect!
<DocScrutinizer05> Nokia and Siemens in ancient phones had engineering mode monitor
<DocScrutinizer05> which allowed stuff like pinning modem onto one particular cell-ID
<bencoh> Steven__: see pnatd and/or cellnet-info for n900/maemo btw
<mvaenskae> DocScrutinizer05: well, that would be very nice to have at least :)
<bencoh> (yeah, a bit offtopic)
<varu|zZz> Steven__: i would be ok with this, as an alternative to direct CID selectivity
<varu|zZz> of course ultimately it'd be nice to get the latter
<Steven__> If this is the extent of the whitelisting, then it would probably not require any changes to the Neo900, just a daemon for your distro.
<Steven__> Of course it would be nice if you could do a bit better.
<DocScrutinizer05> those daemons already exist for android phones, and you can bet on them getting available for Neo900 as well
<DocScrutinizer05> but again, our approach is not like this. We think you rather should act absolutely normal when detecting an IMSI catcher or whatever, maybe call your mother and ask if she feels well
<DocScrutinizer05> deregistering from network when you detect an IMSI catcher will expose you as a very suspicious subject
<varu|zZz> at the very least, then, turning off data
<DocScrutinizer05> that's sth you can do, yeah
<kerio> why?
<Steven__> Is it possible to disconnect before you do the handshake with the catcher, but after you know what its ID is?
<kerio> data is the least threatening thing, in your condition
<kerio> i mean, you ARE using strong encryption, right
<kerio> RIGHT
<DocScrutinizer05> yeah, the ubiquitous question: WHY?
<varu|zZz> sure, but your stack's still exposed
<kerio> my what
<Steven__> There will always be a certain proportion of users that disconnect at random times (shutting phone down), so disconnecting is not suspicious.
<DocScrutinizer05> Steven__: you'll see the IMSI catcher in list of neighbour cells before the signal is strong enough to catch you
mvaenskae has quit [Ping timeout: 265 seconds]
<kerio> i really don't understand what's so bad about IMSI catchers
<varu|zZz> ip stack, you're still processing packets, regardless of how you're filtering them. connecting to a catcher opens you up to vulns from that angle if you don't kill off data
<kerio> they save you battery!
<bencoh> haha
<Steven__> DocScrutinizer05: So the cell system would see an ordinary disconnect, and the catcher would not see you at all.
<DocScrutinizer05> varu|zZz: so better wrap all electronics into 5mm lead sheets
<freemangordon> varu|zZz: wait, you say that exposing the IP stack to the outside world makes you vulnerable?
<DocScrutinizer05> Steven__: correct
<DocScrutinizer05> freemangordon: indeed, he dies
<DocScrutinizer05> does*
<DocScrutinizer05> sorry
<Steven__> DocScrutinizer05: I don't think there would be anything suspicious about disconnecting like that then.
<kerio> or maybe you could just use encryption and love the bomb
<DocScrutinizer05> Steven__: not if you do it once, no
<varu|zZz> it does, but of course very implementation-dependent + haven't taken calipers to the thickness of my tinfoil hat yet :)
<Steven__> DocScrutinizer05: If you pop up a warning to the user, they can decide on whether to have their modem on or off.
<DocScrutinizer05> sure
<Steven__> DocScrutinizer05: That's all software though, not Neo900 stuff.
<DocScrutinizer05> yes
<DocScrutinizer05> I'm interested in engineering mode / netmonitor for other reasons though: I want to know about stuff like T3212 timer etc
<freemangordon> sorry, got a phone call. anyway, vulnerabilities in IP stack (or any other piece of SW in that regard) are no different no matteh what kind of connectivity you have, correct?
<freemangordon> *matter
<varu|zZz> yes, but attack angle is different
<DocScrutinizer05> no
<freemangordon> why different? what is the difference if you are connected to wifi vs gprs?
<freemangordon> in regard to the IP stack I mean
<varu|zZz> i'd say how easily you're identified
SylvieLorxu has joined #neo900
<freemangordon> hmm, could you elaborate?
<freemangordon> why gprs makes your identification (whatever that means) easier?
<DocScrutinizer05> except that quite a large part of IP stack actually runs inside modem, the situation is the same. The fact that it runs on modem is rather in your favor regarding attack vectors
<freemangordon> compared to wifi
<varu|zZz> being located on the net with provider dhcp (especially since most are NAT in my experience) and attacked that way is much more difficult than intercepting/injecting directly into your stack via a catcher
<DocScrutinizer05> *cough*
<freemangordon> well, it is a bit different here, where my IP is a kind of static :P
<freemangordon> but yeah, it might be different on other locations
<DocScrutinizer05> doesn't change anything
<kerio> they don't need an IMSI catcher to send you packets
<varu|zZz> via an imsi catcher, assuming your imei is targeted, the somewhat difficult (depending on scenario) task of *finding* you has been found. beyond that point you want to minimize attack surfaces
<kerio> in fact, such an attack would probably be done more simply by a dude on a computer in some office
<varu|zZz> of course they don't.. if they already have provider access it's game over anyway though :)
<freemangordon> kerio: actually I am not sure you can reach gprs modem via its IP address as seen over the inet
_whitelogger___ has joined #neo900
<DocScrutinizer05> bbl
<Steven__> Cya, thanks for answering some questions.
<kerio> given endless free time, no irc channel is safe from trolling
<varu|zZz> freemangordon: correct. on the feasibility list it's pretty low, your stack should be close to bulletproof anyway if you're running a neo900. it's under your control software-side anyway, if it's a feasible angle you're either dealing with government or your stack is really crap, aka miracle you haven't been rooted already
XDS2010 has joined #neo900
<varu|zZz> i'm just throwing possibilities out there, not so much a cause for concern. *i'd* code it up to kill off data if it found an imsi catcher, and that's what prompted this
<freemangordon> yep. and you you deal with the gov, you're already screwed, as they can order your MNO to track you ;)
<freemangordon> *if you
<kerio> if you deal with the gov, strong encryption
<kerio> so they're forced to come with the guns at you
<kerio> ...wait
<Steven__> Surveillance organizations don't have unlimited resources. They just have very very large amounts of resources. That is why security is still beneficial against them.
<varu|zZz> crypto won't help you in this scenario :P
<varu|zZz> but i think, if it's gotten that far, it's the least of your worries lol
<freemangordon> kerio: the point is not data security, but your position and identity, iiuc
silviof has quit [Ping timeout: 250 seconds]
<Steven__> If you allocate a budget to a project to surveil people, and the cost per-person is moderate (or even low) then you need to target specific people to some degree. If the cost is zero or near zero, you can target almost everyone.
silviof has joined #neo900
<Steven__> Think of the plot of the function 1/x.
<Steven__> Budget/targets.
<kerio> calculus up in dis bitch
<Steven__> Rather: budget/(target*costpertarget)
<freemangordon> Steven__: sure, got that. But the protection should assess the probability of an attack and take countermeasures against the most probable ones, not those that could happen once in a lifetime, agree?
<varu|zZz> ^ + awareness of possibilities, & awareness of environment
<freemangordon> Steven__: on another matter - did you read my post on #maemo regarding nokia PA modules?
<varu|zZz> if there's an imsi catcher around and i have the possibility to know, i should be notified and have a choice to take whatever actions i want
<varu|zZz> just an example
<Steven__> freemangordon: Well for this point yes. In general no, because probability depends on the system and entity and question. If we are talking about large-scale attacks/surveillance, then everyone has to worry about it at once.
<Steven__> Because it is not once in a lifetime, it is happening right now to you.
<freemangordon> sure, no doubt about it
<freemangordon> gov can have my location if they want
<freemangordon> but we can do zero about it, give how GSM networks operate
<freemangordon> *given
<freemangordon> the moment I turn my modem and wifi off, they can no longer track me by using this method.
<Steven__> Consider this: however benign these projects seem now, the data that they gather is not going to go away. What will happen in the next few decades? Can you be certain that the political situation in your country will not change radically? It could become very dangerous to express interest or affiliation with certain things, things that seem random or unrelated now. That data can be pulled out of the datacenter and used to target yo
<Steven__> That sort of threat is both unpredictable and absolutely preventable, by ensuring proper security in the first place, even if you don't actually know the exact value of the data that you are securing.
<Steven__> Protect all data if it is within your means to do so.
<Steven__> (i.e. the cost is not high)
<freemangordon> hmm, did I leave the impression that I underestimate the thread? :)
<freemangordon> *threat
<DocScrutinizer05> wouldn't it be simpler and more efficient to point to one or two of the 1500 very fine whitepapers and talks held to the topic, instead of discussing the basics again here?
<Steven__> Well, I was mainly talking to Doc, and just came in to freeman's conversation at the end.
<freemangordon> DocScrutinizer05: is that OT here?
Pali has joined #neo900
<DocScrutinizer05> no, but kinda boring old
<Steven__> DocScrutinizer05: Yes, but that assumes you have a defined threat model.
<DocScrutinizer05> says who?
<Steven__> Which was part of what I was trying to determine.
<Steven__> i.e. would defending against a certain attack be within the Neo900's threat model, which we concluded "no, as long as we have standard access to the modem (it is the software's job)"
<DocScrutinizer05> for our "threat model" please refer to Sebastian's ( dos1's ) very fine talk he held a year ago
<freemangordon> wasn't it 1 month ago?
<Steven__> Okay, thank you. I will take a look at that.
<freemangordon> the recent one
<DocScrutinizer05> that was another similar talk
<DocScrutinizer05> but has the same fine info
<DocScrutinizer05> regarding that topic
<Steven__> I have to go for a bit. Thanks for the discussion guys.
<DocScrutinizer05> the very simple general statement being: there are no threats in hardware, we take care about that. It's up to the user to take care about whatever software they install
<DocScrutinizer05> (well, no threats that could get avoided since they are not system immanent)
<DocScrutinizer05> as already mentioned, when you operate a transmitter, you are inevitably disclosing your position
<DocScrutinizer05> so for example blocking the GPS is snake oil
<DocScrutinizer05> separating GPS from activated GPS: snake oil
<DocScrutinizer05> those are "threats" we don't even bother to mitigate, since they are not real
<DocScrutinizer05> as said above: Neo900 is not for the tinfoil crew, it's for those who have a thorough understanding of the *real* threats and want a device that knows how to deal with them
<kerio> activated gps?
<DocScrutinizer05> sorry
<kerio> oh assisted?
<DocScrutinizer05> separating GPS from activated GSM: snake oil
<kerio> oh ok
<DocScrutinizer05> for the GPS/GSM "threat": shutting down GPS while using GSM is like wearing a muffler on your ass so nobody can locate you from the sound of your farts, while you're shouting aloud so the guy a 500m away can understand you
<kerio> yeah but the muffler costs battery :<
<kerio> or farting, rather
<DocScrutinizer05> that's up to the user
<DocScrutinizer05> when you need to fart, you fart ;-D
<kerio> not if they force you to fart
<DocScrutinizer05> nobody ever did, afaik
<DocScrutinizer05> who would want to do that?
<DocScrutinizer05> and again: WHY?
<kerio> i dunno, to better track you through the usage of wallchargers
<DocScrutinizer05> yeah, or by bloodhounds
<kerio> DocScrutinizer05: question: if simple wcdma idling is as accurate as gps, why can't the providers let you use that as gps?
<DocScrutinizer05> "sorry sir we lost the track. He must have stopped farting"
<kerio> it's effectively "free" on the battery
arcean has joined #neo900
<varu|zZz> ^ i think it depends on number of cells that can reach you
<DocScrutinizer05> kerio: for all I know they do
<varu|zZz> much worse accuracy than gps afaik, couldn't use your phone as a car gps for example
<varu|zZz> 20m vs 2-3m
<DocScrutinizer05> I think it's down to the 1m accuracy
<varu|zZz> wow
<DocScrutinizer05> note that you can run LMUs that are completely passive and thus don't need to be known to *anybody*
<DocScrutinizer05> particularly they don't need to be integrated into the carrier's BTS
<kerio> you still need data from the BTS right?
<DocScrutinizer05> and I know such LMU networks are already established by TLAs worldwide, for a lot of different signals. They can locate a lot of stuff with those, not only cellphones
<DocScrutinizer05> kerio: nope
illwieckz has joined #neo900
<DocScrutinizer05> a popular public U-TDOA network locating natural sources of radiation (which are unsuspicious of cooperating with any particular carrier or adhere to any particular standard or protocol): http://www.blitzortung.org/Webpages/index.php?lang=de&subpage_0=16
<varu|zZz> ^ found this fascinating when i came across it
<DocScrutinizer05> you even can do exactly same with audio. They sort of did for the Kennedy assassination, to locate the positions of weapons fired
<DocScrutinizer05> and they did and do all the time, for submarines, whales etc
<DocScrutinizer05> and TLAs do for all sorts of radio emissions worldwide
<DocScrutinizer05> all the time
<varu|zZz> of course, my curiosity was more over 'how accurate'
<DocScrutinizer05> they just need to know what to look for
<DocScrutinizer05> and don't be mistaken, they have records so they can get to know what to look for in 2 years and still look it up
<DocScrutinizer05> ((for all I know they do)) not on 2G, but quite obviously on 3G, at least in some networks
<DocScrutinizer05> I couldn't think of any other means how my N900 "GPS" gets a cold TTFF of less than 5s
<DocScrutinizer05> *indoors* (though admittedly close to the window)
<DocScrutinizer05> \o/
<Steven__> IIRC, in the US at least cell providers are *required* to forward location information within a certain number of minutes of placing a call to emergency services. I suspect most modems offer that through a built-in GPS, so turning it off would probably require modifying the firmware and thus creating an unlicensed (and illegal) device.
<Steven__> So even if you ensure you cannot be tracked through other means, as long as it is going through the provider they can get your location.
<DocScrutinizer05> Steven__: no, please read http://en.wikipedia.org/wiki/U-TDOA
<DocScrutinizer05> GPS not involved in this at all
<Steven__> Ah, okay.
<DocScrutinizer05> and yes, they use U-TDOA for exactly those 911 services
<Steven__> But my point was that to prevent tracking from working would be creating an illegal device (I am just a noob and what I say is too dumbed down).
<DocScrutinizer05> and your point is incorrect
<Steven__> Is it?
<DocScrutinizer05> even the assumption it's based on
<Steven__> About it being illegal?
<DocScrutinizer05> you cannot prevent tracking, no matter what you do to the device
<DocScrutinizer05> please read http://en.wikipedia.org/wiki/U-TDOA
<Steven__> I did.
* DocScrutinizer05 waits for kerio giving the jack-in-the-box, shouting "but, but, I can shut down my device!"
<Steven__> I disagree with the statement that you could prevent tracking, though it would require quite a bit of engineering radio technology to be able to do so. At this point probably only appropriate for laboratory experiments.
<kerio> joke's on you, i'm going to hide in a faraday cage
<DocScrutinizer05> Steven__: what in >>Because U-TDOA is a network-based location technology, it does not require the mobile phone to have any special chip, hardware, or software in it. As a result, it can locate any type of mobile phone.<< is unclear?
<Steven__> It is clear. It is also true in all typical cases. You *could* deploy countermeasures, but as I said the technology is unavailable and is only suitable for laboratory experiments.
<DocScrutinizer05> there is exactly one way you *theoretically* could avoid/spoil U-TDOA: extremely directional antenna
<Steven__> Yes, exactly. In a laboratory.
<DocScrutinizer05> no other sekrit sauce available, not even on lab level
<Steven__> Yes. I agree
<DocScrutinizer05> and even on lab level antennas that are so extremely directional are virtually impossible to build
<Steven__> It might be possible to do it with an array of antennae, but I don't know much about the design considerations for miniaturized arrays.
<Steven__> I do remember reading that you can adjust the phase to make it directional for arbitrary directions.
illwieckz has quit [Quit: Ça va couper chérie…]
<DocScrutinizer05> you also need to make sure there's absolutely zilch near-field reflection and dispersion of your RF beam, which is almost impossible unless you're in outer space
<Steven__> It depends on how much you want to fool the tracking. Even a little bit of directionality would probably add some error.
<DocScrutinizer05> no, it doesn't
illwieckz has joined #neo900
<Steven__> i.e. two antennae with spoofed latency and different directionalities.
<Steven__> Well, the point is moot because neither of us (I presume) are in advanced radio laboratories.
<DocScrutinizer05> you need to suppress off-direction transmission to a level well below detectability, to get *any* cloak for your location
<Steven__> That depends on the detection hardware.
<DocScrutinizer05> well, yes, two or rather three antennas with delay lines could actually do the trick, given you know which are the positions of the LMUs monitoring you
<Steven__> It's possible that it is both sensitive/accurate and dumb at the same time, and will simply accept the strongest part of the signal as the "accurate" one.
<DocScrutinizer05> but only as long as your "enemy" doesn't suspect such trick and implements counter measures which would be pretty easy to implement in software already
<Steven__> Creating a lovely tech arms race which I'm sure the people providing the tracking hardware would love... their customers would have to keep buying new tracking hardware. Lol.
<DocScrutinizer05> and then there's the environmental fingerprint of every single point a transmitter pretends to be at, consisting of echoes on landmarks etc
<Steven__> That is true. It would require much more processing though.
<DocScrutinizer05> anyway the whole scenario fails with the fact that you don't know the location of the LMUs
<Steven__> The only way I could see of having a "good" solution to the problem is to have some kind of solution like Tor uses, where the geolocated tower doesn't actually get any information on you, but through collaboration of many computers (hosted by volunteers in different jurisdictions) it is able to discover that you are authenticated (somehow).
<DocScrutinizer05> and you cannot create a holistic fake field
<Steven__> But of course, that would require actually reengineering the entire cell network.
<DocScrutinizer05> wpwrak: blogged it :-) Thanks a ton!
<wpwrak> no problem. now let's see what bugs people fish out of it ;-)
<DocScrutinizer05> hah!
<DocScrutinizer05> I just wonder where I add my cheeses about "NFC sessions are usually of limited duration. Usually sub-second"
<DocScrutinizer05> to take some constraints from our design requirements
<DocScrutinizer05> wpwrak: since you didn't promise a 1000 bucks to the first one to spot a bug in that paper, it would be an extreme honor when somebody actually found any. Would mean the paper is soooo good that the experts felt they can't help but reading it
<wpwrak> hehe ;)
<DocScrutinizer05> not saying it isn't :-)
<Steven__> I am tempted to say that I spotted "a bug" in 8.7p3, but it is a dumb joke. Please forgive me. =P
<DocScrutinizer05> nah, we already ironed that out: we will flash an immutable bootloader
<DocScrutinizer05> and fuse it
<DocScrutinizer05> users have no way (other than using some testpoints for SWD) to ever tamper with it
<Steven__> No, no, it was a stupid joke, not an actual bug.
* DocScrutinizer05 frowns at "Platinum 32GB uSD >quality tested in Germany<"
<DocScrutinizer05> what been the tool to read out the controller's ID and stuff?
che1 has quit [Ping timeout: 245 seconds]
* DocScrutinizer05 suffers the blister pack headache
<DocScrutinizer05> seems you're supposed to use a razorblade to open that crap
<ShadowJK> DocScrutinizer05; I bet the QC went as far as putting it in a sd reader and checking it said 32GB
<DocScrutinizer05> I wish I could get ^H peel it out of that blister pack to do at least the same
<wpwrak> the quality was tested in germany, the card itself was tested in china ;-)
<ShadowJK> Quality tested! good ones given back to sandisk, broken ones sold to kingston, crap ones sold as Platinum
<DocScrutinizer05> hmmm http://privatepaste.com/ca8131db6f
<DocScrutinizer05> dd?
<DocScrutinizer05> if=/dev/urandom bs=100M count=310
<wpwrak> hdparm -I may tell a few things about it (if the driver bothers to bubble the information though the SCSI layer)
<DocScrutinizer05> ta!
<wpwrak> thRough
che1 has joined #neo900
<DocScrutinizer05> 609889 GB LOL
<wpwrak> phat
<DocScrutinizer05> no wonder we don't know the fontset and chars of that universe that critter came from
<wpwrak> tried vulcan-traditional ?
<DocScrutinizer05> not yet
<DocScrutinizer05> Spock refused to install the extension to my PC
<DocScrutinizer05> anyway, duck and cover, here comes dd
<DocScrutinizer05> fuuuuuuu.... urandom eats one core
<DocScrutinizer05> could somebody eventually remind me to map SIGUSR1 to a key in shell?
<kerio> why are you writing urandom
<DocScrutinizer05> I suspect optimizations when writing 0x00
* DocScrutinizer05 waits of overheating of uSD
<DocScrutinizer05> for*
<DocScrutinizer05> btw urandom meanwhile takes an outtime, every now and then, while waitio is busy on 3 or 4 cores
<DocScrutinizer05> rather 2 cores, on average
<kerio> yeah but you should write some huge chunk of urandom on a "safe" storage
<kerio> and then write it
<kerio> to check for "looping" storage
<DocScrutinizer05> I know
<DocScrutinizer05> I should do something useful
<DocScrutinizer05> just killed dd, by accident
<wpwrak> joerg, the accidental double dragon slayer !
_whitelogger has joined #neo900
<DocScrutinizer05> ooooh
<DocScrutinizer05> what about a >> for ((n=1; n<32; n++)); do echo "$n-------------------" >/mnt/uSD/$n; dd if=/mnt/uSD/$n of=/mnt/uSD/$n bs=1M count=2000; done << ?
<DocScrutinizer05> dang, needs infile size of >= blocksize
<DocScrutinizer05> "class6"
<DocScrutinizer05> ShadowJK: further suggestions?
<DocScrutinizer05> (current test still running, will take a few more minutes)
SylvieLorxu has quit [Quit: ZNC - http://znc.in]
<DocScrutinizer05> sidenote: cpu @ 50%
<DocScrutinizer05> which is... pathetic
<ShadowJK> bs=100 will never give anything sensible
<DocScrutinizer05> well, it will concatenate in buffer, no?
<ShadowJK> Do you want to measure the speed and size of the buffer? :-)
<DocScrutinizer05> I guess it's fast enough
<DocScrutinizer05> for a class6
<DocScrutinizer05> the 50% CPU are 99% waitio
<DocScrutinizer05> is there a binary too?
<DocScrutinizer05> iotop?
<ShadowJK> binary seems to exist in debian repos atleast
<ShadowJK> iotop is something different
<DocScrutinizer05> sure sth diff
<DocScrutinizer05> anyway http://privatepaste.com/5fe313c47b
<bencoh> is that on a desktop ?
<DocScrutinizer05> sure
<DocScrutinizer05> i5
<bencoh> why are you torturing it with bs=100 ?
<DocScrutinizer05> cause I was lazy typing more than a 100chars for seed
<bencoh> (why dont you test your storage with oflag=direct btw ? :)
<DocScrutinizer05> because I want to append file to itself
<bencoh> hmm
<DocScrutinizer05> hmm, estimated 50°C
<DocScrutinizer05> stable, I'd guess
<DocScrutinizer05> and for >> a oflag=direct wouldn't make much sense anyway, right?
<DocScrutinizer05> anyway, writing file 7
<bencoh> DocScrutinizer05: hmm yeah oflag on stdout is meaningless :)
<bencoh> hmm actually I dunno when it sets the O_DIRECT
<DocScrutinizer05> anyway that critter cost me 19 bucks, incl USB reader dongle (cheesy miniature one, incredible. wonder if there's anything except plastic in it). I hope when I spend as much for my dinner now, this will give me as much fun ;-)
<DocScrutinizer05> bbl
<bencoh> reminds me I lost mine (usb reader dongle)
<DocScrutinizer05> ShadowJK: no flashbench on suse repos
<DocScrutinizer05> :-/
<DocScrutinizer05> not even packman
<kerio> i need a sd-usd adapter
<kerio> i lost the last one i had :s
* DocScrutinizer05 throws a handful at kerio
<kerio> throw harder
<kerio> they didn't reach over here
<DocScrutinizer05> I see a pattern http://privatepaste.com/5e59554e10
<DocScrutinizer05> Filesystem Size Used Avail Use% Mounted on
<DocScrutinizer05> /dev/sde1 30G 23G 6.1G 80% /var/run/media/jr/6DBE-40D9
* DocScrutinizer05 <--- fool; tries to write 32 2GB files onto a 30GB uSD
<Oksana> ((get CID, get CID, get CID, get CID (bad one!), disconnect!)) Is it possible that "bad one!" supports only one mode, but not the other (like, 2G vs 3G), and you can force the modem to connect to a different tower by forcing modem to work in a mode not supported by IMSI catcher?
<DocScrutinizer05> yes, usually
<Oksana> Ok, so you could theoretically disconnect from network when "bad one!" appears in the list of neighbour cells? Nice...
<DocScrutinizer05> at least a few years ago
<DocScrutinizer05> iirc the modem provides neighbor cells for other RAT (band) as well, so it's pretty easy to implement such approach
arcean has quit [Quit: Leaving]
<DocScrutinizer05> the complete mess: http://privatepaste.com/6d725b0dc9
illwieckz has quit [Ping timeout: 244 seconds]
Oksana has quit [Read error: Connection reset by peer]
illwieckz has joined #neo900
Oksana has joined #neo900
kolp has quit [Read error: Connection reset by peer]
lexik has quit [Ping timeout: 245 seconds]
<Pali> DocScrutinizer05: What is /var/run/media/ ?
<DocScrutinizer05> the location some silly automounter mounts the card to
<Pali> ???
<Pali> and /mnt/ and /media/ is for what?
* DocScrutinizer05 glares in general direction gnome and systemd
<Pali> new systemd invention?
<DocScrutinizer05> I felt not like puking while investigating what's going on there
<DocScrutinizer05> I felt like rather not investigate and puke, that's it
<Pali> it's only 6th day of new year and I see another stupid idea...
<Pali> it is new design pattern to move everything into /var/run ?
<DocScrutinizer05> maybe even KDE
<Pali> I have 4.14.2 an automounter mounts usb disks and sd cards to /media/
<DocScrutinizer05> some devel with no clue, so much is for sure
<DocScrutinizer05> well, *I* didn't configure that crap
<Pali> it is warning to not do any KDE update?
<DocScrutinizer05> Platform Version 4.11.5
<Pali> you have older version, so this is probably not related to KDE
<DocScrutinizer05> if in doubt, blame poettering
<Pali> ~poettering
<infobot> 'sth is poettering' means it acts invasive, possessive, destructive, and generally in an egocentric exacerbating negative way. ``this cancer is extremely poettering'', or you look here for Linus' notion on what's poettering: http://lkml.iu.edu/hypermail/linux/kernel/1404.0/01331.html, or http://lkml.iu.edu/hypermail/linux/kernel/1404.0/01488.html, or see ~systemd cabal
<Pali> I need to find some free time to read autofs API, documentation and write my own automounter based on autofs...
<Pali> something which will not suck
<DocScrutinizer05> lemme check sth...
<Pali> there are only two programs which can use autofs: prehistoric linux auto mounter daemon and systemd
<DocScrutinizer05> here you are: http://privatepaste.com/c4163d6207
<Pali> both are not suitable for removable disks...
<Pali> udisks2
<Pali> I have udisks2 version 2.1.0-4ubuntu0.1~ubuntu12.04~ppa1
nox- has joined #neo900