Ottawa Law Enforcement and Reasonable Time for Mobile Phone Access

February 5, 2024

green-dino_thumb_thumb_thumbThis essay is the work of a dumb dinobaby. No smart software required.

The challenge of mobile phones is that it takes time to access the data if a password is not available to law enforcement. As more mobiles are obtained from alleged bad actors, the more time is required. The backlog can be onerous because many law enforcement agencies have a limited number of cyber investigators and a specific number of forensic software licenses or specialized machines necessary to extract data from a mobile device.

Time is not on their side. The Ottawa Citizen reports, “Police Must Return Phones After 175 Million Passcode Guesses, Judge Says.” It is not actually about the number of guesses, but about how long investigators can retain suspects’ property. After several months trying to crack the passwords on one suspect’s phone, Ottawa police asked Ontario Superior Court Justice Ian Carter to allow them to retain the device for another two years. But even that was a long shot. Writer Andrew Duffy tells us:

“Ontario Superior Court Justice Ian Carter heard that police investigators tried about 175 million passcodes in an effort to break into the phones during the past year. The problem, the judge was told, is that more than 44 nonillion potential passcodes exist for each phone. To be more precise, the judge said, there are 44,012,666,865,176,569,775,543,212,890,625 potential alpha-numeric passcodes for each phone. It means, Carter said, that even though 175 million passcodes were attempted, those efforts represented ‘an infinitesimal number’ of potential answers.”

The article describes the brute-force dictionary attacks police had used so far and defines the term leetspeak for curious readers. Though investigators recently added the password-generating tool Mentalist to their arsenal, the judge determined their chances of breaking into the phone were too slim. We learn:

“In his ruling, Carter said the court had to balance the property rights of an individual against the state’s legitimate interest in preserving evidence in an investigation. The phones, he said, have no evidentiary value unless the police succeed in finding the right passcodes. ‘While it is certainly possible that they may find the needle in the next two years, the odds are so incredibly low as to be virtually non-existent,’ the judge wrote. ‘A detention order for a further six months, two years, or even a decade will not alter the calculus in any meaningful way.’ He denied the Crown’s application to retain the phones and ordered them returned or destroyed.”

The judge suggested investigators instead formally request more data from Google, which supplied the information that led to the warrants in the first place. Good idea, but techno feudal outfits are often not set up to handle a large number of often-complex requests. The result is that law enforcement is expected to perform certain tasks while administrative procedures and business processes slam on the brakes. One would hope that information about the reality of accessing mobile devices were better understood and supported.

Cynthia Murrell, February 5, 2024

It Is Here: The AI Generation

February 2, 2024

green-dino_thumb_thumb_thumbThis essay is the work of a dumb dinobaby. No smart software required.

Yes, another digital generation has arrived. The last two or three have been stunning, particularly when compared to my childhood in central Illinois. We played hide and seek; now the youthful create fake Taylor Swift videos. Ah, progress.

I read “Qustodio Releases 5th Annual Report Studying Children’s Digital Habits, Born Connected: The Rise of the AI Generation.” I have zero clue if the data are actual factual. With the recent information about factual creativity at the Harvard medical brain trust, nothing will surprise me. Nevertheless, let me highlight several factoids and then, of course, offer some unwanted Beyond Search comments. Hey, it is a free blog, and I have some friskiness in my dinobaby step.

image

Memories. Thanks, MSFT Copilot Bing thing. Not even close to what I specified.

The sample involved “400,000 families and schools.” I don’t remember too much about my Statistics 101 course 60 years ago, but the sample size seems — interesting. Here’s what Qustodio found:

YouTube is number one for streaming, kiddies spent 60 percent more time on TikTok

How much time goes to couch potato-ing? Here’s the answer:

TikTok continued to captivate with children spending a global average of 112 minutes daily on the app – up from 107 in 2022. UK kids were particularly fond of the bottomless scroll as they racked up 127 mins/day.

Why read, play outdoors, or fiddle with a chemistry set? Just kick back and check out ASMR, being thin, and dance move videos. Sounds tasty, doesn’t it?

And what is the most popular kiddie app? Here’s the answer:

Snapchat.

If you want to buy the full report, click this link.

Several observations:

  1. The smart software angle may be in the full report, but the summary skirts the issue, recycling the same grim numbers: More video, less of other activities like being a child
  2. Will this “generation” of people be able to differentiate reality from fake anything? My hunch is that the belief that these young folks have super tuned baloney radar may be — baloney.
  3. A sample of 400,000? Yeah.

Net net: I am glad to be an old dinobaby. Really, really happy.

Stephen E Arnold, February 2, 2024

Apple, Now Number One, But Maybe Not in Mobile Security?

January 26, 2024

green-dino_thumb_thumb_thumbThis essay is the work of a dumb dinobaby. No smart software required.

MIT Professor Stuart E. Madnick allegedly discovered that iPhone data breaches tripled between 2013-2022. Venture Beat explains more in the article “Why Attackers Love To Target Misconfigured Clouds And Phones.”

Hackers use every method to benefit from misconfiguration, but ransomware is their favorite technique. Madnick discovered a near 50% increase in ransomware attacks in organizations in the first six months of 2023 compared to 2022. After finding the breach, hackers then attack organizations’ mobile phone fleets. They freeze all communications until the ransom is paid.

Bad actors want to find the easiest ways into clouds. Unfortunately organizations are unaware that attacks happen when they don’t monitor their networks:

Merritt Baer, Field CISO at Lacework, says that bad actors look first for an easy front door to access misconfigured clouds, the identities and access to entire fleets of mobile devices. “Novel exploits (zero-days) or even new uses of existing exploits are expensive to research and discover. Why burn an expensive zero-day when you don’t need to? Most bad actors can find a way in through the “front door”– that is, using legitimate credentials (in unauthorized ways).”

Baer added, ‘This avenue works because most permissions are overprovisioned (they aren’t pruned down/least privileged as much as they could be), and because with legitimate credentials, it’s hard to tell which calls are authorized/ done by a real user versus malicious/ done by a bad actor.’”

Almost 99% of cloud security breaches are due to incorrectly set manual controls. Also nearly 50% of organizations unintentionally exposed storage, APIs, network scents, and applications. These breaches cost an average of $4 million to solve.

Organizations need to rely on more than encryption to protect their infrastructures. Most attacks occur because bad actors use authenticate credentials. Unified endpoint management, passwordless multi-factor authentication, and mobile device management housed on a single platform is the best defense.

How about these possibly true revelations about Apple?

Whitney Grace, January 26, 2024

The NSO Group Back in the News: Is That a Good Thing?

January 24, 2024

green-dino_thumb_thumb_thumbThis essay is the work of a dumb dinobaby. No smart software required.

Some outfits struggle to get PR, not the NSO Group. The situation is no “dream.” I spotted this write up in 9 to 5 Mac: “Apple Wins Early Battle against NSO after Suing Spyware Mercenaries for Attacking iPhone Users.” For me, the main point of the article is:

Judge Donato ruled that NSO Group’s request for dismissal in the US in favor of a trial in Israel didn’t meet the bar. Instead, Judge Donato suggested that Apple would face the same challenges in Israel that NSO faces in the US.

image

A senior manager who is an attorney skilled in government processes looks at the desk in his new office. Wow, that looks untidy. Thanks, MSFT Copilot Bing thing. How’s that email security issue coming along? Ah, good enough, you say?

I think this means that the legal spat will be fought in the US of A. Here’s the sentence quoted by 9 to 5 Mac which allegedly appeared in a court document:

NSO has not demonstrated otherwise. NSO also overlooks the fact that the challenges will be amenable to a number of mitigating practices.

The write up includes this passage:

An Apple spokesperson tells 9to5Mac that the company will continue to protect users against 21st century mercenaries like the NSO Group. Litigation against the Pegasus spyware maker is part of a larger effort to protect users…

From my point of view, the techno feudal outfit has surfed on the PR magnetism of the NSO Group. Furthermore, the management team at NSO Group faces what seems to be a bit of a legal hassle. Some may believe that the often ineffective Israeli cyber security technology which failed to signal, thwart, or disrupt the October 2023 dust up requires more intense scrutiny. NSO Group, therefore, is in the spotlight.

More interesting from my vantage point is the question, “How can NSO Group’s lawyering-savvy senior management not demonstrate its case in such a way to, in effect, kill some of the PR magnetism. Take it from me. This is not a “dream” assignment for NSO Group’s legal eagles. I would also be remiss if I did not mention that Apple has quite a bit of spare cash with which to feather the nest of legal eagles. Apple wants to be perceived as the user’s privacy advocate and BFF. When it comes to spending money and rounding up those who love their Apple devices, the estimable Cupertino outfit may be a bit of a challenge, even to attorneys with NSA and DHS experience.

As someone said about publicity, any publicity is good publicity. I am not sure the categorical affirmative is shared by everyone involved with NSO Group. And where is Hulio? He’s down by the school yard. He doesn’t know where he’s going, but Hulio is going the other way. (A tip of the hat to Paul Simon and his 1972 hit.)

Stephen E Arnold, January 24, 2024

An Astounding Finding! Who Knew This about Mobile Phone Usage by Kids?

January 22, 2024

green-dino_thumb_thumb_thumbThis essay is the work of a dumb dinobaby. No smart software required.

Let me answer the question, please. Every parent with a clue.

Why is anyone surprised that yet another round of research demonstrates that too much screen time is bad for kids? ABC News shares the not-so-resounding discovery in: “Screen Time For Kids Under 2 Linked To Sensory Differences In Toddlerhood: Study.” Kids under the age of two exhibit sensory differences when they are exposed to a lot of screen time.

JAMA Pediatrics published a study from Drexel University that analyzed 1500 surveys from parents and caregivers. The surveys asked about kids’ sensory preferences, including questions about preference or avoidance to textures, noises, and lights. The survey only focused on television and not mobile devices because the data was gathered before 2014. The survey results showed that kids who watched TV at 12 months were twice as a likely to develop “atypical sensory processing” by the time they were 3 years old. The more kids were exposed to the boob tube after 1.5 years had a 20% greater chance of having sensory processing differences.

Drexel University’s study augments previous research that found more screen time impacted how kids communicated and felt. Screen time exposure in young kids is linked to developmental delays in problem-solving, critical thinking, and other communication. Sensory processing disordered are linked to other mental aliments, such as autism spectrum disorder, attention deficit disorder, attention deficit hyperactivity disorder, and obsessive compulsive disorder. The study didn’t examine if the kids were diagnosed with these issues.

Johns Hopkins pediatrician and neonatal hospitalist Dr. Jade Cobern encourages parents and caregivers to be mindful of screen time. She notes it is impossible to avoid screens in modern society:

“Cobern also recommends tailoring approaches to the specific family and patient, and collaboratively brainstorming accessible ways to decrease non-interactive screen time and increase healthy developmental activities, such as reading, playing with objects, and socializing with other children, even if those activities might entail screens. “ ‘Everyone has to be realistic when we’re talking about how parents can support their children’s development,’ Cobern said, adding of research like the Drexel study, ‘It’s not to shame screentime exposure because the reality is we live in a world where screens are part of our daily lives.’

She continued,

‘It really is inevitable that most kids will see some screen time even early in life, but it is something I encourage families to be mindful of.’”

Why not pick up a picture book and read to the kid? Or play a game with the kid? Or take the kid outside? Or play an interactive screen game with the kid? It’s hard to find the time but other generations did it.

Whitney Grace, January 22, 2024

No Digital Map and Doomed to Wander Clueless

January 4, 2024

green-dino_thumb_thumb_thumbThis essay is the work of a dumb dinobaby. No smart software required.

I am not sure if my memory is correct. I believe that some people have found themselves in a pickle when the world’s largest online advertising outfit produces “free” maps. The idea is that cost cutting, indifferent Googlers, and high school science club management methods cause a “free” map to provide information which may not match reality. I do recall on the way to the home of the fellow responsible for WordStar (a word processing program), an online search system, and other gems from the early days of personal computers. Google Maps suggested I drive off the highway, a cliff, and into the San Francisco Bay. I did not follow the directions from the “do no evil” outfit. I drove down the road, spotted a human, and asked for directions. But some people do not follow my method.

image

No digital maps. No clue. Thanks, MSFT Copilot Bing thing.

Quairading Shire Erects Signs Telling Travelers to Ignore GPS Maps Including Google” includes a great photo of what appears to be a large sign. The sign says:

Your GPS Is Wrong. This is Not the Best Route to Perth. Turn Around and Travel via the Quairading-York Road.

That’s clear and good advice. As I recall, I learned on one of my visits to Australia that most insects, reptiles, mammals, and fish can kill. Even the red kangaroo can become a problem, which is — I assume — that some in Australia gun them down. Stay on the highway and in your car. That’s my learning from my first visit.

The write up says:

The issue has frustrated the Quairading shire for the past eight years.

Hey, the Google folks are busy. There are law suits, the Red Alert thing, and the need to find a team which is going nowhere fast like the dual Alphabet online map services, Maps and Waze.

Net net: Buy a printed book of road maps and ask for directions. The problem is that those under the age of 25 may not be able to read or do what’s called orienteering. The French Foreign Legion runs a thorough program, and it is available for those who have not committed murder, can pass a physical test, and enjoy meeting people from other countries. Oh, legionnaires do not need a mobile phone to find their way to a target or the local pizza joint.

Stephen E Arnold, January 2024

Is Your Phone Secure? Think Before Answering, Please

November 21, 2023

green-dino_thumb_thumb_thumbThis essay is the work of a dumb dinobaby. No smart software required.

I am not going to offer my observations and comments. The article, its information, and the list of companies from The Times of India’s “11 Dangerous Spywares Used Globally: Pegasus, Hermit, FinFisher and More” speaks for itself. The main point of the write up is that mobile phone security should be considered in the harsh light of digital reality. The write up provides a list of outfits and components which can be used to listen to conversations, intercept text and online activity, as well as exfiltrate geolocation data, contact lists, logfiles, and imagery. Some will say, “This type of software should be outlawed.” I have no comment.

image

Are there bugs waiting to compromise your mobile device? Yep. Thanks, MSFT Copilot. You have a knack for capturing the type of bugs with which many are familiar.

Here’s the list. I have alphabetized by the name of the malware and provided a possible entity name for the owner:

  • Candid. Maybe a Verint product? (Believed to be another product developed by former Israeli cyber warfare professionals)
  • Chrysaor. (Some believe it was created by NSO Group or NSO Group former employees)
  • Dark Tequila. (Requires access to the targeted device or for the user to perform an action. More advanced methods require no access to the device nor for the user to click)
  • FinFisher. Gamma Group  (The code is “in the wild” and the the German unit may be on vacation or working under a different name in the UK)
  • Hawkeye, Predator, or Predator Pain (Organization owning the software is not known to this dinobaby)
  • Hermit. RCS Lab (Does RCS mean “remote control service”?)
  • Pegasus. NSO Group Pegasus (now with a new president who worked at NSA and Homeland Security)
  • RATs (Remote Access Trojans) This is a general class of malware. Many variants.
  • Sofacy. APT28 (allegedly)
  • XKeyscore (allegedly developed by a US government agency)

Is the list complete? No.

Stephen E Arnold, November 21, 2023

Telegram: A Super App with Features Al Capone Might Have Liked

November 1, 2023

When I mention in my law enforcement lectures that Telegram, a frisky encrypted super app for thumb typers, is “off the radar” for some analysts, I get more than a few blank looks. Consider this: The “special conflict” or whatever some in the Land of Tolstoy call it, pivots on Telegram. And why not? It allows encrypted messages, both public and private. A safety conscious user can include an image or a video snippet and post it to the Musky service with a couple of taps. Those under attack can disseminate location data to a mailing list of Telegram contacts. The app makes it possible to pay for “stuff,” often that stuff is CSAM or information about where to pick up an order containing contraband.

11 1 soldiiers foxhole

The soldier with the mobile phone says, “Hey, this hot content video content is great on Telegram.” The other soldier says, “Jump to the Spies-R-Us service. I will give you the coordinates for the drone assault. Also, order some noodle latkes to Checkpoint Grhriba at 1800 hours.” Thanks, MidJourney. WW2 cartoonists would be proud of you.

Pivot to the Israel Hamas war. Yep, Telegram is in use. Civilians, war fighters, even those in prison with mobile devices are Telegramming away. The Russian brothers who created the original app may not have anticipated its utility in war zones.

My research team has noted that some Clear Web sites discuss slippery subjects like carding. Then the “buy now” or similar action points to a Telegram “location.” What about the Dark Web? Telegram makes it possible to do “Dark Web things” without the risk and hassle of operating a Dark Web site or service. Pretty innovative, right? And what about that Dark Web traffic? Our analysis suggests that one will find Dark Web bots, law enforcement from numerous countries, and a modest number of human bad actors who cannot or have not embraced Telegram.

Now the super app is getting some enhancements, if the information in Gadgets360 article is accurate. “Telegram Update Brings Advanced Reply Options, Link Preview Customizations, Account Colors, More.” Enhancements include:

Replying to a message from one chat to another. Will this be useful for certain extremist users doing fund raising or recruiting?

  • Customize shared links. Will this be useful to CSAM purveyors?
  • Fast forward and rewind videos in Telegram messages. Winner for some video content vendors.
  • Telegram also has a special feature. Some Telegram users pay for these services. Yep, money. Subscription money.

And the encryption thing? Reasonably good. Possibly less open than the UK Covid information allegedly from WhatsApp.

Stephen E Arnold, November 1, 2023

Those Mobile Phones Are Something, Are They Not?

May 23, 2023

Vea4_thumb_thumb_thumb_thumb_thumb_tNote: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.

Apple, Google, Samsung, and a covey of Chinese mobile phone innovators have improved modern life. Imagine. People have a phone. No sharing  one telephone in a fraternity house, a cheap flat, or at an airport, just call, text, vlog, or swipe.

Are their downsides? For a quarter century the American Psychological Association was not sure. Now an outfit called Sapien Labs provides additional information about mobile phone usage.

For me, there were several highlights in the article “Kids Who Get Smartphones Earlier Become Adults With Worse Mental Health.”

First, the idea that young people who tap, swipe, and suck down digital information are unlikely to emulate Jonathan Edwards, Mother Teresa, or the ambiguous St. Thomas of Aquinas. The article states:

the younger the age of getting the first smartphone, the worse the mental health that the young adult reports today.

Obvious to some, but a scientific study adds more credence to the parent who says no to a child’s demand for a mobile phone or tablet.

Second, women (females) are more affected by the mobile phone. The study points out six categories of impact. Please, consult the article and the full study for the academic details. Again. No big surprise, but I wouldn’t ignore the fact that in some male cohorts, suicides are increasing. Regardless of gender, mobile phones appear to nudge some into wackiness or the ultimate solution to having friends make fun of one’s sneakers.

Third, I was surprised to learn that some young people get phones when they are five years old. I have seen very young children poking at an iPad in a restaurant or playing games on the parental unit’s mobile phones in an airport. I did not know the child had a phone to call his own. Good marketing by Apple, Google, Samsung, and Chinese outfits!

The study identifies a number of implications. Again, I am okay with those identified, but the cyber crime crowd was not discussed. My own perception is that mobile devices are the catalyst for a wide range of cyber crime. Once again, the unintended consequences of a mobile device have the capacity to enable some societal modifications that may be impossible to remediate.

Again: Nice work!

Stephen E Arnold, May 23, 2023

Divorcing the Google: Legal Eagles Experience a Frisson of Anticipation

April 24, 2023

No smart software has been used to create this dinobaby’s blog post.

I have poked around looking for a version or copy of the contract Samsung signed with Google for the firms’ mobile phone tie up. Based on what I have heard at conferences and read on the Internet (of course, I believe everything I read on the Internet, don’t you?), it appears that there are several major deals.

The first is the use of and access to the mindlessly fragmented Android mobile phone software. Samsung can do some innovating, but the Google is into providing “great experiences.” Why would a mobile phone maker like Samsung allow a user to manage contacts and block mobile calls without implementing a modern day hunt for gold near Placer.

The second is the “suggestion” — mind you, the suggestion is nothing more than a gentle nudge — to keep that largely-malware-free Google Play Store front and center.

The third is the default search engine. Buy a Samsung get Google Search.

Now you know why the legal eagles a shivering when they think of litigation to redo the Google – Samsun deal. For those who think the misinformation zipping around about Microsoft Bing displacing Google Search, my thought would be to ask yourself, “Who gains by pumping out this type of disinformation?” One answer is big Chinese mobile phone manufacturers. This is Art of War stuff, and I won’t dwell on this. What about Microsoft? Maybe but I like to think happy thoughts about Microsoft. I say, “No one at Microsoft would engage in disinformation intended to make life difficult for the online advertising king. Another possibility is Silicon Valley type journalists who pick up rumors, amplify them, and then comment that Samsung is kicking the tires of Bing with ChatGPT. Suddenly a “real” news outfit emits the Samsung rumor. Exciting for the legal eagles.

The write up “Samsung Can’t Dump Google for Bing As the Default Search Engine on Its Phones” does a good job of explaining the contours of a Google – Samsung tie up.

Several observations:

First, the alleged Samsung search replacement provides a glimpse of how certain information can move from whispers at conferences to headlines.

Second, I would not bet against lawyers. With enough money, contracts can be nullified, transformed, or left alone. The only option which disappoints attorneys is the one that lets sleeping dogs lie.

Third, the growing upswell of anti-Google sentiment is noticeable. That may be a far larger problem for Googzilla than rumors about Samsung. Perceptions can be quite real, and they translate into impacts. I am tempted to quote William James, but I won’t.

Net net: If Samsung wants to swizzle a deal with an entity other than the Google, the lawyers may vibrate with such frequency that a feather or two may fall off.

Stephen E Arnold, April 24, 2023

« Previous PageNext Page »

  • Archives

  • Recent Posts

  • Meta