Signal and Cellebrite: Raising Difficult Questions

April 22, 2021

Signal published an summary of its exploration of the Cellebrite software. Founded in Israel and now owned by the Japanese company Sun Corporation, Cellebrite is a frequent exhibitor, speaker, and training sponsor at law enforcement and intelligence conferences. There are units and subsidiaries of the company, which are not germane to this short blog post. The company’s main business is to provide specialized services to make sense of data on mobile devices. Yes, there are other use cases for the company’s technology, but phones are a magnet at the present time.

Exploiting Vulnerabilities in Cellebrite UFED and Physical Analyzer from an App’s Perspective” makes clear that Cellebrite’s software is probably neither better nor worse than the SolarWinds, Microsoft Exchange Server, or other vendors’ software. Software has bugs, and once those bugs are discovered and put into circulation via a friendly post on a Dark Web pastesite or a comment in a tweet, it’s party time for some people.

Signal’s trope is that the Cellebrite “package” fell off a truck. I am not sure how many of those in my National Cyber Crime 2021 lectures will find that explanation credible, but some people are skeptics. Signal says:

[Cellebrite’s] products have often been linked to the persecution of imprisoned journalists and activists around the world, but less has been written about what their software actually does or how it works. Let’s take a closer look. In particular, their software is often associated with bypassing security, so let’s take some time to examine the security of their own software.

The write up then points out vulnerabilities. The information may be very useful to bad actors who want to configure their mobile devices to defeat the Cellebrite system and method. As readers of this blog may recall, I am not a big fan of disclosures about specialized software for certain government entities. Others — like the Signal analysts — have a different view point. I am not going to get involved in a discussion of this issue.

What I want to point out is that the Signal write up, if accurate, is another example of a specialized services vendor doing the MBA thing of over promising, overselling, and over marketing a cyber security solution.

In the context of the cyber security threat intelligence services which failed to notice the not-so-trivial SolarWinds, Microsoft Exchange Server, and Pulse Secure cyber missteps — the Signal essay is important.

Let me express my concern in questions:

What if the cyber security products and services are not able to provide security? What if the indexes of the Dark Web are not up to date and complete so queries return misleading results? What if the auto-generate alerts are based on flawed  methods?

The cyber vendors and their customers are likely to respond, “Our products are more than 95 percent effective.” That may be accurate in some controlled situations. But at the present time, the breaches and the Signal analysis may form the outlines of a cyber environment in which expensive cyber tools are little more than plastic hammers and saws. Expensive plastic tools which break when subjective to real world work.

Stephen E Arnold, April 22, 2021

McKinsey: MBAs Are a Fascinating Group to Observe

February 5, 2021

Watching blue chip consulting firms is more enjoyable than visiting a zoo. Here’s a good example of the entertainment value of individuals who strive to apply logic to business. Logic is definitely good, right?

AP Source: McKinsey to Pay $573M for Role in Opioid Crisis” explains that the McKinsey wizards somehow became involved in the “opioid crisis.” Crisis is self explanatory because most people have been ensnared in the Covid Rona thing. But opioid is difficult to appreciate. Think of addiction, crime, prostitution, trashed families, abandoned children, etc. You get the idea.

How could a blue chip consulting firm become involved in crimes which do not appear in the McKinsey collateral, on its Web site, or in its presentations to potential and current clients?

The write up says in the manner of “real” news outfits:

The global business consulting firm McKinsey & Company has agreed to a $573 million settlement over its role in advising companies on how to “supercharge” opioid sales amid an overdose crisis…

I interpret this to mean that the MBAs used their expertise to incentivize those in the legal pharma chain to move product. “Moving product” is a phrase used by narcotics dealers and MBAs alike, I believe.

The “real” news item reports:

McKinsey provided documents used in legal proceedings regarding OxyContin maker Purdue Pharma, including some that describe its efforts to help the company try to “supercharge” opioid sales in 2013, as reaction to the overdose crisis was taking a toll on prescribing. Documents made public in Purdue proceedings last year include include emails among McKinsey.

A wonderful engagement until it wasn’t. Blue chip consulting firms like to write checks to those who generate billable hours. My understanding is that writing checks for unbillable work irritates partners who expect bonuses and adulation for their business acumen.

An allegation of “supercharging” addictive products and producing the secondary effects itemize by me in paragraph two of this post is a bit of a negative. Even worse, the desired secondary effect like a zippy new Porsche conjured up on the Porsche Car Configurator, a position in a new investment fund, or a nice house and land in New Zealand does not arrive.

No word on jail time, but there’s a new administration now. The prostitution, child abandonment, and crime issues may become more consequential now.

Will this become a Harvard case? Who am I kidding? McKinsey in numero uno. Do los narcotraficantes operate with McKinsey’s acumen, logic, and efficiency. Good question.

Stephen E Arnold, February 5, 2021

What Is Next for Amazon Netradyne?

February 4, 2021

I noted the “real” news outfit CNBC story “Amazon Is Using AI-Equipped Cameras in Delivery Vans and Some Drivers Are Concerned about Privacy.” The use case is monitoring drivers. I have heard that some drivers work like beavers. Other comments suggest that some drivers play fast and loose with their time. These are lazy beavers. Other drivers misplace packages. These are crafty beavers. Another group driver like the route through the subdivision is a race. These are thrill-loving beavers. The Netradyne Driveri gizmo provides a partial solution with benefits; for example, imagery. My thought is that the Netradyne gizmo can hook into the Amazon AWS mother ship for a range of interesting features and functions. Maybe the data would be of use to those engaged in Amazon’s public sector work; for example, policeware services and solutions?

The story states:

Amazon is using an AI-powered camera made by Netradyne, a San Diego-based start-up that was founded in 2015 by two former senior Qualcomm employees. The camera, called Driveri, has four lenses that capture the road, the driver, and both sides of the vehicle.

I want to step away from the Netradyne and ask a few questions to which I don’t have answers at this time:

  1. Will Amazon learn from the Netradyne deployment what product enhancements to include in the “son of Netradyne”?
  2. What if a vehicle is equipped with multiple Netradyne type devices and shares these data with Amazon’s public sector partners and customers?
  3. What if Amazon’s drone routing surveillance technology is adapted to function with Amazon delivery mechanisms; that is, robot carts, lockers at the local store, trunk centric delivery, Ring doorbells, etc.?

The drivers are the subjects of a Silicon Valley style A-B test. My hunch is that there will be further smart camera developments either by AWS itself, AWS and a partner, or a few startups taking advantage of AWS technology to provide a platform for an application of the Netradyne learnings.

Who competes with Amazon AWS in this sector? Google, Microsoft, got any ideas? Sure, you do.

Stephen E Arnold, February 4, 2021

Law Enforcement Content Acquisition Revealed

January 22, 2021

Everything you do with a computer, smartphone, wearable, smart speaker, or tablet is recorded. In order to catch bad actors, law enforcement issues warrants to technology companies often asking for users who searched for specific keywords or visited certain Web sites in a specific time frame. Wired explains how private user information is still collected despite big tech promising to protect their users in the article, “How Your Digital Trails Wind Up In The Police’s Hands.”

Big tech companies continue to host apps and sell technology that provides user data to law enforcement. Apple attempted to combat the unauthorized of user information by requiring all developers to have a “nutritional label” on its apps. The label will disclose privacy policies. It is not, however, a blanket solution.

Big tech companies pledge their dedication to ending law enforcement using unlawful surveillance, but their actions are hypocritical. Amazon is committed to racial equity, but they saw an uptick in police request for user information. Google promises the same equity commitment with Google Doodles and donations, but they provide police with geofence warrants.

Law makers and political activists cite that these actions violate people’s civil rights and the Fourth Amendment. While there are people who are rallying to protect the average user, the bigger problem rests with users’ lack of knowledge. How many users are aware about the breadcrumbs they are leaving around the Internet? How many users actually read privacy policies or terms of service agreements? Very few!

“The solution isn’t simply for people to stop buying IoT devices or for tech companies to stop sharing data with the government. But “equity” demands that users be aware of the digital bread crumbs they leave behind as they use electronic devices and how state agents capitalize on both obscure systems of data collection and our own ignorance.”

Perhaps organizations should concentrate on educating the public or require big tech companies to have more transparent privacy policies in shorter, readable English? With thumb typing and illiteracy prevalent in the US, ignorance pays data dividends.

Whitney Grace, January 22, 2020

MIT: In the News Again

January 18, 2021

I have used “high school science club management methods” to describe some of the decisions at Silicon Valley-type outfits. I have also mentioned that the esteemed Massachusetts Institute of Technology found itself in a bit of a management dither with regards to the infamous Jeffrey Epstein. If you are not familiar with the MIT Epstein adventure, check out “Jeffrey Epstein’s Money Bought a Coverup at the MIT Media Lab.” High school science club management in action.

I read a story dated January 14, 2021, with the fetching title “MIT Professor Charged with Hiding Work for China.” Yep, someone hired a person, failed to provide appropriate oversight, and created a side gig. I learned:

While working for MIT, Chen entered into undisclosed contracts and held appointments with Chinese entities, including acting as an “overseas expert” for the Chinese government at the request of the People’s Republic of China Consulate Office in New York, authorities said. Many of those roles were “expressly intended to further the PRC’s scientific and technological goals,” authorities said in court documents. Chen did not disclose his connections to China, as is required on federal grant applications, authorities said. He and his research group collected about $29 million in foreign dollars, including millions from a Chinese government funded university funded, while getting $19 million in grants from U.S federal agencies for his work at MIT since 2013, authorities said.

MIT is allegedly an institution with many bright people. Maybe that is part of the challenge. The high school science club mentality has ingrained itself into the unsophisticated techniques used to track donations and smart professors.

Harvard has a business school. Does it offer a discount for MIT administrative professionals?

Stephen E Arnold, January 18, 2021

How Will MindGeek Get Paid? Umm, Encrypted and Anonymous Digital Currencies Maybe

December 11, 2020

I have followed the strong MasterCard and Visa response to revelations about MindGeek’s less-than-pristine content offerings. The Gray Lady wrote about MindGeek and then other “real” news sites picked up the story. A good example is “Visa, MasterCard Dump Pornhub Over Abuse Video Claims.” The write ups appear to have sidestepped one question which seems obvious to me:

How will MindGeek collect money?

There are some online ad outfits which have been able to place ads on Dark Web sites and on some other sites offering specialized content, not very different from MindGeek’s glittering content array. Amped up advertising seems one play.

But what about MindGeek’s paying customers?

Perhaps MindGeek, nestled in the Euro-centric confines of Montréal, will come up with the idea to use a digital currency. Invoices can be disseminated in secret messaging systems like those favored by the Russian based Edward Snowden. The payments can flow via encrypted digital currencies. Now many transactions can be tracked by government authorities in a number of countries. Nevertheless, making this type of shift is likely to increase the burden on investigators.

Just as killing off Backpage created additional work for some law enforcement professionals. The MasterCard and Visa termination may have a similar effect. Yes, the backlog can be resolved. But that is likely to add friction to some enforcement activities. A failure by regulatory agencies to get a handle of payments systems (encrypted and unencrypted) is now evident to some.

Stephen E Arnold, December 11, 2020

DHS Turns to Commercial Cellphone Data Vendors for Tracking Intelligence

November 18, 2020

Color us completely unsurprised. BuzzFeed News reports, “DHS Authorities Are Buying Moment-By-Moment Geolocation Cellphone Data to Track People.” In what privacy advocates are calling a “surveillance partnership” between government and corporations, the Department of Homeland Security is buying cellphone data in order to track immigrants at the southern border. This is likely to go way beyond the enforcement of immigration laws—once precedent is set, agencies across the law enforcement spectrum are apt to follow suit.

Citing a memo that came into their possession, reporters Hamed Aleaziz and Caroline Haskins reveal DHS lead attorney Chad Mizelle believes ICE officials are free to access locations and cellphone data activity without the need to obtain a warrant and without violating the Fourth Amendment (protection against unreasonable search and seizure). His reasoning? The fact that such data is commercially available, originally meant for advertising purposes, means no warrant is required. Consider that loophole as you ponder how much personal information most citizens’ cell phones hold, from our daily movement patterns to appointments with doctors and other professionals, to our communications. Aleaziz and Haskins write:

“When DHS buys geolocation data, investigators only know that phones and devices visited certain places — meaning, they don’t automatically know the identities of people who visited those locations. Investigators have to match a person’s visited locations with, say, property records and other data sets in order to determine who a person is. But this also means that, technically, moment-by-moment location tracking could happen to anyone, not just people under investigation by DHS. In particular, lawyers, activists, nonprofit workers, and other essential workers could get swept up into investigations that start with geolocation data. DHS officials said they do not comment on alleged leaked documents. The agency is aware of potential legal vulnerabilities under the Fourth Amendment. Mizelle states in his memo that there are ways for CBP and ICE to ‘minimize the risk’ of possible constitutional violations, pointing out that they could limit their searches to defined periods, require supervisors to sign off on lengthy searches, only use the data when more ‘traditional’ techniques fail, and limit the tracking of one device to when there is ‘individualized suspicion’ or relevance to a ‘law enforcement investigation.’”

Earlier this year, The Wall Street Journal reported that DHS was purchasing this data for ICE and CBP. Federal records show both agencies have bought licenses and software from mobile-device-data-vendor Venntel. The House Committee on Oversight and Reform is now investigating the company for selling data to government agencies.

Interesting dynamics.

Cynthia Murrell, November 18, 2020

Size of the US Secret Service?

November 16, 2020

I read “Expansive White House Covid Outbreak Sidelines 10% of Secret Service.” If the headline is accurate, the US Secret service consists of 1,300 officers in the “uniformed division.” The key phrase is “uniformed division.” To the untrained eye, these officers appear in uniforms similar to those of other police. However, there are non-uniformed Secret Service officers. A list of USSS field offices is here. A year ago I learned at a law enforcement conference that there were more than 7,000 employees in the USSS. Net net: The USSS has a reasonably deep roster and can cooperate with the US Capitol Police to deal with events of interest. (The USCP is responsible for Congress; the USSS, the White House. When the vice president moves from the White House to Capitol Hill, the protective duties shift as well.) The article left me with the impression that Covid has impaired the USSS. In my opinion, the USSS is on duty and robust.

Stephen E Arnold, November 16, 2020

Germany Raids Spyware Firm FinFisher

November 3, 2020

Authorities in Germany have acted on suspicions that spyware firm FinFisher, based in Munich, illegally sold its software to the Turkish government. It is believed that regime used the tools to spy on anti-government protesters in 2017. The independent Turkish news site Ahval summarizes the raid and the accusations in, “Spyware Company that Allegedly Sold Spyware to Turkey Raided by German Police.” We’re told:

“Germany’s Customs Investigation Bureau (ZKA) searched 15 properties last week, both in Germany and other countries. Public prosecutors told German media that directors and employees of FinFisher and other companies were being investigated. The investigation follows complaints filed by NGOs Reporters Without Borders, Netzpolitik.org, the Society for Civil Rights (Gesellschafft für Freiheitsrechte, GFF) and the European Center for Constitutional and Human Rights. The NGOs believe that a spyware product used in 2017 to target anti-government protesters in Turkey was FinFisher’s FinSpy. Germany’s Economy Ministry has issued no new permits for spyware since 2015, while the software in question was written in 2016, meaning that if it was used, it must have been exported in violation of government license restrictions.”

Activist group CitizenLab asserts the Turkish government spread the spyware to protesters through Twitter accounts. These accounts, we’re told, masqueraded as sources of information about upcoming protests. As far back as 2011, FinFisher was suspected of supplying regimes in the Middle East with spyware to track Arab Spring protestors. The software has since been found in use by several authoritarian governments, including Bahrain, Ethiopia, and he UAE. Just this September, Amnesty International reported FinFisher’s spyware was being used by Egypt. For its part, of course, the company denies making any sales to countries not approved by German law. We shall see what the investigation turns up.

Cynthia Murrell, November 3, 2020

Amazon Rekognition: Helping Make Work Safer

October 22, 2020

DarkCyber noted Amazon’s blog post “Automatically Detecting Personal Protective Equipment on Persons in Images Using Amazon Rekognition.” Amazon discloses:

With Amazon Rekognition PPE detection, you can analyze images from your on-premises cameras at scale to automatically detect if people are wearing the required protective equipment, such as face covers (surgical masks, N95 masks, cloth masks), head covers (hard hats or helmets), and hand covers (surgical gloves, safety gloves, cloth gloves). Using these results, you can trigger timely alarms or notifications to remind people to wear PPE before or during their presence in a hazardous area to help improve or maintain everyone’s safety.

The examples in the Amazon write up make sense. However, applications in law enforcement and security are also possible. For instance, consider saying, “Hands up” to a person of interest:

10 21 hands up

The system can detect objects held by an individual. You can get more information in the blog post. Policeware and intelware vendors working with Amazon at this time may generate other use cases.

Stephen E Arnold, October 22, 2020

Next Page »

  • Archives

  • Recent Posts

  • Meta