• Home
• About
• Writers
• Landscape
• Wizards Index
• Fraud
• Wanna Be Like Larry?

Signal and Cellebrite: Raising Difficult Questions

Signal published an summary of its exploration of the Cellebrite software. Founded in Israel and now owned by the Japanese company Sun Corporation, Cellebrite is a frequent exhibitor, speaker, and training sponsor at law enforcement and intelligence conferences. There are units and subsidiaries of the company, which are not germane to this short blog post. The company’s main business is to provide specialized services to make sense of data on mobile devices. Yes, there are other use cases for the company’s technology, but phones are a magnet at the present time.

“Exploiting Vulnerabilities in Cellebrite UFED and Physical Analyzer from an App’s Perspective” makes clear that Cellebrite’s software is probably neither better nor worse than the SolarWinds, Microsoft Exchange Server, or other vendors’ software. Software has bugs, and once those bugs are discovered and put into circulation via a friendly post on a Dark Web pastesite or a comment in a tweet, it’s party time for some people.

Signal’s trope is that the Cellebrite “package” fell off a truck. I am not sure how many of those in my National Cyber Crime 2021 lectures will find that explanation credible, but some people are skeptics. Signal says:

[Cellebrite’s] products have often been linked to the persecution of imprisoned journalists and activists around the world, but less has been written about what their software actually does or how it works. Let’s take a closer look. In particular, their software is often associated with bypassing security, so let’s take some time to examine the security of their own software.

The write up then points out vulnerabilities. The information may be very useful to bad actors who want to configure their mobile devices to defeat the Cellebrite system and method. As readers of this blog may recall, I am not a big fan of disclosures about specialized software for certain government entities. Others — like the Signal analysts — have a different view point. I am not going to get involved in a discussion of this issue.

What I want to point out is that the Signal write up, if accurate, is another example of a specialized services vendor doing the MBA thing of over promising, overselling, and over marketing a cyber security solution.

In the context of the cyber security threat intelligence services which failed to notice the not-so-trivial SolarWinds, Microsoft Exchange Server, and Pulse Secure cyber missteps — the Signal essay is important.

Let me express my concern in questions:

What if the cyber security products and services are not able to provide security? What if the indexes of the Dark Web are not up to date and complete so queries return misleading results? What if the auto-generate alerts are based on flawed  methods?

The cyber vendors and their customers are likely to respond, “Our products are more than 95 percent effective.” That may be accurate in some controlled situations. But at the present time, the breaches and the Signal analysis may form the outlines of a cyber environment in which expensive cyber tools are little more than plastic hammers and saws. Expensive plastic tools which break when subjective to real world work.

Stephen E Arnold, April 22, 2021

McKinsey: MBAs Are a Fascinating Group to Observe

Watching blue chip consulting firms is more enjoyable than visiting a zoo. Here’s a good example of the entertainment value of individuals who strive to apply logic to business. Logic is definitely good, right?

“AP Source: McKinsey to Pay $573M for Role in Opioid Crisis” explains that the McKinsey wizards somehow became involved in the “opioid crisis.” Crisis is self explanatory because most people have been ensnared in the Covid Rona thing. But opioid is difficult to appreciate. Think of addiction, crime, prostitution, trashed families, abandoned children, etc. You get the idea.

How could a blue chip consulting firm become involved in crimes which do not appear in the McKinsey collateral, on its Web site, or in its presentations to potential and current clients?

The write up says in the manner of “real” news outfits:

The global business consulting firm McKinsey & Company has agreed to a $573 million settlement over its role in advising companies on how to “supercharge” opioid sales amid an overdose crisis…

I interpret this to mean that the MBAs used their expertise to incentivize those in the legal pharma chain to move product. “Moving product” is a phrase used by narcotics dealers and MBAs alike, I believe.

The “real” news item reports:

McKinsey provided documents used in legal proceedings regarding OxyContin maker Purdue Pharma, including some that describe its efforts to help the company try to “supercharge” opioid sales in 2013, as reaction to the overdose crisis was taking a toll on prescribing. Documents made public in Purdue proceedings last year include include emails among McKinsey.

A wonderful engagement until it wasn’t. Blue chip consulting firms like to write checks to those who generate billable hours. My understanding is that writing checks for unbillable work irritates partners who expect bonuses and adulation for their business acumen.

An allegation of “supercharging” addictive products and producing the secondary effects itemize by me in paragraph two of this post is a bit of a negative. Even worse, the desired secondary effect like a zippy new Porsche conjured up on the Porsche Car Configurator, a position in a new investment fund, or a nice house and land in New Zealand does not arrive.

No word on jail time, but there’s a new administration now. The prostitution, child abandonment, and crime issues may become more consequential now.

Will this become a Harvard case? Who am I kidding? McKinsey in numero uno. Do los narcotraficantes operate with McKinsey’s acumen, logic, and efficiency. Good question.

Stephen E Arnold, February 5, 2021

What Is Next for Amazon Netradyne?

I noted the “real” news outfit CNBC story “Amazon Is Using AI-Equipped Cameras in Delivery Vans and Some Drivers Are Concerned about Privacy.” The use case is monitoring drivers. I have heard that some drivers work like beavers. Other comments suggest that some drivers play fast and loose with their time. These are lazy beavers. Other drivers misplace packages. These are crafty beavers. Another group driver like the route through the subdivision is a race. These are thrill-loving beavers. The Netradyne Driveri gizmo provides a partial solution with benefits; for example, imagery. My thought is that the Netradyne gizmo can hook into the Amazon AWS mother ship for a range of interesting features and functions. Maybe the data would be of use to those engaged in Amazon’s public sector work; for example, policeware services and solutions?

The story states:

Amazon is using an AI-powered camera made by Netradyne, a San Diego-based start-up that was founded in 2015 by two former senior Qualcomm employees. The camera, called Driveri, has four lenses that capture the road, the driver, and both sides of the vehicle.

I want to step away from the Netradyne and ask a few questions to which I don’t have answers at this time:

1. Will Amazon learn from the Netradyne deployment what product enhancements to include in the “son of Netradyne”?
2. What if a vehicle is equipped with multiple Netradyne type devices and shares these data with Amazon’s public sector partners and customers?
3. What if Amazon’s drone routing surveillance technology is adapted to function with Amazon delivery mechanisms; that is, robot carts, lockers at the local store, trunk centric delivery, Ring doorbells, etc.?

The drivers are the subjects of a Silicon Valley style A-B test. My hunch is that there will be further smart camera developments either by AWS itself, AWS and a partner, or a few startups taking advantage of AWS technology to provide a platform for an application of the Netradyne learnings.

Who competes with Amazon AWS in this sector? Google, Microsoft, got any ideas? Sure, you do.

Stephen E Arnold, February 4, 2021

Law Enforcement Content Acquisition Revealed

Everything you do with a computer, smartphone, wearable, smart speaker, or tablet is recorded. In order to catch bad actors, law enforcement issues warrants to technology companies often asking for users who searched for specific keywords or visited certain Web sites in a specific time frame. Wired explains how private user information is still collected despite big tech promising to protect their users in the article, “How Your Digital Trails Wind Up In The Police’s Hands.”

Big tech companies continue to host apps and sell technology that provides user data to law enforcement. Apple attempted to combat the unauthorized of user information by requiring all developers to have a “nutritional label” on its apps. The label will disclose privacy policies. It is not, however, a blanket solution.

Big tech companies pledge their dedication to ending law enforcement using unlawful surveillance, but their actions are hypocritical. Amazon is committed to racial equity, but they saw an uptick in police request for user information. Google promises the same equity commitment with Google Doodles and donations, but they provide police with geofence warrants.

Law makers and political activists cite that these actions violate people’s civil rights and the Fourth Amendment. While there are people who are rallying to protect the average user, the bigger problem rests with users’ lack of knowledge. How many users are aware about the breadcrumbs they are leaving around the Internet? How many users actually read privacy policies or terms of service agreements? Very few!

“The solution isn’t simply for people to stop buying IoT devices or for tech companies to stop sharing data with the government. But “equity” demands that users be aware of the digital bread crumbs they leave behind as they use electronic devices and how state agents capitalize on both obscure systems of data collection and our own ignorance.”

Perhaps organizations should concentrate on educating the public or require big tech companies to have more transparent privacy policies in shorter, readable English? With thumb typing and illiteracy prevalent in the US, ignorance pays data dividends.

Whitney Grace, January 22, 2020

MIT: In the News Again

I have used “high school science club management methods” to describe some of the decisions at Silicon Valley-type outfits. I have also mentioned that the esteemed Massachusetts Institute of Technology found itself in a bit of a management dither with regards to the infamous Jeffrey Epstein. If you are not familiar with the MIT Epstein adventure, check out “Jeffrey Epstein’s Money Bought a Coverup at the MIT Media Lab.” High school science club management in action.

I read a story dated January 14, 2021, with the fetching title “MIT Professor Charged with Hiding Work for China.” Yep, someone hired a person, failed to provide appropriate oversight, and created a side gig. I learned:

While working for MIT, Chen entered into undisclosed contracts and held appointments with Chinese entities, including acting as an “overseas expert” for the Chinese government at the request of the People’s Republic of China Consulate Office in New York, authorities said. Many of those roles were “expressly intended to further the PRC’s scientific and technological goals,” authorities said in court documents. Chen did not disclose his connections to China, as is required on federal grant applications, authorities said. He and his research group collected about $29 million in foreign dollars, including millions from a Chinese government funded university funded, while getting $19 million in grants from U.S federal agencies for his work at MIT since 2013, authorities said.

MIT is allegedly an institution with many bright people. Maybe that is part of the challenge. The high school science club mentality has ingrained itself into the unsophisticated techniques used to track donations and smart professors.

Harvard has a business school. Does it offer a discount for MIT administrative professionals?

Stephen E Arnold, January 18, 2021

How Will MindGeek Get Paid? Umm, Encrypted and Anonymous Digital Currencies Maybe

I have followed the strong MasterCard and Visa response to revelations about MindGeek’s less-than-pristine content offerings. The Gray Lady wrote about MindGeek and then other “real” news sites picked up the story. A good example is “Visa, MasterCard Dump Pornhub Over Abuse Video Claims.” The write ups appear to have sidestepped one question which seems obvious to me:

How will MindGeek collect money?

There are some online ad outfits which have been able to place ads on Dark Web sites and on some other sites offering specialized content, not very different from MindGeek’s glittering content array. Amped up advertising seems one play.

But what about MindGeek’s paying customers?

Perhaps MindGeek, nestled in the Euro-centric confines of Montréal, will come up with the idea to use a digital currency. Invoices can be disseminated in secret messaging systems like those favored by the Russian based Edward Snowden. The payments can flow via encrypted digital currencies. Now many transactions can be tracked by government authorities in a number of countries. Nevertheless, making this type of shift is likely to increase the burden on investigators.

Just as killing off Backpage created additional work for some law enforcement professionals. The MasterCard and Visa termination may have a similar effect. Yes, the backlog can be resolved. But that is likely to add friction to some enforcement activities. A failure by regulatory agencies to get a handle of payments systems (encrypted and unencrypted) is now evident to some.

Stephen E Arnold, December 11, 2020

DHS Turns to Commercial Cellphone Data Vendors for Tracking Intelligence

Color us completely unsurprised. BuzzFeed News reports, “DHS Authorities Are Buying Moment-By-Moment Geolocation Cellphone Data to Track People.” In what privacy advocates are calling a “surveillance partnership” between government and corporations, the Department of Homeland Security is buying cellphone data in order to track immigrants at the southern border. This is likely to go way beyond the enforcement of immigration laws—once precedent is set, agencies across the law enforcement spectrum are apt to follow suit.

Citing a memo that came into their possession, reporters Hamed Aleaziz and Caroline Haskins reveal DHS lead attorney Chad Mizelle believes ICE officials are free to access locations and cellphone data activity without the need to obtain a warrant and without violating the Fourth Amendment (protection against unreasonable search and seizure). His reasoning? The fact that such data is commercially available, originally meant for advertising purposes, means no warrant is required. Consider that loophole as you ponder how much personal information most citizens’ cell phones hold, from our daily movement patterns to appointments with doctors and other professionals, to our communications. Aleaziz and Haskins write:

“When DHS buys geolocation data, investigators only know that phones and devices visited certain places — meaning, they don’t automatically know the identities of people who visited those locations. Investigators have to match a person’s visited locations with, say, property records and other data sets in order to determine who a person is. But this also means that, technically, moment-by-moment location tracking could happen to anyone, not just people under investigation by DHS. In particular, lawyers, activists, nonprofit workers, and other essential workers could get swept up into investigations that start with geolocation data. DHS officials said they do not comment on alleged leaked documents. The agency is aware of potential legal vulnerabilities under the Fourth Amendment. Mizelle states in his memo that there are ways for CBP and ICE to ‘minimize the risk’ of possible constitutional violations, pointing out that they could limit their searches to defined periods, require supervisors to sign off on lengthy searches, only use the data when more ‘traditional’ techniques fail, and limit the tracking of one device to when there is ‘individualized suspicion’ or relevance to a ‘law enforcement investigation.’”

Earlier this year, The Wall Street Journal reported that DHS was purchasing this data for ICE and CBP. Federal records show both agencies have bought licenses and software from mobile-device-data-vendor Venntel. The House Committee on Oversight and Reform is now investigating the company for selling data to government agencies.

Interesting dynamics.

Cynthia Murrell, November 18, 2020

Size of the US Secret Service?

I read “Expansive White House Covid Outbreak Sidelines 10% of Secret Service.” If the headline is accurate, the US Secret service consists of 1,300 officers in the “uniformed division.” The key phrase is “uniformed division.” To the untrained eye, these officers appear in uniforms similar to those of other police. However, there are non-uniformed Secret Service officers. A list of USSS field offices is here. A year ago I learned at a law enforcement conference that there were more than 7,000 employees in the USSS. Net net: The USSS has a reasonably deep roster and can cooperate with the US Capitol Police to deal with events of interest. (The USCP is responsible for Congress; the USSS, the White House. When the vice president moves from the White House to Capitol Hill, the protective duties shift as well.) The article left me with the impression that Covid has impaired the USSS. In my opinion, the USSS is on duty and robust.

Stephen E Arnold, November 16, 2020

Germany Raids Spyware Firm FinFisher

Authorities in Germany have acted on suspicions that spyware firm FinFisher, based in Munich, illegally sold its software to the Turkish government. It is believed that regime used the tools to spy on anti-government protesters in 2017. The independent Turkish news site Ahval summarizes the raid and the accusations in, “Spyware Company that Allegedly Sold Spyware to Turkey Raided by German Police.” We’re told:

“Germany’s Customs Investigation Bureau (ZKA) searched 15 properties last week, both in Germany and other countries. Public prosecutors told German media that directors and employees of FinFisher and other companies were being investigated. The investigation follows complaints filed by NGOs Reporters Without Borders, Netzpolitik.org, the Society for Civil Rights (Gesellschafft für Freiheitsrechte, GFF) and the European Center for Constitutional and Human Rights. The NGOs believe that a spyware product used in 2017 to target anti-government protesters in Turkey was FinFisher’s FinSpy. Germany’s Economy Ministry has issued no new permits for spyware since 2015, while the software in question was written in 2016, meaning that if it was used, it must have been exported in violation of government license restrictions.”

Activist group CitizenLab asserts the Turkish government spread the spyware to protesters through Twitter accounts. These accounts, we’re told, masqueraded as sources of information about upcoming protests. As far back as 2011, FinFisher was suspected of supplying regimes in the Middle East with spyware to track Arab Spring protestors. The software has since been found in use by several authoritarian governments, including Bahrain, Ethiopia, and he UAE. Just this September, Amnesty International reported FinFisher’s spyware was being used by Egypt. For its part, of course, the company denies making any sales to countries not approved by German law. We shall see what the investigation turns up.

Cynthia Murrell, November 3, 2020

Amazon Rekognition: Helping Make Work Safer

DarkCyber noted Amazon’s blog post “Automatically Detecting Personal Protective Equipment on Persons in Images Using Amazon Rekognition.” Amazon discloses:

With Amazon Rekognition PPE detection, you can analyze images from your on-premises cameras at scale to automatically detect if people are wearing the required protective equipment, such as face covers (surgical masks, N95 masks, cloth masks), head covers (hard hats or helmets), and hand covers (surgical gloves, safety gloves, cloth gloves). Using these results, you can trigger timely alarms or notifications to remind people to wear PPE before or during their presence in a hazardous area to help improve or maintain everyone’s safety.

The examples in the Amazon write up make sense. However, applications in law enforcement and security are also possible. For instance, consider saying, “Hands up” to a person of interest:

The system can detect objects held by an individual. You can get more information in the blog post. Policeware and intelware vendors working with Amazon at this time may generate other use cases.

Stephen E Arnold, October 22, 2020

« Previous Page — Next Page »

• 

• Search the site

•  

  Subscribe to Beyond Search

  • 
  • 
   
  • 
   
  
  Feature archive
  News archive
   
  
  
  Stephen E. Arnold monitors search, content processing, text mining and related topics from his high-tech nerve center in rural Kentucky. He tries to winnow the goose feathers from the giblets. He works with colleagues worldwide to make this Web log useful to those who want to go "beyond search". Contact him at sa [at] arnoldit.com. His Web site with additional information about search is arnoldit.com.

• Categories

  • 3D-Printing
  • Acquisition
  • Advertising
  • Aggregation
  • AI
  • Alexa
  • algorithms
  • Amazon
  • Amazonia
  • Analytics
  • Appliance
  • Applications
  • Audio
  • Augmented Reality
  • Big data
  • Bing
  • Bitcoin
  • Bitext
  • Book review
  • Business intelligence
  • Business process
  • Business strategy
  • Censorship
  • Cloud computing
  • Company Profile
  • Conferences
  • Connectors
  • Consulting
  • Consumer
  • Content processing
  • Copyright
  • Corporate Concerns
  • Cost
  • Crawl
  • Crowdfunding
  • cryptocurrency
  • Customer support
  • Cyber OSINT
  • cybercrime
  • cybersecurity
  • Dark Web
  • DarkCyber
  • Data
  • Data mining
  • Database
  • Deepfakes
  • Digital Assistant
  • Digital Library
  • E2EE
  • ECommerce
  • EDiscovery
  • Editorial opinion
  • Education
  • Emoticons
  • Enterprise
  • Enterprise search
  • Entity extraction
  • Ethics
  • Facebook
  • Faceted search
  • Factualities
  • Feature
  • Federated search
  • Financial
  • Fogint
  • Google
  • Governance
  • Government
  • Hackers
  • healthcare
  • IBM Watson
  • Image search
  • Indexing
  • Infrastructure
  • Innovation
  • Integration
  • intelware
  • Interface
  • Internet
  • Interview
  • Investment
  • law enforcement
  • Legal matters
  • Library automation
  • Management
  • Marketing
  • Mathematics
  • Metadata
  • Microsoft
  • Mobile
  • Natural language processing
  • News
  • NGIA
  • Online (general)
  • Open Access
  • Open source
  • OSINT
  • Osint Radar
  • Overflight
  • Palantir
  • Patents
  • Personnel
  • Podcast
  • Policeware
  • Portals
  • Predictive coding
  • Privacy
  • Profile
  • Publishing
  • Quotation
  • Real time search
  • Reference tool
  • Rich media
  • Robot Writer
  • Search
  • Search enabled applications
  • search engine
  • Search quality
  • Security
  • Semantic
  • Sentiment analysis
  • SEO
  • SharePoint
  • Short Honks
  • Smart Technology
  • Social
  • Social Media
  • software
  • Statistics
  • Taxonomy
  • Technology
  • Text analytics
  • Text processing
  • Tools
  • Tor
  • Training
  • Translation
  • Twitter
  • Uncategorized
  • Unstructured Data
  • User experience
  • User Interface
  • Vertical search
  • Video
  • visualization
  • Voice search
  • Voice technology
  • Web 3
  • Web Services
  • Webinar
  • Windows
  • Work flow
  • XML
  • Yahoo

• Archives

  Archives Select Month December 2024 November 2024 October 2024 September 2024 August 2024 July 2024 June 2024 May 2024 April 2024 March 2024 February 2024 January 2024 December 2023 November 2023 October 2023 September 2023 August 2023 July 2023 June 2023 May 2023 April 2023 March 2023 February 2023 January 2023 December 2022 November 2022 October 2022 September 2022 August 2022 July 2022 June 2022 May 2022 April 2022 March 2022 February 2022 January 2022 December 2021 November 2021 October 2021 September 2021 August 2021 July 2021 June 2021 May 2021 April 2021 March 2021 February 2021 January 2021 December 2020 November 2020 October 2020 September 2020 August 2020 July 2020 June 2020 May 2020 April 2020 March 2020 February 2020 January 2020 December 2019 November 2019 October 2019 September 2019 August 2019 July 2019 June 2019 May 2019 April 2019 March 2019 February 2019 January 2019 December 2018 November 2018 October 2018 September 2018 August 2018 July 2018 June 2018 May 2018 April 2018 March 2018 February 2018 January 2018 December 2017 November 2017 October 2017 September 2017 August 2017 July 2017 June 2017 May 2017 April 2017 March 2017 February 2017 January 2017 December 2016 November 2016 October 2016 September 2016 August 2016 July 2016 June 2016 May 2016 April 2016 March 2016 February 2016 January 2016 December 2015 November 2015 October 2015 September 2015 August 2015 July 2015 June 2015 May 2015 April 2015 March 2015 February 2015 January 2015 December 2014 November 2014 October 2014 September 2014 August 2014 July 2014 June 2014 May 2014 April 2014 March 2014 February 2014 January 2014 December 2013 November 2013 October 2013 September 2013 August 2013 July 2013 June 2013 May 2013 April 2013 March 2013 February 2013 January 2013 December 2012 November 2012 October 2012 September 2012 August 2012 July 2012 June 2012 May 2012 April 2012 March 2012 February 2012 January 2012 December 2011 November 2011 October 2011 September 2011 August 2011 July 2011 June 2011 May 2011 April 2011 March 2011 February 2011 January 2011 December 2010 November 2010 October 2010 September 2010 August 2010 July 2010 June 2010 May 2010 April 2010 March 2010 February 2010 January 2010 December 2009 November 2009 October 2009 September 2009 August 2009 July 2009 June 2009 May 2009 April 2009 March 2009 February 2009 January 2009 December 2008 November 2008 October 2008 September 2008 August 2008 July 2008 June 2008 May 2008 April 2008 March 2008 February 2008 January 2008 November 5

• Recent Posts

  • Pass a Law to Prevent Youngsters from Accessing Social Media. Yep, That Will Work Well
  • FOGINT: Telegram and Its Possible Latent Weakness
  • Deepfakes: An Interesting and Possibly Pernicious Arms Race
  • The Golden Fleecer of the Year: Boeing
  • Directories Have Value

• Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org