STE WILLIAMS

Cellphone tower data protected by US Constitution

A federal judge has ruled that subscriber data captured from cellphone towers is protected by the US Constitution’s Fourth Amendment guarantee against illegal searches and seizures.

The decision is part of a sea change from half a decade worth of previous rulings, in which police weren’t required to obtain search warrants based on probable cause before accessing the subscriber information. US Magistrate Judge Stephen Wm Smith of the Southern District of Texas said recent changes in case law and rapidly evolving mobile technology required a departure from the outcomes in that long line of cases.

“In 1789 it was inconceivable that every peripatetic step of a citizen’s life could be monitored, recorded, and revealed to the government,” he wrote in a decision that was released late last month but only noticed in the last few days. “For a cell phone user born in 1984, however, it is conceivable that every movement of his adult life can be imperceptibly captured, compiled, and retrieved from a digital dossier somewhere in a computer cloud. Now as then, the Fourth Amendment remains our polestar.”

The ruling – which seemed to make reference to the year the Constitution went into effect and the George Orwell novel – is a huge victory for privacy advocates, who have long argued that historical cell-site information gives the government the ability to track users’ location each time they make a call or send a text message. In this case, however, it would appear the government was seeking to electronically surveil targets “whether the phone was in active use or not,” Smith said.

The government’s request for permission to capture 60 days worth of tower data didn’t sit well with the judge, who likened the electronic record to “a continuous reality TV show, exposing two months’ worth of a person’s movements, activities, and associations in relentless detail.”

The decision follows August’s landmark decision in which a federal appeals court bashed warrantless GPS surveillance, ruling FBI agents should have obtained a search warrant before planting a GPS device on the vehicle of a suspected drug dealer. A few weeks later, a federal judge in New York ruled cell-tower data was also protected by the Fourth Amendment, rebuffing investigators who said there was no reasonable expectation such data is private.

The American Civil Liberties Union, hailed Smith’s decision.

“The court reached this conclusion both because cell tracking reveals information about constitutionally protected spaces such as the home, and because the prolonged nature of such surveillance is very invasive,” Catherine Crump, of the ACLU’s Speech, Privacy and Technology Project, blogged.

A PDF of Smith’s ruling is here ®

  • 12/01/2011
  • adm

Cell Phone Search Needs No Warrant – California

California’s high court said police don’t need a warrant to read text messages stored on the cell phones of people taken into custody.

Monday’s 5-2 decision (PDF) relied on separate decisions from the 1970s by the US Supreme Court that upheld warrantless searches of cigarette packs and clothing taken from suspects after they were arrested.

Cell phones are no different, California Supreme Court Justice Ming Chin wrote for the majority in Monday’s decision. They went on to uphold an appeals court decision that the retrieval of an incriminating text message from a drug suspect’s handset didn’t violate the US Constitution’s protection against unreasonable searches and seizures.

The ruling came in the case of Gregory Diaz, who was arrested in 2007 for conspiracy to sell Ecstasy. Officers who confiscated his phone found a message that read “6 4 $80,” which was interpreted to mean the defendant would sell six pills for $80.

In a dissenting opinion, two associate justices said cell phones should be treated differently than other personal effects confiscated from a suspect because they’re capable of storing so much more information.

“A contemporary smartphone can hold hundreds or thousands of messages, photographs, videos, maps, contacts, financial records, memoranda and other documents, as well as records of the user‟s telephone calls and Web browsing,” Kathryn M. Werdegar wrote in the dissent. “Never before has it been possible to carry so much personal or business information in one’s pocket or purse. The potential impairment to privacy if arrestees’ mobile phones and handheld computers are treated like clothing or cigarette packages, fully searchable without probable cause or a warrant, is correspondingly great.”

The warrantless seizure of cell phones has already been heard by other courts with varying outcomes, according to The San Francisco Chronicle. The split may prompt the US Supreme Court to take up the issue. ®

  • 12/01/2011
  • adm

Lawyers fear Assange faces death penalty in US

WikiLeaks founder Julian Assange could be imprisoned at Guantanamo Bay or face the death penalty if he’s extradited to the US, his attorneys argued in court papers released Tuesday.

The document, which outlines the defense Assange’s legal team intends to use next month at a hearing over Sweden’s request for extradition, says Assange could be subject to other types of maltreatment that would violate the European Convention on Human Rights. They include the possibility of torture or, they hinted, “extraordinary rendition,” in which the CIA forcibly transfers suspected terrorists to countries where prohibitions against torture aren’t in place.

“There is a real risk that, if extradited to Sweden, the US will seek his extradition and/or illegal rendition to the USA, where there will be a real risk of him being detained at Guantanamo Bay or elsewhere, in conditions which would breach Article 3 of the ECHR,” the document stated. “Indeed, if Mr. Assange were rendered to the USA, without assurances that the death penalty would not be carried out, there is a real risk that he could be made subject to the death penalty.”

The document went on to cite references from former Alaska Governor Sarah Palin and former Arkansas Governor Mike Huckabee, who have both called for Assange to be treated as a terrorist.

Assange, 39, remains confined to a country mansion outside London on about $410,000 surety while a London court decides whether Assange should be extradited to Sweden. Prosecutors in that country are investigating claims by two women that Assange sexually molested them while visiting Sweden in August. Assange was previously cleared to leave the country after prosecutors there closed their investigation. When it was reopened, prosecutors sought Assange’s extradition, which the WikiLeaks’ founder has opposed.

Assange hasn’t been charged with any crime.

In the defense preview, Assange’s attorneys took issue with the extradition application of Swedish prosecutor Marianne Ny. Requests can be made only after a suspect has been charged with a crime that is subject to extradition, the attorneys argued. What’s more, prosecutors must exhaust all “normal procedures” for interrogating Assange, which has yet to happen, they argued.

“In short, Ms. Ny went from informal discussions about arranging an interview of Mr. Assange straight to the issuance of [a European arrest warrant], without taking the reasonable and proportionate, intermediary step of formally summoning him for an interview or formally requesting his interrogation,” the wrote. “The proper, proportionate and legal means of requesting a person’s questioning in the UK in these circumstances is through Mutual Legal Assistance.”

The defense preview was issued a few hours after Assange appeared at a brief court hearing attended by supporters including Bianca Jagger and heiress/socialite/humanitarian Jemima Goldsmith. ®

WikiLeaks lawyer dubs US subpoena on Twitter ‘harassment’

US prosecutor demands that Twitter hand over data about WikiLeaks and a raft of supporters amounts to harassment, a lawyer for the whistle-blower website says.

The claim comes amid revelations of documents the US Department of Justice secretly filed in federal court seeking detailed information associated with the accounts of WikiLeaks and several of its supporters, including Icelandic Member of Parliament Birgitta Jónsdóttir, founder Julian Assange, and Rop Gonggrijp and Jacob Appelbaum, who are hackers who have worked with Assange in the past. Pfc. Bradley Manning, the US Army intelligence analyst suspected of supplying WikiLeaks with classified government documents was also targeted.

Mark Stephens, an attorney representing the secret-spilling website, told journalists over the weekend that the demands violate the US Constitution’s guarantee against unreasonable searches and seizures and amounts to a shake down.

“The Department of Justice is turning into an agent of harassment rather than an agent of law,” Stephens told Bloomberg News. “They’re shaking the tree to see if anything drops out, but more important they are shaking down people who are supporters of WikiLeaks.”

Stephens went on to tell Bloomberg that similar information was sought from Google, Facebook and eBay’s Skype division. Those companies have yet to confirm or deny that claim.

The government’s dragnet might never have come to light were it not for the actions of Twitter, which under the national security letters filed on December 14 in US District Court for the Eastern District of Virginia was forbidden from notifying its subscribers that their information was being demanded. Lawyers for the micro-blogging filed a motion to unseal the court order and won last week.

The company easily could have complied with the order and faced “zero” liability for doing so, said Christopher Soghoian, a Ph.D. candidate in Indiana University’s School of Informatics and Computing, where he is researching data security and privacy, cyber law.

“It is wonderful to see companies taking a strong stance, and fighting for their users’ privacy,” he blogged. “I am sure that this will pay long term PR dividends to Twitter, and is a refreshing change, compared to the actions by some other major telecommunications and internet application providers, who often bend over backwards to help law enforcement agencies.”

He went on to highlight comments made a few years ago by eBay’s director of compliance boasting that the online auction house “has probably the most generous policy of any internet company when it comes to sharing information.” The site doesn’t require a subpoena “except for very limited circumstances,” the official went on to say.

Meanwhile Iceland’s Foreign Ministry has summoned the US Ambassador to Reykjavik to explain why investigators are dredging up the online activity of an Icelandic lawmaker. It’s not clear when the meeting will take place.

Stephens, the WikiLeaks attorney, said government investigators are using the data demands to learn as much as they can about the comings and goings of the targets, as well as their relationship to each other.

“What they will then do is take that data and analyze it in conjunction with data they get from Google, Facebook and the other social media, so that they can ascertain individuals that they feel they want to pay more attention to,” he told Bloomberg. ®

  • 12/01/2011
  • adm

Researcher cracks Wi-Fi passwords with Amazon cloud

A security researcher has tapped Amazon’s cloud computing service to crack Wi-Fi passwords in a fraction of the time and for a fraction of the cost of using his own gear.

Thomas Roth of Cologne, Germany told Reuters he used custom software running on Amazon’s Elastic Compute Cloud service to break into a WPA-PSK protected network in about 20 minutes. With refinements to his program, he said he could shave the time to about six minutes. With EC2 computers available for 28 cents per minute, the cost of the crack came to just $1.68.

“People tell me there is no possible way to break WPA, or, if it were possible, it would cost you a ton of money to do so,” Roth told the news service. “But it is easy to brute force them.”

Roth is the same researcher who in November used Amazon’s cloud to brute force SHA-1 hashes. Roth said he cracked 14 hashes from a 160-bit SHA-1 hash with a password of between one and six characters in about 49 minutes. He told The Register at the time he’d be able to significantly reduce that time with minor tweaks to his software, which made use of “Cluster GPU Instances” of the EC2 service.

As the term suggests, brute force cracks are among the least sophisticated means of gaining unauthorized access to a network. Rather than exploit weaknesses, they try huge numbers of possible passwords until the right phrase is entered. Roth has combined this caveman approach with a highly innovative technique that applies it to extremely powerful servers that anyone can rent at highly affordable rates.

Roth’s latest program uses EC2 to run through 400,000 possible passwords per second, a massive amount that only a few years ago would have required the resources of a supercomputer. He is scheduled to present his findings at next week’s Black Hat security conference in Washington, DC. ®

  • 12/01/2011
  • adm

Attacks on IE drive-by bug go wild

Microsoft on Tuesday warned that attackers have begun exploiting a critical vulnerability in Internet Explorer and rolled out a temporary fix until a permanent patch is issued.

The vulnerability in IE versions 6, 7 and 8, which involves the way the browser handles cascading style sheets, allows adversaries to perform drive-by malware attacks by luring victims to booby-trapped webpages. The exploits are triggered by recursive CSS pages, in which style sheets include their own addresses.

Microsoft confirmed the security flaw in late December. On Tuesday, it updated its advisory to reflect “reports of limited attacks attempting to exploit a vulnerability in all supported versions of Internet Explorer.”

Redmond also issued a workaround that large organizations can implement to protect themselves until a patch is released. It comes in the form of a Fix it that causes IE to reject CSS pages that contain the same URL as a style sheet that’s trying to load it.

“This change causes Internet Explorer to refuse to import a CSS style sheet if it has the same URL as the CSS style sheet from which it is being loaded,” Microsoft Security Response Center’s Keven Brown explained here. “Simply put, the workaround inserts a check to see if a style sheet is about to be loaded recursively, and if it so, it aborts the load of the style sheet.”

For the workaround to be effective, all existing security updates, particularly MS10-090 released on December 14, must be installed. The temporary fix causes a minor performance decrease – adding about 150 milliseconds to the browsers’ startup time – so it should be uninstalled once a patch is put in place. Third-party apps that work with IE should be thoroughly tested before putting the workaround into effect.

The workaround came on the first Patch Tuesday of 2011. As part of the regularly scheduled update release, Microsoft also issued two updates, one in the Windows Backup Manager and the other in Microsoft Data Access Components.

While it was one of the smallest Patch Tuesdays ever, it failed to address at least known vulnerabilities that put Microsoft users at risk. One of them allows attackers to remotely execute malicious code on machines running the XP, Server 2003, Vista, and Server 2008 versions of Windows. Exploit code for it is publicly available. The other, disclosed by Google researcher Michal Zalewski, leads to what he said was a “clearly exploitable crash.” ®

Feds subpoena Twitter for info on WikiLeaks backer

US authorities have subpoenaed Twitter for information about an Icelandic parliamentarian who until recently was a vocal supporter of WikiLeaks and its embattled founder Julian Assange.

Iceland Member of Parliament Birgitta Jónsdóttir disclosed the legal demand in a series of tweets on the micro blogging site on Friday. The former anarchist was a vocal supporter of the whistle-blower website until recently, when her enthusiasm for Assange cooled following allegations he sexually molested two women during a visit in August to Sweden.

“Just got this: Twitter has received legal process requesting information regarding your Twitter account in (relation to wikileaks),” she wrote in one dispatch. “USA government wants to know about all my tweets and more since november 1st 2009. Do they realize i am a member of parliament in iceland?” she quickly added.

She went on to say she is consulting with a lawyer and intends to fight the demand, which came from officials at the Justice Department.

“They are asking for a lot more then [sic] just my tweets,” she said. “I only got 10 days to stop this via legal process or [Twitter] will hand it over.

A Twitter spokeswoman declined to confirm the account, or say whether the service intends to comply.

“To help users protect their rights, it’s our policy to notify users about law enforcement and governmental requests for their information, unless we are prevented by law from doing so,” she said.

The demand makes Twitter the latest company to get embroiled in the US government’s heated campaign against WikiLeaks. Over the past month, a variety of companies – including PayPal, MasterCard, Visa, and Bank of America – have denied services to WikiLeaks following claims by the State Department that the site was engaged in illegal activity.

Charges have yet to be brought.

Jónsdóttir was the chief sponsor of the Icelandic Modern Media Initiative, which was passed in that country’s parliament in June. The measure reformed media laws to make Iceland an international safe haven for journalists.

According to The Telegraph, Jónsdóttir also managed to get Assange into a US Embassy cocktail party at the ambassador’s residence in Reykjavik. During the event, Assange sipped with Sam Watson, the embassy’s deputy chief of mission, whose embarrassing dispatches concerning the US and UK role following the collapse of Iceland’s bank would later be published on the site.

“He certainly had fun at the party,” Jónsdóttir was quoted as saying. “I said it would be a bit of a prank to take him and see if they knew who he was. I don’t think they had any idea.”

According to Wired.com, the subpoena was served on December 14 in US District Court in Alexandria, Virginia, the same venue of a federal grand jury deciding whether to bring charges against Assange for leaking classified State Department cables.

“I think I am being given a message, almost like someone breathing in a phone,” Jónsdóttir wrote. “If Twitter hands over my information – then no ones information is save [sic] with Twitter.” ®

  • 08/01/2011
  • adm

PlayStation 3 code signing cracked

Hardware hackers claim to have uncovered the private key used by Sony to authorise code to run on PlayStation 3 systems.

The hackers uncovered the hack in order to run Linux or PS3 consoles, irrespective of the version of firmware the games console was running. By knowing the private key used by Sony the hackers are able to sign code so that a console can boot directly into Linux. Previous approaches to running the open source OS on a games console were firmware specific and involved messing around with USB sticks.

The same code signing technique might also be used to run pirated or counterfeit games on a console. That isn’t the intention of the hackers even though it might turn out to be the main practical effect of the hack.

The group, fail0verflow, who also run the Wii’s Homebrew Channel, gave more information about the crack and a demo during the annual Chaos Communication Conference hacker congress in Berlin. Sony’s weak implementation of cryptography was exploited by fail0verflow to pull off the hack, as explained in a video on enthusiast site PSGroove here.

More discussion on the console jailbreaking hack can be found on a PlayStation forum here

  • 30/12/2010
  • adm

WikiLeaks’ Julian Assange Now Making $86k/year

WikiLeaks’ main financial arm, the Germany-based Wau Holland Foundation says it has collected about 1 million Euro ($1.3 million) in donations in 2010, the year in which WikiLeaks exploded into public prominence thanks to its release of thousands of classified U.S. documents, according to a new report from the Wall Street Journal.

Wau Holland is the primary but not sole financial provider for WikiLeaks, the Journal reports.

From those donations, Wau Holland has established a Greenpeace-like system of salary payments, as WikiLeaks attempts to legitimize its organization by moving away from purely volunteer-based work, the Journal reports. The move to make salaried employees allegedly comes after a year-long intense internal debate about whether to do so.

The main beneficiary has been founder Julian Assange, who has drawn 66,000 Euros (about $86,000) in salary thus far this year, the Journal reports. Wau Holland has paid a total of 100,000 Euros in salaries to the entire WikiLeaks staff, which means Assange is getting the lion’s share.

WikiLeaks will pay key personnel based on a salary structure developed by the environmental activist organization Greenpeace, the Journal reports. Under the structure, Greenpeace department heads are paid about 5,500 Euros in monthly salary, a Wau Holland spokesman said.

Among the many revelations from the Journal report are several indications that donations to WikiLeaks have dropped off significantly in the second half of the year.

By August, WikiLeaks had raised about 765,000 Euro, which means it has only raised about 235,000 Euro since then, the Journal reports.

Last summer, WikiLeaks said it operated on about 150,000 Euro a year. Now, however, the foundation says it has paid about 380,000 Euro in WikiLeaks expenses, with some invoices for the year still unprocessed. Some of that total is for hardware, Internet access and travel, a Wau Holland spokesman said. But a big factor in the leap is a recent decision to begin paying salaries to staff.

WikiLeaks had also allegedly promised to contribute half of the estimated $100,000 it will cost for the legal defense of Bradley Manning. Recently, however, a WikiLeaks spokesman said it would only donate around $20,000.

As of the writing of this report, it had still not contributed the funds. The Wau Holland Foundation is awaiting advice from its lawyers on whether the donation would be legal under German law, a spokesman told the Journal.

  • 24/12/2010
  • adm

School caretaker harassed after Islamists hack EDL

A school received hatemail targeting its caretaker after he was wrongly identified as a fascist by opponents of the English Defence League, based on data stolen by an Islamist hacking group.

The headmaster of the comprehensive school in Dorset, which The Register has agreed not to name, summoned the caretaker to his office early last week.

He was shown anonymous emails which accused his wife of being a member of the English Defence League (EDL) and urging that he be sacked. The couple live together with their children inside the school grounds.

The emails cited data recently exposed by an attack on the EDL’s website. The hacker posted his haul – lists of hundreds of members and financial supporters of the far-right group – on several sites frequented by anti-fascist activists.

“At first I was very confused and more than a little worried as the tone of one of the emails was threatening,” the caretaker told The Register.

“I was sure I wasn’t married to a fascist or a football hooligan as the email implied.”

He investigated online and quickly found the hacked database, which indeed named his wife as an EDL donor and gave their family address at the school. He then trawled through their bank statements and found that he had inadvertently donated £1 to the group via a PayPal account in his wife’s name.

The caretaker then recalled reading an article several months ago about “poppy burning or about the disruption of a military funeral”. The page had a button labelled “support the troops”, and he donated one pound. It gave no indication the money was destined for the far-right EDL, he claimed, but the caretaker admitted he had been “stupid”.

“It would have been to show my support for our armed forces and the fallen, the same thing I do every year when I buy a poppy for one pound,” he said.

“I never for one moment thought my money was being sent of to a bunch of football hooligans.”

“The school and my employer have been supportive, once I explained, and have even offered to call in the police if they should be needed. However given the nature of my employment with children allegations like this could have cost me my job and my family their home.”

Instead, he has spent the past week and a half issuing appeals for anti-fascists to remove his family’s address from their posting of the hacked database.

“Some have been very understanding and have done just that or even simply removed my details. Where this hasn’t happened or there has been no contact available I have had the list removed,” he said.

“My own simple polite requests are mostly listened to. However its all been very time consuming, very disruptive and it’s been a huge worry for my wife and I’ve had no small worry for my family’s safety.”

A hacker calling himself “TriCk”, aka “Saywhat?”, has claimed responsibility for raiding the EDL’s server. In notes appended to the member and donor lists, he said he acted on behalf of TeaMp0isoN, known for defacing websites with anti-Israel and anti-India propaganda, and on behalf of “Mujahideen Hacking Unit”.

“Yes I know I have broken the Data Protection Act and the Computer Misuse Act, I’m a hacker it’s what we do, deal with it,” he wrote.

The EDL is understood to have reported the hack to police. ®