[HN Gopher] The FBI's internal guide for getting data from AT&T,...
___________________________________________________________________
The FBI's internal guide for getting data from AT&T, T-Mobile,
Verizon
Author : arkadiyt
Score : 790 points
Date : 2021-10-25 16:12 UTC (1 days ago)
(HTM) web link (www.vice.com)
(TXT) w3m dump (www.vice.com)
| NN88 wrote:
| Anyone get the sense we're in a post-Wikileaks era?
|
| These leaks seem... like they would get someone indicted...
| ab_testing wrote:
| Reading through these charts, it looks like MetroPCS is the most
| secure provider.
| lotsofpulp wrote:
| Metro is owned by T-Mobile, and operates using T-Mobile's
| network. Why would it be any more secure than T-Mobile?
|
| As far as I understand, there are 3 mobile networks in the US
| (Verizon, ATT, T-Mobile), and the MVNO's are just a mechanism
| to price discriminate. Different customers are sliced into
| various priorities and willingness/ability to pay, so the 3
| mobile networks can most accurately collect the most money
| according to each individual's ability and willingness to pay
| for a certain level of priority on the network.
| ramesh31 wrote:
| I love Metro, have used them for years. $60 for unlimited
| everything with 20GB tethered 4G hotspot data, and you get free
| Amazon Prime with your account. This chart has just solidified
| how great they are to me.
| einpoklum wrote:
| And as for the NSA internal guide for getting data from AT&T,
| T-Mobile and Verizon - that's a bit shorter:
|
| > _Do nothing, we already have this data loaded and indexed._
| fossuser wrote:
| In the US people are more pro-company and anti-government so
| retention policies tend to require the companies to retain the
| data for a period of time so warrants can request it if
| necessary.
|
| In the EU people are more pro-government and anti-company so the
| government is more likely to have access.
|
| The US process for access is sometimes tied to FISA.
|
| I'm not an expert on this stuff, but I think I'd generally prefer
| companies handling retention and government having to request
| access rather than the other way around. Assuming (probably a big
| assumption) that the companies do it securely and don't fuck it
| up.
|
| The chart does make me pretty happy with T-Mobile though, and
| their 5GUC speeds are wild!
| https://twitter.com/zachalberico/status/1449049818857459718?...
| 1970-01-01 wrote:
| Why are stingrays missing from the guide? Aren't they the most
| useful tool in the toolbox?
| gzer0 wrote:
| My claims are without evidence, but it certainly seems as if
| this document was created with the intentions/hope that it
| would be eventually leaked.
|
| The second slide seems rather suspicous in its placement of
| "CAST members are not qualified to testify after reading this";
| almost as if they were not speaking to an audience of CAST
| members, but rather, the public.
|
| Perhaps a decoy? to draw attention away from STINGRAY and other
| intricacies?
| Spooky23 wrote:
| It's pretty obvious the audience are consumers of the
| service. (ie other FBI agents)
|
| If you've ever had to testify as an expert, it's an art and a
| science. You need a lot of training to be able to respond to
| the traps attorneys will set for you.
| dragonwriter wrote:
| > The second slide seems rather suspicous in its placement of
| "CAST members are not qualified to testify after reading
| this"; almost as if they were not speaking to an audience of
| CAST members, but rather, the public.
|
| Sounds like they are doing advance witness tampering by
| trying to get CAST members to evade calls to testify on
| material facts known to them should they receive such, not
| lobbying the public via anticipated future leak.
|
| (I'm not even sure how the statement about testimony would be
| expected to manipulate the public.)
| gzer0 wrote:
| That is a valid consideration. Touche.
| fractal618 wrote:
| Clearly they are ubiquitous at this point, and I bet their data
| goes back to inception.
| jauer wrote:
| I'd consider stingrays one of the least useful tools since they
| require logistics: you need to have one installed somewhere or
| have logistics to deploy them quickly to an area.
|
| If you aren't careful, your target could become aware of their
| presence.
|
| If you are pulling data from the carrier, there's less
| logistics involved and your target shouldn't notice unless
| someone screws up.
| kjaftaedi wrote:
| This is an interesting point.
|
| My guess is that this looks like training material for low-
| level desk jockeys to help do all of the legwork gathering
| evidence that would be presented in court cases.
|
| Stingrays you would think would be more of a targeted operation
| and likely handled by a different group of people.
| imroot wrote:
| Also, wasn't US Cellular bought by Sprint in 2012?
|
| I did some work on their compliance team in 2010/2011 and the
| merger was one of the reasons why I left.
| selectodude wrote:
| USCC offloaded a bunch of spectrum and customers to Sprint
| awhile back but they're still independent.
|
| Funny enough, US Cellular divested their Chicago holdings
| back in 2012 to Sprint but never moved their HQ. None of
| their HQ employees have cell service through them.
| sathackr wrote:
| There exists a similar guide to this for obtaining subscriber
| information for an IP address.
|
| Including a table that listed which providers would hand over
| data without a subpoena and what the retention period was for
| each provider.
|
| One of the interesting things I remember seeing was that it was
| noted that T-Mobile had never been able to supply such
| information to LEO.
|
| I have seen it before but never had direct access to it.
| pkpioneer wrote:
| Should You Use Airbnb or Vrbo?
|
| https://pkpioneer.blogspot.com/2021/10/should-you-use-airbnb...
| sillycross wrote:
| > The slide also shows that AT&T retains "cloud storage
| internet/web browsing" data for 1 year.
|
| I never thought before that ISPs would really keep track of every
| user's browsing history, but apparently as cheap as the disks are
| today, this has become true. Can't think of any use of this data
| other than for mass surveillance.
| pedalpete wrote:
| I believe they can also sell the data, though there may be some
| regulations on anonymized, or sold as a group to develop
| profiles and understanding for advertising purposes.
|
| Perhaps that's what you mean by "mass surveillance", but I took
| that to mean specifically government surveillance.
| Threeve303 wrote:
| Well it is definitely more than "metadata"...
| breput wrote:
| I thought this was interesting and might involve some handset
| manufacturer involvement?
|
| Under the "Location Based Services" chart, US Cellular is listed
| "No. However, you can force a call without a ring to the target
| device to determine tower/sector"
| night862 wrote:
| There seem to be several methods employed for use in a location
| tracking campaign by various entities. Some entities might not
| be able to get the approval for the real-time data, and others
| might have much better relationships and tools. I have found
| this EFF article(linked, try section 3.4 for your question)[0]
| to be helpful in understanding the possibilities.
|
| It appears to be possible to do quite a bit of location
| tracking/location verification without any help at all from the
| telcos. The calls they are referring to seems to mean calling a
| phone and hanging up quickly. This causes the cell network to
| issue a high priority RRC paging request (someone is calling
| you!) which causes your handset to wake up and begin
| broadcasting to the cell network.
|
| This enables passive eavesdropping and coarse location
| detection via monitoring the RF lansdcape for TSMI/IMSI
| collection and correlation. It is then possible to narrow down
| a large area to the specific cell, ~2km area, from there you
| can use another beacon or maybe regular direction finding and
| trilateration to pinpoint a signal. This sounds like an
| operation which requires 3-5 operators, but I don't know about
| the procedures.
|
| Some cell network packets contain GPS location and other
| subscriber data, which could be intercepted and analyzed by
| this advanced threat.
|
| With the aid of a Cell Site Simulator/Stingray, it seems to be
| possible to use this method to sense the handset and then use
| the CSS to hijack a handset's tower association turning coarse
| location data into a normal MITM. There are many other location
| sensing techniques such as a GSM Tripwire device or packet
| analysis.
|
| Interesting stuff. The cell phones are rather evil.
|
| [0] - https://www.eff.org/ro/wp/gotta-catch-em-all-
| understanding-h...
| breput wrote:
| The no ring thing is very reminiscent of NGO's recently
| (discovered) no-click hacking efforts.
| night862 wrote:
| a bit, but the calls are simply meant to generate a high
| priority gsm packet (normal cell tower behavior) which will
| cause the handset to emit data in response to the cell
| network, allowing location fixing to move forward.
|
| It doesn't have to be a no-ring call, it can be anybody at
| all with a legit call, text message, etc. Its favorable for
| the operator to do so in a way that will not alert the
| user, hence the no-ring call stuff.
|
| In my experience some handsets will report fast hang-ups as
| a missed call, and others won't.
|
| You can probably enable airplane mode/rfkill to shut down
| this threat from the less spooky nerds who would use it. No
| GSM radio = no GSM packets.
| flowerwolf wrote:
| The "force a call without a ring" is just basic GSM. I don't
| know, but I'm guessing 3G, 4G or 5G support requesting the GPS
| position from the ME/handset.
| breput wrote:
| That might be true (I don't know), but US Cellular is a
| CDMA/4G/5G carrier so there is at least some non-GSM
| functionality in there.
| flowerwolf wrote:
| Yeah, by "basic GSM" I mean a common subset that is
| available regardless of 2G/3G/4G/5G, as in, you can still
| ping the mobile equipment to see which BTS it's connecting
| to. (And even if you don't get the TA with CDMA/OFDMA you
| still get signal strength and/or can force a downgrade if
| necessary, to get a rough location.)
| Forbo wrote:
| I'm not sure if you're shadow banned or what, but every
| comment of yours I have encountered has been marked dead.
| I vouched for this and another one I saw elsewhere in the
| thread.
| flowerwolf wrote:
| Made the account an hour ago, maybe that's why. Thanks
| for the heads up
| dang wrote:
| Sorry about that; software filters are tuned more
| aggressively for new accounts. We've marked your account
| legit so it won't happen again.
| breput wrote:
| Same
| efitz wrote:
| Essentially the government has built a surveillance state by
| outsourcing it to private enterprise.
|
| I think it would be interesting to know how people really feel
| about this. I would love to see a survey that actually truly
| explained the trade-offs and see how people felt about it, eg
| avoiding the " should government be able to subpoena records from
| private business" but actually ask questions like "is it OK with
| you that with a subpoena that the government can get a list every
| website that you have visited?" And then present the trade offs
| and abuse cases. I really think that we've allowed the
| surveillance state to form without actually having a meaningful
| public debate about it.
| DeathArrow wrote:
| >Essentially the government has built a surveillance state by
| outsourcing it to private enterprise.
|
| How long until the government finish outsourcing of all its
| attributions to private entities and corporations take
| ownership of governance? Then instead of voting, the citizens
| can manifest their interests through buying shares.
| bjarneh wrote:
| > the citizens can manifest their interests through buying
| shares.
|
| Isn't this sort of how it already works? Although only a few
| (very rich) citizens hold enough shares to actually have any
| clout.
| DeathArrow wrote:
| >I really think that we've allowed the surveillance state to
| form without actually having a meaningful public debate about
| it.
|
| Isn't it for the "Greater Good(tm)", as always? :D
| DeathArrow wrote:
| It might be unpleasant for the US citizens. But US is
| conducting mass surveillance against foreign nationals and that
| is not cool.
| sircastor wrote:
| This feels like classic Americanism. We're so obsessed with
| freedom from the government and ensuring capitalism marches on
| that we never bothered to think our government might just buy
| it's way into what it wants.
|
| We kept the concepts separated, and weren't paying attention.
| DeathArrow wrote:
| >We're so obsessed with freedom from the government and
| ensuring capitalism marches on
|
| Then why is capitalism being killed and replaced with
| corporatism? Why is everything industry consolidating having
| one or few very big players and no medium and small
| businesses?
| ozymandias12 wrote:
| The ones that did are rich nowadays, MURICA
| matheusmoreira wrote:
| It's optimistic to assume people feel anything at all. They'll
| just assume that the government won't actually target them with
| these powers. Just like violence seems like a distant reality
| until it happens to them.
| tempfs wrote:
| This is exactly how you get around those pesky laws that
| prevent you from doing it yourself as a governing body. You
| just let/encourage/look-the-other-way as private companies do
| it for you then you just buy access from them. All perfectly
| legal since those private companies are busy selling _your_
| private data to anyone and everyone else.
|
| The advent of smartphones, social media, search engines,
| pervasive online shopping are all absolute boons for
| surveillance entities.
|
| And the best part is that the users/public just gives all of
| this info up willingly and for free.
| resonious wrote:
| I think many users, even if they do know that their
| information is being sold around, don't care. They don't know
| how it may effect them negatively.
|
| Especially since it's been happening for awhile now and
| nothing outright bad has happened to most individuals. They
| just enjoy using Instagram. They see a targeted ad and are
| like "oo scary... they know me" and then continue on.
| ethbr0 wrote:
| > _The advent of smartphones, social media, search engines,
| pervasive online shopping are all absolute boons for
| surveillance entities_
|
| The only way to avoid this would have been to design the
| Internet as something Tor-like from the beginning, which
| would have been impractical from an efficiency standpoint.
| thoughtstheseus wrote:
| Yeah, today data is worth more than oil.
| tenebrisalietum wrote:
| I don't know why. How many different ways do companies
| have to look at me to understand I am broke?
| dotancohen wrote:
| It's not your money they are after. Some advertisers are
| interested in your money. Other advertisers are
| interested in influencing your opinion.
|
| If you are in the US: Should you support Israel?
|
| If you are in the UK: Should you vote to leave the EU?
|
| If you are in Germany: Should you support US troops in
| Asia?
|
| If you are in Australia: Should you support economic
| treaties with China?
|
| Advertising techniques can sway you - and large portions
| of the population - into supporting or not supporting
| many facets of policy. If the Arab states want to destroy
| the Jewish state today, they would not send troops. They
| would fund influence of opinion of the American and
| European population.
|
| Actually, they already do.
| yhoneycomb wrote:
| Not sure if it's any worse than the pre-internet days,
| with print media making everyone believe that there was
| only one single truth. Nowadays you hear a lot more
| diversity of opinion rather than just ISRAEL GOOD (ie,
| Israel maybe isn't the good guy here and their troops
| maybe shouldn't be shooting kids in the street and
| sexually harassing Palestinian women).
| ethbr0 wrote:
| You do hear more diversity of opinion, however, the
| average quality has certainly lowered.
|
| Unfortunately, the average person's intelligence has
| remained constant.
| [deleted]
| lootsauce wrote:
| Government Alphabet agencies (see what I did there) don't just
| outsource, they run shell companies and real companies. They
| also invest in startups. Along with the revolving doors of
| regulation and regulated industries, nepotism, insider dealing
| one wonders if the labels such as Government and Corporate are
| just a distraction? The extent of this is probably unknowable
| but sometimes I wonder how much we all know for certain,
| because it is so obvious, is not actually so.
| Cipater wrote:
| Meanwhile in China they're straight up mandating that companies
| transfer all data to state-owned storage platforms.
|
| >A ministry supervising state companies, the State-owned Assets
| Supervision and Administration Commission, is mapping plans to
| set up more government-controlled providers of cloud services
| for data storage, people familiar with the agency's workings
| say. Such services have been dominated by private companies,
| including Alibaba and Tencent.
|
| >The city of Tianjin has ordered companies it supervises to
| migrate data from private-sector cloud platforms to state-owned
| ones within two months of the expiration of existing contracts,
| and by September 2022 at the latest, according to an official
| notice dated Aug. 12. More localities are expected to follow
| suit, the people say.
|
| >Government-controlled entities are acquiring stakes and
| filling board seats in more companies to make sure they fall in
| line with the state's goals. ByteDance Ltd., owner of the
| video-sharing app TikTok, and Weibo Corp. , which runs Twitter-
| like microblogging platforms, recently have sold stakes to
| state-backed companies.
|
| https://www.wsj.com/articles/xi-jinping-aims-to-rein-in-chin...
| NoImmatureAdHom wrote:
| I have hope that we here in the U.S. will be able to get out in
| front of this one. Despite all the complaining the justice
| system still mostly works and we have a libertarian streak a
| mile wide. Perhaps the thing to do is show those in power that
| they haven't escaped the dragnet...
| novaRom wrote:
| All politicians, high rank officials, and tech leaders are
| basically owned by foreign intelligence. This data can be
| analised carefully to build profiles and strategies to
| influence.
| a0zU wrote:
| Source on that first claim?
| Goety wrote:
| Every 'interest' has this data. It comes down to money
| and time.
| mschuster91 wrote:
| The US had a wiretap on Merkel. Do you think Russia,
| China, Germany, Israel, Iran and North Korea don't have
| the same on every other major political figure?
|
| Let's face the truth: _none_ of us is safe. _Everything_
| we do, even if we are just oedinary 9-5 office workers
| and not politicians or activists, is ending up recorded
| somewhere.
|
| The only way out would be a nation-state effort of open
| source: everything from the VHDL of the chips over
| firmware to the OS, and _enough_ money to fund audits of
| all components. At least, users could then somewhat trust
| at least their clients, and treat the network as a dumb
| leaky network of pipes.
| boomboomsubban wrote:
| >. Do you think Russia, China, Germany, Israel, Iran and
| North Korea don't have the same on every other major
| political figure?
|
| Do you think US intelligence don't also have the same?
| We've already seen a sitting US president hire
| intelligence agents to bug his enemies and political
| rivals, it's not like there's any reason to suspect that
| was a one time occurrence.
| SquishyPanda23 wrote:
| > We've already seen a sitting US president hire
| intelligence agents to bug his enemies and political
| rivals,
|
| Do you have a source for this claim?
| boomboomsubban wrote:
| https://en.wikipedia.org/wiki/Watergate_scandal
| SquishyPanda23 wrote:
| Ha sorry, I just realized you must have meant Watergate.
| I misread your original comment as saying it was about
| the current sitting president.
| pessimizer wrote:
| Leaders under more authoritarian governments don't have
| to answer to rando voters. They only have to answer to
| their country's elites, who support what they're doing.
| boomboomsubban wrote:
| The intelligence agencies don't answer to voters either,
| they only answer to the countries elite who they've been
| shown to spy on.
| curiousllama wrote:
| I love HN-3-comments-down. Where else do people just
| casually claim the global economic and political elite is
| controlled by a small cabal of foreign intelligence
| services? And other people jump in to defend! It's
| awesome
| sixdimensional wrote:
| "Essentially the government has built a surveillance state by
| outsourcing it to private enterprise."
|
| There's a rather innocuous sounding name for this - "public
| private partnership" [1]. If you've ever experienced this
| scenario first hand, you'd truly be surprised how much
| government is run in partnership with private enterprise.
|
| [1]
| https://en.wikipedia.org/wiki/Public%E2%80%93private_partner...
| gary_0 wrote:
| > Essentially the government has built a surveillance state by
| outsourcing it to private enterprise.
|
| This has been going on for a long time. A decade ago, Microsoft
| purchased Skype and converted it from secure peer-to-peer[0][1]
| to sending all user data unencrypted through their servers
| while giving the government access to everything. "The 2013
| mass surveillance disclosures revealed that Microsoft had
| granted intelligence agencies unfettered access to supernodes
| and Skype communication content."[2]
|
| [0] https://arxiv.org/abs/cs/0412017 (2004)
|
| [1] https://www.reuters.com/article/us-security-internet-
| germany... (2007)
|
| [2]
| https://en.wikipedia.org/w/index.php?title=Skype&oldid=10314...
| (2021)
| hulitu wrote:
| Also skype harvested users computers. I noticed that when
| skype was running the harddrive will be constantly accessed,
| on an otherwise idle computer. Checking with process explorer
| showed that skype has a lot of disk reads (hundreds of MB).
| This was the reason why it got uninstalled. But people are
| happy with microsoft products. - "They need telemetry to
| improve the product". - "But there is no improvement. The
| product is even worse". - "Maybe it's your experience, i
| already feel better using the new product". or - "I have
| nothing to hide. They are my friends". What happens when the
| regime is changed ? ( see Afganistan).
| raxxorrax wrote:
| I believe Skype is dead by now for average users. Some
| still use it in business environments, but they sure did a
| good job in getting rid of it. Without much success though,
| since people just use other products.
| ozymandias12 wrote:
| But have they stopped terror and corruption? Does the benefit
| outweigh the costs?
| hulitu wrote:
| The scope of surveillace is not to stop terror or, god
| forbids, corruption. The scope is the suppresion of
| opposition.
| hef19898 wrote:
| That seems to be something literally _all_ governments,
| from Belarus over Turkey to China, the US and Europe can
| agree upon. Surveillance of ones citizens is _good_ ,
| consequences of this surveillance vary by country so.
| AnthonyMouse wrote:
| There are so few actual terror attacks that the FBI has
| resorted to goading innocent buffoons into making
| incriminating statements so they can claim to have foiled
| something.
|
| There was never a real problem for law enforcement to
| solve. All we ever needed were reinforced cockpit doors.
| pempem wrote:
| but the rest of the cost has created jobs! it's the great
| jobs program of our lifetimes.
|
| /s
| clove wrote:
| This, but without the /s.
| jjeaff wrote:
| https://en.m.wikipedia.org/wiki/Parable_of_the_broken_win
| dow
| hef19898 wrote:
| I think it made some people incredibly rich, jobs are an
| unplanned side effect.
| TaylorAlexander wrote:
| I remember in the 2016 election Hillary Clinton's VP mentioned
| in a debate that their administration would make it easier for
| tech companies to share data with the government for
| "cybersecurity" and its obvious that what they wanted to do was
| legalize transfer of surveillance materials from corporations
| to government. And it's so frustrating because nobody seemed to
| notice that line and it feels like the public hears that and
| thinks "cybersecurity good" and doesn't think about it at all.
| Like if the democrats had come out and said "we're going to
| expand government surveillance by paying Microsoft and others
| for your data" it would have been extremely unpopular. But by
| using obtuse language they can actually claim a win while
| saying basically the same thing.
| jjeaff wrote:
| I don't think there is any big conspiracy there because it is
| already legal (and always has been) for companies to give
| surveillance data to the government.
|
| The government can't take it by force without a warrant. But
| the company is free to give it to them if they ask nicely or
| otherwise.
| TaylorAlexander wrote:
| The point is that they proposed expanding these
| relationships and they billed it as "security". But anyone
| who really understands security knows that collecting more
| data and sending it to one big third party is the opposite
| of security. They wanted to expand surveillance while
| telling us they were protecting us.
| DaftDank wrote:
| "They wanted to expand surveillance while telling us they
| were protecting us."
|
| The issue is that they (i.e. government) have always done
| this. I'm only 35, but I remember this being very clear
| immediately after 9/11. You just say the boogeyman is
| terrorism, and that is used to justify end-runs around
| the constitution via the "PATRIOT" Act, etc. etc. Before
| terrorism, the excuse was communism. Maybe I'm just
| cynical now or read too much "1984" as a teenager, but I
| feel like there will always be a new boogeyman that they
| use to justify more authority, more powers, and all the
| while saying it's for our own good and to 'protect' us.
| TaylorAlexander wrote:
| Yes they have always been doing this and it is bad. I
| thought this one example of bad behavior was worth
| mentioning in this thread.
| mmazing wrote:
| Do you think that only one US political party supports this
| crap?
|
| What about the patriot act?
|
| There are tons of other examples about how this isn't a
| partisan issue, and getting people to think of it as partisan
| only helps their goal in getting it through.
| TaylorAlexander wrote:
| No, I do not think one political party supports this. Just
| because I mention something Democrats did that I don't like
| doesn't mean I'm a Republican. I mentioned it because I
| grew up a Democrat and when I realized it was all a sham
| and all the politicians are lying I got mad at all the
| democrat constituents who don't notice this stuff. I'm a
| libertarian leftist now.
| csee wrote:
| The "outsourcing" metaphor is mostly true but misses something
| important which is compulsion. Outsourcing implies a voluntary
| relationship, whereas a court order combined with an implicit
| threat of trouble if they don't follow, isn't.
| SquishyPanda23 wrote:
| > Essentially the government has built a surveillance state by
| outsourcing it to private enterprise.
|
| Well, yes, that's essentially the whole point of silicon
| valley. The government and military fund the creation of
| startups that have tactical value. Those businesses become
| self-funding and improve the US economy, which also has
| military value since a robust economy is harder to attack. This
| has been explored in a few places, e.g. [0], [1].
|
| But it's not like any of this was secret. The off-loading of
| government operations to private industry, combined with the
| lobbying for reduced regulations on private industry
| effectively gives the government carte blanche with the added
| bonus of plausible deniability.
|
| Whether or not these trends are good has been debated for half
| a century in the US.
|
| [0] https://qz.com/1145669/googles-true-origin-partly-lies-in-
| ci...
|
| [1] https://www.youtube.com/watch?v=ZTC_RxWN_xo
| xmprt wrote:
| This may be a controversial opinion, but I think some level of
| surveillance can be good for people. If you are convicted for a
| crime, you should be able to use records to prove your
| innocence (eg. cell tower logs to show that you were nowhere
| near the murder and had an alibi). We already have this where
| traffic cameras can show who was responsible for car crashes.
|
| However, a lot of current surveillance is more about snooping.
| That's where it crosses the line for me. I guess it comes down
| to ownership. I should own the text messages and call logs
| because I have access to them. AT&T can own the cell tower logs
| because they own the cell towers.
| gzer0 wrote:
| It is particulary controversial for a reason.
|
| https://apnews.com/article/artificial-intelligence-
| algorithm...
|
| > Employees can and do modify the location or number of shots
| fired at the request of police, according to court records.
| raxxorrax wrote:
| It is certainly controversial, but also not very
| perspicacious. Towards whom do you need to prove your
| innocence? Against a encroaching state that convicts without
| evidence? Well, governments are guilty of that, sure. But
| then that is a problem in dire need of fixing, not tools that
| maybe provide you an alibi when stars align correctly. An
| alibi you shouldn't need in the first place.
| ren_engineer wrote:
| at least China is transparent in what they are, US does the
| same shit but uses loopholes. Before anybody says it isn't bad
| yet or comparing it to China is unfair, think about the fact
| that all this infrastructure is already in place, all it takes
| is 1 bad person to start fully abusing it. People in China are
| at least aware they should be careful, the average American has
| no clue they are effectively being tracked at all times
|
| Sword of Damocles is hanging over our heads
| refurb wrote:
| The US system isn't better because we don't have government
| officials who want to spy on us. The US system is set up
| _assuming that 's what all governments do eventually_.
|
| The US system is superior to China because we have checks and
| balances that actually: 1) uncover this stuff, 2) share it
| with the public, 3) have a system to provide feedback, 4)
| courts to uphold rights.
|
| The US system isn't perfect and it isn't always fast, but the
| point is there is a system of checks and balances that
| hopefully bring it back to what the people intend it to be.
| matheusmoreira wrote:
| > The US system is set up _assuming that 's what all
| governments do eventually_.
|
| What good is it when the fundamental principes arising from
| those assumptions are constantly being eroded? It appears
| some american states restrict even the bearing of arms now.
| If the founders of the USA were to resurrect today, I
| wonder what they would think about the nation they created.
| DeathArrow wrote:
| >The US system is superior to China because we have checks
| and balances that actually: 1) uncover this stuff, 2) share
| it with the public, 3) have a system to provide feedback,
| 4) courts to uphold rights.
|
| 1) surveillance of citizens in China it is public, no need
| to uncover anything 2) in China their government already
| shared it with the citizens since it's official policy 3)
| since when the feedback started to matter? 4) that it's
| very naive to assume that the laws and the courts will
| always be free of abuse and will always protect the
| freedoms of the citizens, protect their interests and
| protect the innocent, we are far from living in a perfect
| world: the only way to make someone can't abuse his power
| is to not give him that power. And they have courts in
| China too, if that matters.
| refurb wrote:
| That's my point. The US (and other countries) systems are
| superior because _at least there is some mechanism to put
| a stop to it_. In China there isn 't - as you said it's
| official policy.
|
| _" we are far from living in a perfect world"_ well yes.
| And we never will live in a perfect world where privacy
| is _never_ violated. There will always be people willing
| to break the rules to benefit themselves.
|
| And since when has feedback mattered? It matters all the
| time? I mean the Democrats won an election and are now
| proposing a massive spending bill taking the country in a
| very different direction, just as one example.
| throwaway210222 wrote:
| Pray tell, how _exactly_ do your checks and balances
| protect you from a government:
|
| - with secret FISA courts whose cases and rulings are
| unknown
|
| - that will imprison recipients from even saying they got a
| security letter
|
| - threaten to imprison the very people who exposed the NSA
| spying on you.
|
| - etc. etc.
|
| Come now, some perspective and humility.
| TaylorAlexander wrote:
| Noam Chomsky talks about this in Manufacturing Consent. Under
| authoritarian regimes they can tell you about the bad stuff
| they're doing because you have no choice. In an apparent
| democracy they have to trick the public in to going along
| with the bad stuff by hiding what is really happening.
| datavirtue wrote:
| I like how ATT skirted around the question and lied. Well, not
| answering the question is...nevermind, they lied.
| m0zg wrote:
| Now _this_ is a federal agency badly in need of "abolishing", not
| the inner city police.
| [deleted]
| unixhero wrote:
| It is more interesting what their procedures are for getting data
| on citizens or any user for that matter, from FAANG.
|
| And bonus question for what they do when they need to pull put
| bank statements.
| jenny91 wrote:
| > CASTViz has the ability to quickly plot call detail records and
| tower data for lead generation and investigative purposes
|
| What's the arrest funnel? Do they use Salesforce to store all
| their leads as well?
| paxys wrote:
| That seems more in Palantir's wheelhouse
| zw123456 wrote:
| So if I know someone's Google password, I could go search on all
| those keywords and basically SWAT them right ?
| forgingahead wrote:
| With all this information collected and available, and with
| pretty basic technology tools (keyword alerts, fast searching,
| location data to pinpoint pretty accurate positioning) - how come
| there is still crime and other "bad things" that happen?
|
| I'm not talking about heat-of-the-moment things, but literally
| anything requiring any sort of planning or organisation
| (kidnapping, gangsterism, etc) should be solvable with this. So
| why isn't it?
|
| *Note, I don't want an uber-surveillance state - my point is that
| we already have one, and any feeble excuses from law enforcement
| about solving 10s of thousands of crimes with "ooops we can't
| figure it out" seems utterly hollow and untrue.
| A4ET8a8uTh0 wrote:
| The oddly fascinating piece of trivia from all this is the
| following: voicemail has more protection ( requires an actual
| warrant ) than your internet searches.
| willhinsa wrote:
| And much more protection against being banned from using it!
| DeathArrow wrote:
| Having lived a part of my childhood in a poor communist country
| from Eastern Europe and a part of my younghood in a poor country
| from Eastern Europe I had some moments when I asked myself if it
| wouldn't be better for me to move to US. I quit asking myself
| this some time ago.
| flotzam wrote:
| Sprint is extra chatty - from page 57 of
| https://propertyofthepeople.org/document-detail/?doc-id=2108...:
|
| > Ping: The network sends a message to the phones internal GPS
| receiver to report it's location (must see min. of 4 satellites.
| GPS coordinates of device and suspected radius from tower
| e-mailed(or through L-Site website) every 15 minutes for 30 days.
| Can be done manually every 5 minutes.
|
| I wonder if this is facilitated by one of those infamous "carrier
| app" backdoors included in stock OS but not e.g. in GrapheneOS:
|
| https://grapheneos.org/faq#cellular-tracking
|
| https://gist.github.com/thestinger/171b5ffdc54a50ee44497028a...
|
| https://github.com/dan-v/rattlesnakeos-stack/issues/69#issue...
| maxo133 wrote:
| this is most interesting piece of entire presentation.
|
| They can query location remotely using GPS and likely turn on
| microphone too.
| bhhaskin wrote:
| Could also be an app that runs on the sim. That would make the
| most sense.
| flotzam wrote:
| Do SIM apps really have direct access to the GPS?
| ranger_danger wrote:
| the baseband radio does, so, yes. also the camera and mic
| in many cases.
| gruez wrote:
| that works even if location is turned off in the OS itself?
| ranger_danger wrote:
| You don't even need a traditional app backdoor to do this. The
| carrier can just send the message to the baseband radio itself,
| which has a direct connection to your GPS receiver, among other
| things (usually) like the camera and microphone. That means
| these peripherals are accessible (in theory, Snowden says it
| has been done in the past) even if the main app OS is _shut
| down_.
| flotzam wrote:
| I'm not sure this is still true (on modern devices):
| https://grapheneos.org/faq#baseband-isolation
|
| There's Enhanced 9-1-1 but its GPS access should be mediated
| by the OS? Hopefully?
| numpad0 wrote:
| GPS in 3G or later is integral to Baseband Processor which
| is a separate ARM CPU that runs its own RTOS. If your
| adversary gets to push BP patch over SMS you're probably
| owned no matter what OS you run on Application Processor.
| chriscappuccio wrote:
| Graphene suggests that it uses iommu and similar hardware
| on supported devices to mitigate (some) attacks like
| this.
| ozymandias12 wrote:
| What's the story Apple/Samsung etc tell for GPS to be
| this leaky? Shouldn't the GPS be solely handled by the
| OS?
| numpad0 wrote:
| There's only so much you could without making your own
| modem... Current cellular modems are autonomous and
| integrated. It's architectural.
| Scoundreller wrote:
| So, I'm currently in North America but with a foreign SIM, so I
| have that country's IP, most ads are in a language I can't
| understand, and McDonalds app won't let me login unless I switch
| to wifi with a local IP.
|
| This is all great, but does this mean that the local provider has
| no access to my traffic? I guess DNS is all resolved overseas
| too? How does the tunnelling work?
| flowerwolf wrote:
| The network you're on has theoretical full access to
| everything. If the network is hostile you're screwed, because
| even with the improved protection in 4G/5G they can still
| easily force a downgrade attack.
| kccqzy wrote:
| That tunneling is created generally for billing and metering
| purposes (for telco's benefit). A lot of cooperation between
| carriers happen in order to create that tunnel. Don't assume
| it's an encrypted tunnel.
| jauer wrote:
| The tunnels between carriers could be encrypted. They don't
| _have_ to be. The LTE S1 link (eNodeB <-> packet core) may not
| be.
|
| Like, if your eNB is a picocell or feeding a DAS, it probably
| is doing backhaul over IPSec over internet or dedicated
| circuit, but if it's normal carrier network, likely not.
|
| ref Page 37 of
| https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S...
| nickff wrote:
| This really depends on what you mean by "my traffic"; keeping
| in mind that your local provider is the ultimate man-in-the-
| middle.
| Scoundreller wrote:
| I guess that's a part of the question: is my phone encrypting
| (with whatever gsm standard) to the overseas provider and the
| local provider can't really see anything, or does it go to
| the local provider in the clear and they tunnel it over to
| the overseas provider?
| nickff wrote:
| My understanding is that the A5/1 (GSM) encryption is
| applied to the communication between the device and the
| local service provider. The local service provider then
| decrypts and routes the packets.
| xxpor wrote:
| Where local service provider is just the tower.
|
| https://www.firstnet.com/power-of-firstnet/firstnet-
| advantag...
|
| >FirstNet is designed with a defense-in-depth security
| strategy that goes well beyond standard commercial
| network security measures, providing protection without
| sacrificing usability. And now, we've gone farther than
| anyone in the industry to secure public safety
| communications. FirstNet will be the first-ever network
| with comprehensive, tower-to-core encryption based on
| open industry standards.
|
| Which implies every other network doesn't encrypt that
| traffic (or does it with some proprietary scheme... which
| wouldn't give me a lot of confidence)
| numpad0 wrote:
| Telcos rarely do end-to-ends, usually they handle
| signaling out of band, strip headers, decipher payload
| and re-cipher with new session information each time your
| data switches medium. In-band signaling with E2E and
| recursive encapsulations like TLS over TCP over IP are
| very Internet/IP pattern.
| [deleted]
| gzer0 wrote:
| _Sprint cannot currently translate IPV4 addresses (ex.
| 152.138.17.240) to an actual phone number
|
| Sprint may be able to translate IPV6 addresses (ex.
| 001:0db8:0000:0042:0000:8a2e:0370:7334) to a phone number._
|
| Interesting, anyone know which aspect of the IPV6 protocol allows
| for this?
| itsthecourier wrote:
| there are so many possible ipv6 public ips that absence of
| overlapping on assignation is doable and thus individual client
| determination
| bibaheu wrote:
| Probably IPv4 is on CGNAT and Sprint doesn't keep the logs of
| the translation. On IPv6 there's no NAT, and there might be a
| deterministic relationship between subscription and IP
| glogla wrote:
| That, or they don't give devices IPv4 addresses at all and
| run 464XLAT - according to Wikipedia, quite a few telcos do
| it that way.
| keneda7 wrote:
| I believe you are correct.
|
| https://news.ycombinator.com/item?id=16440850
| p1mrx wrote:
| 464XLAT is a form of CGNAT.
|
| The main difference is whether the subscriber side uses an
| IPv6 or private IPv4 address, but on the internet side they
| are equivalent.
| 1cvmask wrote:
| Joseph Nacchio, the CEO of Qwest, was jailed for not complying
| with the illegal requests of the surveillance state:
|
| https://www.businessinsider.com/the-story-of-joseph-nacchio-...
|
| https://www.denverpost.com/2014/03/27/former-qwest-ceo-nacch...
|
| https://en.wikipedia.org/wiki/Joseph_Nacchio
|
| And let's not forget the number of people put the jail without
| the government disclosing the use of stingrays to the defense
| attorneys:
|
| https://en.wikipedia.org/wiki/Stingray_use_in_United_States_...
|
| https://theintercept.com/2020/07/31/protests-surveillance-st...
| LogonType10 wrote:
| >jailed for not complying with the illegal requests of the
| surveillance state
|
| From the wiki page:
|
| >On March 15, 2005, Nacchio and six other former Qwest
| executives were sued by the U.S. Securities and Exchange
| Commission. They were accused of a $3 billion financial fraud
| between 1999 and 2002 and of benefiting from an inflated stock
| price.
| gowld wrote:
| > In its case, the government stated that Nacchio continued
| to tell Wall Street that Qwest would be able to achieve
| aggressive revenue targets long after he knew that they could
| not be achieved.
|
| Interesting that Nacchio was prosecuted for this but almost
| no one else is.
| spywaregorilla wrote:
| The very same article states that he was found to have
| produced false accounting records and talked up the
| company's outlook despite knowing it was losing business
| and selling his own shares. He got caught on the insider
| trading.
|
| There's nothing noteworthy here.
| vlovich123 wrote:
| As I understand it, the explanation of the "false
| accounting records" and "losing business" had to do with
| expected government contracts vanishing because of
| refusing to cooperate about the NSA surveillance.
| spywaregorilla wrote:
| Losing a contract with the NSA because they didn't play
| with the NSA certainly sounds like a real thing. Telling
| the markets that they would continue to see national
| security contracts when he knew they would not is
| another. Presenting false accounting records is entirely
| unrelated and just banal fraud. Selling your own shares
| while doing these things is even worse.
| [deleted]
| r00fus wrote:
| This really closes the loop. If the Feds cancelled
| contracts because of Nacchio's refusal to do business and
| then indicted him on fraud because he probably could not
| tell others that those contracts were cancelled (as with
| other similar wiretap/NSL requests)...
|
| That seems like a colossal Catch-22.
| spywaregorilla wrote:
| That's ridiculous. There's no NDA in the world that
| prevents you from disclosing the true financials of your
| company. You don't need to specify who you're serving.
| His charge of insider trading is because he blatantly
| lied about the company doing well to inflate the price
| while selling his shares knowing it was not.
| r00fus wrote:
| That's exactly the kind of wording that NSLs require.
| It's why the idea of a "warrant canary" [1] came into
| existence.
|
| As to the selling of shares - prima facie, that's likely
| criminal (insider selling) but I don't know the details
| of his case.
|
| [1] https://en.wikipedia.org/wiki/Warrant_canary
| spywaregorilla wrote:
| No, it absolutely is not. Not even close. Love for clever
| little hacker things does not carry any weight here. How
| could you possibly believe that it would have been
| illegal for this company to correctly state the amount of
| revenue it received?
|
| You do not need to acknowledge that you received an NSL
| in order to acknowledge you are no longer providing
| services to the NSA. You do not need to reference the NSA
| or NSL at all in order to correctly state revenue,
| because you are not required to show all of the entities
| with which you're doing business.
|
| It is fully possible to pretend you simply lost the NSA
| contract for non-NSL related reasons. His fraud is his
| own doing
| whoknew1122 wrote:
| So if I'm piecing this together correctly, he decided he
| wasn't going to help out NSA. This led to him losing
| government contracts, which would lower the value of his
| company. So instead of taking the stock price hit (which
| would be the principled thing to do), he created false
| accounting records to defraud investors. And while he was
| publicly preaching that the Qwest was just fine, he was
| unloading his own stock.
|
| And this is the guy I'm supposed to be sympathetic of?
| londons_explore wrote:
| It was well known why Google got rid of their "don't be
| evil" tagline... except now nowhere on the internet seems
| to have a record of the exact reason either...
|
| These kinds of stories get 'forgotten' very quickly.
| spywaregorilla wrote:
| what on earth is this trying to imply? That google
| bleached the internet? Google got rid of the don't be
| evil tagline because it didn't fit with their corporate
| mission anymore, which was objectively more boring and
| more profit driven.
| ranger_danger wrote:
| they're probably implying it was a sort of warrant canary
| or that they did not comply with overreaching government
| wiretap requests (the assumption being that now they do).
| spywaregorilla wrote:
| I find that to be a pretty charming belief. It's probably
| correlated timeline wise with when such things did change
| on that, but I highly doubt it was the reason for the
| mission statement change.
| ikiris wrote:
| It was well known in telecom at the time this was due to
| the nsa situation. Don't always take things at face
| value.
| dapids wrote:
| > Don't always take things at face value.
|
| You are literally presenting an opinion at face value ...
| ikiris wrote:
| Something is not an opinion just because you don't
| believe it.
| spywaregorilla wrote:
| He could easily have just acknowledged what happened and
| not sold all of his stocks to avoid insider trading while
| the nsa situation still happened. It's nice that he
| refused the nsa. Doesn't absolve him of other fraud.
| the-dude wrote:
| Wasn't there a gag order involved?
| spywaregorilla wrote:
| That does not prohibit you from being honest in your
| public statements about the financial health of the
| company, nor does it prevent you from following the same
| insider trading rules as everybody else.
| swarnie wrote:
| Who signs your cheques, out of interest?
| [deleted]
| qwertyuiop_ wrote:
| "Donald Trump is really dumb to take on the intelligence
| agencies. Let me tell you, you take on the intelligence
| community, they have six ways from Sunday at getting back at
| you," Schumer told MSNBC
| snuser wrote:
| he was right i wouldn't want to mess with the people behind
| covid and 9/11 either
| pregnant2times wrote:
| Us southern boys will take em out
| JasonFruit wrote:
| Imagine the founders' reaction if they heard a prominent
| senator saying that, not with regret, but exultantly, as
| though he relished the idea. I can't bring myself to accept
| that this was what they intended to launch into the world.
| ceejayoz wrote:
| Washington sent an army to squash the Whiskey Rebellion,
| and John Adams signed the Alien and Sedition Acts into law.
| They were quite happy to go after threats to their power.
| JasonFruit wrote:
| Dead on, and those are a couple excellent illustrations
| of why, no matter how good a chief executive had been
| before taking office, you have to watch them
| relentlessly.
| krrrh wrote:
| It depends a lot on how you define "their". In both those
| cases you could also argue that the president was still
| establishing the supremacy of a democratically elected
| republican government as the process for achieving change
| rather than perpetual revolution. It's different then
| having elected officials undermined by permanent
| bureaucracies.
|
| I'm not defending the sedition act, but it's quite
| important that it was implemented during a quasi-war and
| was still barely passed. There's also a reason that two
| hundred years later it's constantly held up as a paragon
| of bad law and there's no way it would pass judicial
| review at any point since then (it didn't at the time
| either, because it expired 2 years after it was passed
| and before judicial review was established).
| acomar wrote:
| not to mention that we're speaking of colonists who
| intentionally set out to genocide the native population
| on a regular basis. and most were slavers, putting the
| lie to any talk of freedom. in the end, little mattered
| to them in that revolution than removing English fetters
| on themselves. that people identify with a group that
| would almost certainly would have denied them the right
| to legal personhood and look to them as guarantors of
| freedom only speaks to their historical illiteracy.
| enave2 wrote:
| I remember often hearing pundits claim that "17
| intelligence agencies had confirmed Russian meddling in the
| 2016 election"
|
| Now, it turned out that "meddling" amounted to buying
| facebook ads. Not really a huge deal.
|
| But more importantly, since you brought up the founders -
| what would they say about the fact that we apparently have
| at least 17 federal agencies dedicated to spying.
| keneda7 wrote:
| I have a feeling they would want to burn all 17 to the
| ground.
| ceejayoz wrote:
| Maybe not.
|
| https://www.mountvernon.org/george-washington/the-
| revolution...
|
| > Among other honorifics, George Washington--known as
| Agent 711 in the Culper Spy Ring--is often heralded as a
| great "spymaster," and indeed, he was. Under Washington's
| astute watch, several networks of spies operated in both
| close-knit circles and far-reaching societies.
|
| > Washington recognized the need for an organized
| approach to espionage.
|
| https://en.wikipedia.org/wiki/Intelligence_in_the_America
| n_R...
|
| > The original Committee members--America's first foreign
| intelligence agency--were Benjamin Franklin, Benjamin
| Harrison, Thomas Johnson and subsequently included James
| Lovell, who became the Congress' expert on codes and
| ciphers and has been called the father of American
| cryptanalysis.
|
| > On June 5, 1776, the Congress appointed John Adams,
| Thomas Jefferson, Edward Rutledge, James Wilson, and
| Robert Livingston "to consider what is proper to be done
| with persons giving intelligence to the enemy or
| supplying them with provisions." They were charged with
| revising the Articles of War in regard to espionage
| directed against the American forces. The problem was an
| urgent one: Dr. Benjamin Church, chief physician of the
| Continental Army, had already been seized and imprisoned
| as a British agent, but there was no civilian espionage
| act, and George Washington thought the existing military
| law did not provide punishment severe enough to afford a
| deterrent.
|
| That's three right from the start.
| ozymandias12 wrote:
| Please do share some more 3
| Spooky23 wrote:
| The context is really key when you consider the information
| that the prominent senator is aware of about the subject
| that you as a random member of the public may not.
|
| If you look at the fate of people like Aaron Burr, I think
| it's quite clear that the founders were not supermen, but
| humans who dealt with similar problems that we do today.
| Likewise, the post-revolution treatment of tories wasn't
| exactly magnanimous either.
| 5faulker wrote:
| US's running some sick show behind the scene...
| beckman466 wrote:
| _" The slide also shows that AT&T retains "cloud storage
| internet/web browsing" data for 1 year. When asked what this
| detail entails exactly, such as websites visited by customers on
| the AT&T network, AT&T spokesperson Margaret Boles said in an
| email that "Like all companies, we are required by law to comply
| with mandatory legal demands, such as warrants based on probable
| cause. Our responses comply with the law." The document also
| mentions that law enforcement can request records related to
| wearable devices from AT&T."_
|
| do you know what this "cloud storage internet/web browsing" data
| looks like?
| badkitty99 wrote:
| beta version of social scoring system?
| aendruk wrote:
| Did they misread the table? I see two distinct rows:
|
| - Cloud Storage
|
| - Internet/Web Browsing
|
| In the big picture it's probably fine to conflate them but the
| technical aspects of each are going to be very different.
| gruez wrote:
| probably dns/sni logs? with most sites using https that's all
| they're really going to get.
| beermonster wrote:
| I wonder what % of https requests are using esni these days..
| JumpCrisscross wrote:
| And with VPNs like Apple Private Relay being broadly pushed,
| likely less than that.
| dkdk8283 wrote:
| Never assume- carriers can mandate data collection or
| sharing.
| Scoundreller wrote:
| Is there any way to change dns servers on lte/3G? Odd that
| iPhones let you change it for wifi, but not cellular. Can I
| even find out it's using?
|
| What about android?
| ornornor wrote:
| Nextdns works on both cellular and wifi. They have a
| profile you can download so it's definitely possible but
| maybe not through the GUI.
| isaack wrote:
| iOS supports DoH/DoT natively via work profile. Create one
| yourself here: https://dns.notjakob.com
| ls612 wrote:
| Cloudflare's 1.1.1.1 app works with both Wifi and cellular
| by configuring itself as a VPN. I've been happy with it for
| a few years now.
| javajosh wrote:
| Do you assume that the FBI does not have a similar
| document for Cloudflare (or any VPN or DoH provider)? I
| think it's probably healthy to assume that your accessed
| host history is semi-public regardless of how well you
| try to protect it. Note that even with esni your ISP or
| your VPN's ISP will still know the IP addresses you're
| getting to, and in most ordinary cases can do a reverse
| lookup.
| ls612 wrote:
| CF doesn't retain much if any data from 1.1.1.1 so at a
| minimum you are protected from retrospective
| surveillance. I agree it's impossible to be perfect but
| let that not be the enemy of good.
| gruez wrote:
| >Is there any way to change dns servers on lte/3G?
|
| probably doesn't matter because regular dns is performed in
| the clear. There's nothing preventing them from
| logging/intercepting your requests even if you changed
| them.
|
| >Odd that iPhones let you change it for wifi, but not
| cellular.
|
| >What about android?
|
| AFAIK on both changing DNS can be done by using an app that
| acts like a VPN, and intercepts the DNS requests.
| jakobdabo wrote:
| DNSCloak does that, but it sometimes crashes, and
| unfortunately there are no recent updates.
| NmAmDa wrote:
| AdGuard can do that on both android and iphone
| ev1 wrote:
| at the very least, t-mobile has static-routed public
| resolvers like google's to their own in the past.
| Scoundreller wrote:
| Though legally speaking, there might be a difference
| between logging dns packets going to ??? and dns packets
| hitting the provider's dns server.
|
| The latter could be construed as necessary logging while
| the former is spying for the sake of spying.
| judge2020 wrote:
| The legal aspect might change what AT&T 'has' to log,
| although they likely voluntarily include other passively-
| obtained port 53 traffic in their cooperation.
| cmeacham98 wrote:
| Android natively supports DoH, which both lets you change
| the DNS server and prevent your cellular provider from
| redirecting/logging DNS requests:
|
| Network Settings -> Advanced -> Private DNS
|
| Enter one.one.one.one (or substitute your favorite DoH-
| supporting resolver)
| specto wrote:
| Until eSNI or similar is implemented across all sites, it
| doesn't matter much.
| CrazyCatDog wrote:
| iOS works with opendns think of it like a cloud pi-hole--I
| was using the app which used to have issues with cellular,
| but has worked as expected more recently. Use the generated
| profile...
| [deleted]
| ramesh31 wrote:
| I've never understood why they try to "disguise" these things.
| They always stick out like a sore thumb. How would anyone know
| the difference from a normal cell tower?
| miloignis wrote:
| I think you've misunderstood - the disguised towers are normal
| cell towers, and normal cell towers are normally disguised to
| be less of an eyesore.
| aetherspawn wrote:
| MetroPCS looks to be the most private cell provider.
| hammock wrote:
| When it comes to retention periods, AT&T (who I imagine most
| iPhone users here have, by default) is REALLY bad: https://video-
| images.vice.com/_uncategorized/1634930279896-r...*
|
| They also have the longest and deepest history of working with
| the government on surveillance.
| slg wrote:
| >AT&T (who I imagine most iPhone users here have, by default)
|
| AT&T lost iPhone exclusivity a decade ago.
| kkirsche wrote:
| Your point? Most customers in the marketplace are averse to
| change across any service. It's not uncommon for users to
| stay with single providers due to momentum.
| slg wrote:
| My point is that saying iPhone users are by default AT&T
| users rests on the assumption that people have stuck with
| the same decisions they made about mobile network and phone
| operating system that they made over a decade ago. That
| isn't even factoring in the growth of the market overall
| and the people who have bought their first smartphone
| within the last decade.
| annoyingnoob wrote:
| The churn rate for wireless carriers is around 2% per year
| in the US, give or take. There are about 300M wireless
| subscribers in the US. Meaning that around 6M wireless
| subscribers per year switch carriers.
| _jal wrote:
| > They also have the longest and deepest history of working
| with the government on surveillance.
|
| I've long considered ATT to be an extension of the US
| intelligence apparatus. Ownership doesn't matter, it is who
| they answer to.
| travoc wrote:
| You can download some of the data that Verizon retains from your
| own cellular use here: https://www.verizon.com/support/download-
| and-view-vpd-file/
|
| When I did it, I could see they recorded IP addresses, time
| stamps and data transfer volume of every web site that I visited
| over their network, along with cell tower connections. It was
| fascinating.
| fulafel wrote:
| Wow, that's invasive.
| jamesfe wrote:
| Is it? How do they bill you without knowing how much data you
| transferred? How do they debug what went wrong with your
| connection without logs?
|
| This stuff is barely scratching the surface of the data those
| companies collect and maintain, likely for long periods of
| time, just to analyze and improve customer experience.
| jjulius wrote:
| >This stuff is barely scratching the surface of the data
| those companies collect and maintain, likely for long
| periods of time, just to analyze and improve customer
| experience.
|
| Heh, _just_ to analyze and improve customer experience?
| Nothing else a bit more unsavory?
| tablespoon wrote:
| >> This stuff is barely scratching the surface of the
| data those companies collect and maintain, likely for
| long periods of time, just to analyze and improve
| customer experience.
|
| > Heh, _just_ to analyze and improve customer experience?
| Nothing else a bit more unsavory?
|
| The point is this data would get captured regardless,
| surveillance or no. Mass surveillance (at least in this
| matter) often isn't so much about what gets captured, but
| how long it gets retained and who gets access to it.
| fulafel wrote:
| I interpreted this to mean they log traffic per web site:
|
| > data transfer volume of every web site that I visited
| over their network
| snuser wrote:
| without net neutrality this could be useful for future
| billing arrangements
| unethical_ban wrote:
| As if ATT gets on the line with end-users to debug site-
| specific issues!
|
| Aggregate data usage is one thing, but retaining any kind
| of detailed logs on where one goes or how much data was
| used on a specific site is unnecessary for the base
| provisioning of network connectivity.
| LatteLazy wrote:
| Actually it's very transparent. They're required to keep that
| data by law, they're just making it easy for us to see that.
| mikem170 wrote:
| I was curious about this. I knew that logged data has to be
| turned over if there is a warrant. I wasn't sure if logging
| was mandated.
|
| I found this article [0] describing the situation in
| various countries, with the following info for the United
| States:
|
| > Data Retention Period = 1 Year for Internet metadata,
| email, phone records
|
| > Authorization required to access the data = Various
| United States agencies leverage the (voluntary) data
| retention practiced by many U.S. commercial organizations
| like Amazon through programs such as Prism and Muscular.
|
| > Status Of Data Retention Regime = No mandatory data
| retention regime
|
| I'm guessing the above means that metdata (user ip and also
| user web and email destinations) are held for a year, but
| retaining actual user data (email contents, etc) is not
| mandated.
|
| [0] https://www.privacyend.com/mandatory-data-retention/
| murat124 wrote:
| Does anyone know the AT&T equivalent of this URL?
| rlt wrote:
| FWIW I think all ISPs that employ CGNAT are required by law to
| retain "NAT binding records" that are essentially this.
| NavinF wrote:
| I used to be an ISP and I'm not aware of any law like that in
| the US.
| rlt wrote:
| Maybe a DMCA safeharbor thing?
| NavinF wrote:
| Nope
| rlt wrote:
| I mean it may not be explicitly required by law but if
| you can't identify which customers broke other laws then
| aren't you opening yourself up to liability?
| chriscappuccio wrote:
| There is currently no federal rule, law or other mandate for
| US ISPs to develop, construct or keep CGNAT translation
| records. The laws that apply in this area only apply to
| records voluntarily created by the network operator.
| hpoe wrote:
| Just out of curiosity do you use a VPN, I always browse with a
| VPN on my phone for precisely that reason and am wondering if
| it actually works to help protect my privacy.
| aksss wrote:
| Assuming your VPN isn't owned by or in cahoots with the NSA
| too, you're dns lookups would be shielded from view, I guess.
| travoc wrote:
| Using a VPN would protect the privacy of your IP sessions
| from Verizon, although your VPN provider would now be able to
| see all of your session information.
|
| I suspect a VPN user would show up in the Verizon data file
| with many large TCP sessions to a very small number of IPs.
| SavantIdiot wrote:
| I am my own VPN provider. EC2 micro instance on AWS running
| StrongSwan. Sure, feds could dig that up, but it would be
| messier. I wonder what in/out logs AWS keeps on its
| VPCs....
| gtsteve wrote:
| t3.micro = $0.0104 x 750 = $7.80/mo without taking your
| bandwidth into consideration.
|
| Lightsail costs $3.50/mo with 1tb transfer bundled or
| $5/mo with 2tb.
|
| If your setup is scripted then it probably makes sense to
| switch over to save a bit of cash. Others following the
| same path could save some money by using Lightsail as
| opposed to EC2.
| SavantIdiot wrote:
| Yeah, but I wanted full control...
| mnahkies wrote:
| Can you please clarify what control you are gaining using
| EC2 over lightsail? (And why it's useful for your stated
| purpose)
| SavantIdiot wrote:
| I know I'm not selling my requests? I don't have to trust
| lightsail. Sure, I have to worry about AWS keeping logs
| of my requests but that seems less likely? Is that your
| argument?
| mnahkies wrote:
| Lightsail is basically an EC2 instance packaged with an
| ipv4 address, storage and bandwidth to compete with low
| cost VPS providers.
|
| I personally use lightsail for most always on things and
| then just use ec2 for on demand workloads, because it
| works out far cheaper (these are just random personal
| projects so I'm heavily optimising for low cost)
|
| You can't configure the lightsail instances as much as an
| EC2 instance, but otherwise it's essentially the same
| product (both operated by AWS).
| fomine3 wrote:
| AWS operates LightSail and LightSail is cheaper for who
| use bandwidth a few TB. That's why the question.
| zzyzxd wrote:
| > EC2 micro instance on AWS running StrongSwan
|
| Just curious, how many captchas do you solve with this
| setup daily? Or even IP bans?
|
| I did exactly the same thing once and it was so annoying.
| beermonster wrote:
| You can always use Privacy Pass as quite often you're
| dealing with CloudFlare protected sites.
|
| That said, if you're using your own EC2/lightsail
| instance you won't see as many CAPTCHAs as, say, using a
| commodity VPN service.
|
| Given you can't detect a VPN per-se (if configured
| properly) usually the way it works is that the
| destination node knows you're coming from a source IP
| from a known VPN-supplier's well-known IP-block.
|
| If you go for this kind of setup (running your own VPN on
| AWS) you're simply changing your ISP to Amazon. They
| still might (and probably will) be monitoring egress
| traffic at the very least to perform any kind of incident
| analysis.
| flowerwolf wrote:
| The big providers are _definitely_ monitoring, and are
| probably working with NSA /FBI, if nothing else then at
| least to look for APT CNE/org.crime.
| SavantIdiot wrote:
| None? I've had this for a long time with no issues.
| That's weird. I'm on it now listening to spotify, reading
| WaPo and browsing HN. What sites complain? I'll try it?
| bklyn11201 wrote:
| Why pay AWS $0.09 a GB tax to listen to Spotify?
| SavantIdiot wrote:
| Yes. Spotify. Ahem. That's why I use my VPN... cough
| cough.
| rlt wrote:
| You might have gotten lucky with the static IP / subnet
| assigned to your machine.
|
| I set up a VPN on a Digital Ocean instance and got
| captchas all the time on various websites, especially
| ones using CloudFlare etc (I'm aware of Privacy Pass but
| didn't bother setting it up as it was a temporary thing)
| gzer0 wrote:
| I suspect that the effort required to succesfully produce
| viable evidence from a VPN provider such as Mullvad are
| significantly higher than the effort we see here from ATT,
| T-mobile, Sprint, and Verizon.
| travoc wrote:
| That is probably true in most cases. Choose your poison.
| flowerwolf wrote:
| Also, don't use a VPN provider that knows who you are and
| don't use one in your own jurisdiction.
| koheripbal wrote:
| I have been considering setting up a dedicated lightweight
| node on some cloud server just for VPN.
|
| I'm curious if other have done the same.
| kempbellt wrote:
| I route all of my mobile data through a Wireguard VPN on my
| home's network, and everything on my home network is routed
| through PiHole where I block/disable a lot of tracking and
| extraneous junk requests.
|
| Generally speaking, this makes me feel a better when using
| mobile data or any foreign network (public, friends, work,
| etc) since I know all of my outbound requests are coming from
| "one location".
|
| I can reroute outbound access to an external VPN if/when
| needed, but it's really a crapshoot for who you trust to keep
| track of your outbound requests. I don't trust any VPN out
| there to be strong enough to say "NO" to an intrusive 3rd-
| party like the US gov. No more than my own ISP at least.
|
| For someone overly paranoid about tracking, I would probably
| suggest just using Tor, but for basic consolidation of
| internet access, routing through a self-hosted VPN at home
| works great.
| mikeastock wrote:
| Do you any recommendations for a solid getting started
| PiHole guide?
| flowerwolf wrote:
| Don't use pi-hole, use dnscrypt-proxy instead.
| kofejnik wrote:
| Google wirehole, just needs a single docker-compose up
| mrtksn wrote:
| Wouldn't that kind of data be massive? Any idea on what kind of
| infrastructure they use?
| adolph wrote:
| Prolly just "borrow" NSAs.
| OneLeggedCat wrote:
| Prolly just being indirectly paid by NSA to run it
| themselves.
| adolph wrote:
| I wonder if this sort of activity would be detectible on
| publicly available balance sheets?
| fouc wrote:
| 120 million verizon customers * 100 daily entries (on
| average) of "ip address, website, total_data, time_stamp,
| cell_tower_connections"
|
| 4.4 trillion database entries in a year
| danuker wrote:
| I guess that is part of why Internet is so expensive in the
| US.
| sixothree wrote:
| On my work computers I have an app that screenshots all of my
| desktops every 30 seconds. I have literally years of
| screenshots. The cost is miniscule.
|
| Meaning, the cost to record everything a person does all day,
| every day of the year for literally forever is not very much
| at all.
| NoPicklez wrote:
| It might not cost much for yourself, but when we're talking
| millions of people. Data points being recorded multiple
| times per day per customer, the size of that data would be
| huge.
| electrondood wrote:
| Interesting, what's the purpose?
| raxxorrax wrote:
| Employee surveillance in a low trust environment and bad
| working conditions I would assume.
| sixothree wrote:
| Quite the opposite here. I did this myself without any
| sort of request. This is one of the highest trust
| environments I have worked in. If this were forced (or
| expected) in any way I would be looking for a new place
| to be.
|
| Please see my answer here
| https://news.ycombinator.com/item?id=29003198
| kolla wrote:
| I've used such an app myself on my work environments and
| if anyone ever questioned what I did a certain day I
| could always go back and look.
|
| Very helpful when filling out the time report if you are
| reporting time on many different customers.
|
| If a company force installed it on your PC it is probably
| not a good place to work at.
| sixothree wrote:
| This is exactly the reason.
| sixothree wrote:
| The purpose is for time tracking. I am a developer but I
| go through periods where I work on _many_ different
| projects. And also I sometimes get pulled in (without
| warning) to support the team on client calls.
|
| It is not uncommon for me to have 15-30 different time
| tracker entries for things I worked on in a single day.
| This is not an exaggeration. Then other days I will work
| on a single task for entire day.
|
| So all of this unscheduled stuff gets lost pretty easily.
| Calls scheduled for an hour run only 30 minutes. Client A
| needed 10 minutes of support here, 20 minutes there, 5
| minutes there. I want to be as fair as possible to our
| clients.
|
| And related to client support, there is often the
| question of "who owns this bug" and who pays for the
| call. So I can use screenshots of the client environment
| to relate to the team and get more information about
| whether we should really be billing for the call or if
| that's something that needs to be improved in our
| software.
|
| Also I support other developers. Skype calls with
| developers tend to be short. But boy can they add up. If
| I'm spending 3 hours a day on support overall, I really
| need to track that. That time needs to go into the right
| project at the very least.
|
| So that's where the screenshots come in. This is not
| something the company asked for or have ever requested
| access to. They know I do this. So when I say I spent two
| hours supporting a client, they feel confident sending
| out that bill.
|
| It actually started as one of those experiments into time
| lapse video. But I multitask way too much for these to be
| usable videos. Though I have hand picked select days and
| turned them into something very cool.
| mldonahue wrote:
| For anyone who wants to know more about how companies can more
| ethically, and transparently, engage with law
| enforcement/governments:
| https://news.ycombinator.com/item?id=28156465
|
| Establishing a best practice for public/private sector
| communication keeps the govt in check and helps companies ensure
| compliance & transparency.
| einpoklum wrote:
| That's neither ethical nor transparent. And the guy writing
| that post is ex-FBI.
|
| An ethical and transparent way to handle such subpoenas would
| include:
|
| 1. If possible, not being a US company so you might be able to
| avoid the subpoena in the first place.
|
| 2. Have a policy of not keeping user data at all, or keeping it
| with a third party that is not legally bound by US government
| subpoenas, so that it can't (?) be subpoenaed.
|
| 3. Publish any subpoena you get from the government.
|
| 4. Moreover, arrange it so that subpoenas are published before
| being read, so that if you get a National Security Letter, you
| would not be able to comply with the non-disclosure
| requirement. Another way to go about this may be to only open
| subpoenas in a public forum, preferably with journalists
| present. Try to consult ACLU/EFF lawyers about this particular
| issue.
|
| 5. If the government somehow gets its hands on user data,
| inform the users immediately.
| johnsillings wrote:
| so basically change all the laws around how this stuff works,
| got it
| mldonahue wrote:
| Can you elaborate how you think a tool like this is neither
| ethical nor transparent? And why is it bad the writer is ex-
| FBI?
|
| You appear to be passionate about the issue at hand, but your
| knowledge on this process seems to be limited.
|
| 1. Not being a US company doesn't matter - international
| agencies send subpoenas just like the US agencies. US govt
| can send subpoenas to international companies just the same.
|
| 2. Not having PII or user data doesn't prevent subpoenas
| (i.e. Reddit, 4chan, Whisper, etc.)
|
| 3. Subpoena's often come with Non-Disclosure Orders (NDO).
| Even without NDOs, publication of the actual subpoena is
| arguably more irresponsible just by the shear fact you could
| be publicizing PII, and subjecting this user to unfair, and
| non-contextualized public opinion. Big tech has adopted
| transparency reports for this reason. User notice is the goal
| - not publicly shaming your user just to make a point to the
| government.
|
| 4. Non-compliance and willful disregard for the legal order
| will not change the overall problem. Ironically, you're right
| that the best way to prevent data requests from the govt
| might be non-compliance...then the company would get shut
| down for said non-compliance...so there would be no company
| for the government to subpoena.
|
| 5. User notice is obviously a legal department best practice,
| but if there is a NDO it puts legal repercussions on a
| company for disclosing such info. Keeping this process
| clunky/messy/disorganized hurts the user, and the company.
| You say this company is not ethical, yet Kodex automatically
| informs users about data requests pertinent to them, and if
| there is an NDO, the user is notified immediately upon
| expiration rather than relying on a legal department employee
| to remember to manually do it months or years later. Would it
| be more ethical to keep the process unchanged and prone to
| human error?
|
| These guides for Law Enforcement (LE) to get data are
| actually meant to streamline the process for the company, so
| companies don't have to deal with non-valid subpoenas. The
| subpoena is coming regardless...why waste time/resources
| dealing with non-valid subpoenas when educating LE will help
| streamline things. Obfuscation is never going to prevent
| these legal orders...if the FBI wants to send your company a
| subpoena they are going to whether you tell them how to do it
| properly or not. Kodex is a best practice that standardizes
| how the govt can interact with companies, to keep the govt in
| check, while keeping companies compliant, transparent, and
| accountable about the process.
|
| As the writer said: "There is a lot that can be fixed in
| government. This process is one of them. The goal is not to
| 'help the FBI do their job more easily'... making the process
| easier for the company, forces the government to do their job
| BETTER, and helps society move forward."
| FDSGSG wrote:
| >4. Moreover, arrange it so that subpoenas are published
| before being read, so that if you get a National Security
| Letter, you would not be able to comply with the non-
| disclosure requirement. Another way to go about this may be
| to only open subpoenas in a public forum, preferably with
| journalists present. Try to consult ACLU/EFF lawyers about
| this particular issue.
|
| I can't imagine this working more than once, the goverment
| can just verbally inform you of the non-disclosure
| requirement when they deliver any future documents in person.
| yawaworht1978 wrote:
| Indeed, often people have said the FBI runs this and that. But
| this is not cost efficient, the agencies can just subpoena the
| businesses for data, simple as that. No hacking, no developing
| etc.
|
| It's pretty efficient, if the government announced they would
| save some files on all citizens, it would be widely unpopular. So
| let the people use the services they consent to use, let the
| businesses collect as much data as possible, the more, the
| merrier.
|
| And when the need for these resources arises, subpoena the
| business, they'll even do the search for them.
___________________________________________________________________
(page generated 2021-10-26 23:02 UTC)