FBI would rather prosecutors drop cases than disclose stingray details (2015) (arstechnica.com)
230 points by fgeorgy on July 2, 2018 | 53 comments


This is not the only situation where investigators are hiding iffy information sources, and committing perjury. We all know about deals with informants, who sometimes receive immunity for major crimes, in exchange for their information.

But the elephant in the corner is DEA's Special Operations Division (SOD).[0] This funnels information from the CIA and NSA to the FBI, IRS, DHS and USCIS. But you will find nothing about SOD in any of the cases where it reportedly played a key role (according to that DEA Museum lecture).

Anyway, there's no evidence that SOD has ever been used except for major drug cases. But there's no reason to assume that it hasn't been, either.

0) https://www.deamuseum.org/wp-content/uploads/2015/08/042215-...


> there's no evidence that SOD has ever been used except for major drug cases. But there's no reason to assume that it hasn't been, either

What does this mean?


Lack of evidence of something does not equal evidence of non-existence of said thing.


A more common phrasing is "absence of evidence is not evidence of absence".


Proof of guilt is required in criminal case however, so absence of evidence is evidence of innocence.


Absence of evidence only means that there is not sufficient evidence to pronounce the defendant guilty. It is not evidence of innocence. They are not the same.


Logically, they are not the same.

In the US, the accused in a criminal case is presumed innocent unless the prosecution can prove beyond reasonable doubt that they are guilty. The defendant in a civil case is presumed not liable unless the plaintiff can prove by preponderance of evidence that they are responsible.

Under those standards, without evidence, the defense wins. Practically speaking, it doesn't matter if they are innocent or unprovably guilty. Al Capone [probably] wasn't innocent, but he was not found guilty of anything until they tried to get him for tax evasion.


You can either be innocent or guilty in court. So yes. It is.


You are never declared innocent, only not guilty. Functionally they are similar, as you can't be tried for the same crime. But being declared 'not guilty' is not useful in a civil case related to the same issue.


Never is a strong word.

A woman who spent 17 years in a California prison for a murder she didn’t commit was declared factually innocent Friday, clearing the way for her to collect about $600,000 in compensation from the state.

[0] https://globalnews.ca/news/1686476/judge-declares-woman-who-...


Factually innocent is separated from actual innocence. http://floridainnocence.org/content/?p=7019

Justice Department officials said it is not their job to notify prisoners that they might be incarcerated for something that they now concede is not a crime.


That’s a paltry sum to exchange for 17 years.


Personally, I've always liked the Scottish third option of "not proven."


> Proof of guilt is required in criminal case

Proof of culpability is required in both civil and criminal cases, though the standard of proof is different.

> so absence of evidence is evidence of innocence.

Absence of evidence of guilt isn't evidence of innocence, though absence of evidence of guilt makes a not guilty verdict more likely. The presumption of innocence means that innocence is the default conclusion in the absence of evidence; it doesn't change what is or isn't evidence of innocence.


True. But we do know that thousands of people in the criminal justice system have lied about secret evidence. If even 10% of them went to trial, I bet that relevant evidence would come out. Some of them could accept plea deals, and testify against their managers.

That's quite the fantasy, isn't it?


In the context of Criminal Procedure and Rules of Evidence, the prosecution has to turn over all evidence (including mitigating evidence) in discovery and failure to do so means: a. It doesn’t exist, b. If it does the prosecution is risking mistrial; their career/disbarment; and over turning convictions going back in time.


https://www.hrw.org/report/2018/01/09/dark-side/secret-origi...

You're not wrong, but you're also significantly overstating the risks to prosecutors. Prosecutors are rarely punished for misconduct. http://www.latimes.com/local/politics/la-me-lying-prosecutor...


Indeed it’s so common there’s an accepted term for burying your poison vine: parallel construction.


This. It has become the norm. I suppose that it's justified by outrage over the sorts of crime involved. But with SOD and Stingrays, we're talking about widespread subversion of federal agencies, state police and prosecutors, and probably at least some judges. It has indeed been a criminal conspiracy. Not that anyone will ever be prosecuted for it.


I don't know about the US but in the UK there has just been a major and sadly underreported scandal with police failing to disclose evidence to defence solicitors.


We know that federal and state agencies, investigators and prosecutors have lied for decades about SOD. They've used parallel construction to build clean cases. And they've not disclosed evidence provided by the NSA or CIA to defendants' counsel.

Why would we assume that evidence provided by the NSA or CIA are only used in drug cases? I mean, look at the list of federal agencies involved. Why would they create a parallel system for prosecuting tax evasion, or child abuse, or whistleblowing, or whatever?

I mean, we know that there's a broad conspiracy to lie. How can we trust liars to only lie about some things? And how could we even trust denials about that?


Is the preference to throw away the case because of all the accessory data being gathered? I wonder how much this has to do with all the DC stingray devices[0]. Truly a weird time to be alive. The first Stingray discussion I saw was at DEFCON 18[1], though that talk was just about 3G/2G. Is anyone seriously thinking that this shit is safe? I don't know the nuts and bolts of a current stingray, but I don't think it's $300k black magic. How many similar devices are running outside of LE identification?

[0] https://www.wired.com/story/dcs-stingray-dhs-surveillance/

[1] https://www.youtube.com/watch?v=fQSu9cBaojc


There's a few reasons to throw away a case, and I make no assertion that these are why -

* they've identified a legal or technical reason that would render their evidence invalid

* may give up information that would let someone identify which towers are stingrays

* may give up information on where they are or have operated

* may be protecting some not-yet published or not yet well known exploits of the cellular network

> How many similar devices are running outside of LE identification?

Well, foreign versions of these have been found on US soil. No doubt we've deployed them internationally as well. Spies gonna spy. And it seems safe to assume that naughty hackers probably prop these up at major events for fun or profit.


I wonder if anyone has outlined best practices for going to major public events? Just a burner cell? I assume airplane mode isn't enough. Faraday cage bag and keep the phone off until I get outside the event. Since we no longer really have pay phones, I wonder what the best secure SOP is aside from just "don't go". I think airports and tube stations qualify as minor major events.

I don't just worry about it because of the tracking, but also pushing false over the air updates. I know 4G is a lot more secure, but I don't fully understand the current stingrays. With the government saying they don't know who's running the DC stingrays, it pulls a lot into question for personal security.

Here's a presentation from last year's Blackhat:

"New Adventures in Spying 3G & 4G Users: Locate, Track, Monitor" by Ravishankar Borgaonkar and Lucca Hirschi

https://www.blackhat.com/docs/us-17/wednesday/us-17-Borgaonk...


> I don't just worry about it because of the tracking, but also pushing false over the air updates.

Pretty sure OTA updates are signed, and signatures checked, so you'd need to steal a vendor's private key. Those are almost certainly kept on a hardware security module, so it's not an easy task at all.


That's putting a lot of faith in HW manufacturers' security practices. I've had conversations with ex-employees of a couple of large cell phone firms who know about their build systems, and am not willing to buy those brands now.

(Think: Dedicated PCs, one builder for each major revision of a phone, basically unpatched for years, with magic and difficult to reproduce configurations. Don't know specifically about HSMs, but those seem unlikely given their level of care and sophistication).


That's a pretty accurate description of firmware build environments for a whole lot of products, not just cell phones.


Once upon a time, a certain large maker of a popular video game console lost the hardware engineer's laptop where the source code for the game controller firmware was. I don't know the nature of the catastrophe, whether the code was accidentally deleted, or the drive failed, or perhaps the employee left and the laptop got recycled. In any event, the source was gone.

Source control? What's that? Sounds complicated and unnecessary. All you need are files on disk, right?

"Wait, I thought your laptop had the source code. Um..."

They wound up paying a consultant to disassemble the binary and turn it back into plausible C. For all I know, given the way that those firmware engineers wrote code, the recreated source was of better quality than the original. :-/

[I am trying real hard not to turn this into a "how bad can firmware code get" comment, but I do have to say that this was the same group where one contractor had written the firmware for a device, consisting of one massive function with a bunch of goto statements and static variables, with names like 'v' and 'x' and 'xx'. The contractor also seemed to think that removing whitespace from the program would make the binary run faster...]


I'd hope for most things on my iphone or newish name brand android, but I don't have the audits to prove it for everything.

There were some amazing phishing attacks way back when the iPhone could do a single click jailbreak through the web. While that scene publicly is mostly dead for people that want a Cydia app, there's definitely a big money private game that still exists. I don't think it's a totally safe assumption to just trust that a sophisticated man in the middle at a dense event isn't possible.

Unlikely, sure... Maybe I'm not even the best target. My 75 year old uncle with his thrift store Android might be in a common set of outdated devices ripe for picking, and wouldn't be able to catch a phish if it slapped him. Let alone something that didn't need user input. That's a pretty reasonable inroad to all sorts of stuff if you're patient and inclined.

I dunno, I think it's a reasonable thing to at least ponder in our current world of ubiquitous barely updated pocket linux slabs.


Jailbreaks through the web are always a threat - they don't stop being a threat because you're using a legit cell tower. So I think that "what if there's a low-interaction 0-day" doesn't really interact with Stingrays. If you're worried about it, avoiding events where Stingrays are likely to be used doesn't really help you.

iOS does verify OS software via a secure-boot-style chain of trust, starting with a public key that's part of ROM, and there's rollback prevention for the OS, the baseband, and the Secure Enclave's software. https://www.apple.com/business/docs/iOS_Security_Guide.pdf (At least, if you believe Apple, and if you don't, stop putting interesting info on your Apple cell phone.)

Android also does verified boot https://source.android.com/security/verifiedboot/verified-bo... but device support is probably all over the place. I think that anything running Android 6 or later is required to use ARM TrustZone, but it's probably a lot easier to defeat than iOS's mechanism.

Rupprecht et al. 2016 find that most devices on the market at the time - including the iPhone 5S and 6S and the Nexus 5 and 7 - would accept the LTE no-encryption mode ("EEA0") without showing any UI warning or indicator; see section 5 / table 2 in https://www.usenix.org/system/files/conference/woot16/woot16... . They also find that some Huawei chipsets will accept the LTE no-integrity-protection mode ("EIA0"), although most devices reject that. I haven't seen a newer version of this research.

NIST points out (https://csrc.nist.gov/CSRC/media/Presentations/LTE-Security-... slides 40 and 47 - warning, 3-megabyte PDF) that most phones support downgrading to older standards - which is what you want for roaming, but if you're in a densely populated area with a clear view of the sky and your phone shows "3G", maybe you should be suspicious.

Your 75-year-old uncle with a thrift store Android is almost certainly at serious risk, yes, but I think his primary problem is that this Android isn't getting updates any more and there are just publicly known exploits that anyone can use. Personally, I'd say the best thing is to get him a ~$150 iPhone SE from one of the prepaid carriers, because that's what they're going for these days, the SE should have about two more years of security support lifecycle left, and it does have a Secure Enclave.
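The signed-update and verified-boot chain discussed in the comments above (OTA images checked against a vendor key, plus the rollback prevention the linked iOS and Android documents describe), as an added example that is not part of this thread and not any vendor's code. It uses Go's standard-library Ed25519. The image layout (8-byte version counter, payload, 64-byte signature), the function names and the in-memory vendor key are this example's own assumptions; the `minVersion` argument stands in for the fuse or secure-storage counter a real boot ROM would consult.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed image layout (this example's own, not any vendor's format):
//   8 bytes   big-endian version counter
//   N bytes   payload (kernel, baseband, whatever is being booted)
//   64 bytes  Ed25519 signature over version||payload
const sigLen = ed25519.SignatureSize

var (
	ErrTruncated    = errors.New("image too short to hold a header and a signature")
	ErrBadSignature = errors.New("signature does not verify under the ROM public key")
	ErrRollback     = errors.New("image version is below the device's anti-rollback counter")
)

// GenerateVendorKey stands in for the vendor's signing key. In production the
// private half lives in an HSM and never leaves it; here it is generated in
// memory only so the example can sign its own test image.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignImage is the build-server side. Version and payload are signed together,
// so the version field cannot be rewritten without breaking the signature.
func SignImage(priv ed25519.PrivateKey, version uint64, payload []byte) []byte {
	body := make([]byte, 8+len(payload))
	binary.BigEndian.PutUint64(body[:8], version)
	copy(body[8:], payload)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is the boot-ROM side. It trusts exactly two things: pub, which
// would be baked into ROM, and minVersion, a monotonic counter in fuses or
// secure storage. The payload is released only if the signature verifies and
// the version has not gone backwards. The signature is checked before the
// header is parsed, so untrusted bytes never drive the version comparison.
func VerifyImage(pub ed25519.PublicKey, minVersion uint64, image []byte) (payload []byte, version uint64, err error) {
	if len(image) < 8+sigLen {
		return nil, 0, ErrTruncated
	}
	body, sig := image[:len(image)-sigLen], image[len(image)-sigLen:]
	if !ed25519.Verify(pub, body, sig) {
		return nil, 0, ErrBadSignature
	}
	version = binary.BigEndian.Uint64(body[:8])
	if version < minVersion {
		return nil, version, ErrRollback
	}
	return body[8:], version, nil
}

func main() {
	pub, priv := GenerateVendorKey()
	counter := uint64(5) // highest version this device has already booted
	good := SignImage(priv, 5, []byte("kernel build 5"))
	tampered := append([]byte(nil), good...)
	tampered[12] ^= 0x01 // flip one bit inside the payload
	stale := SignImage(priv, 4, []byte("kernel build 4")) // validly signed, but older
	cases := []struct {
		name string
		img  []byte
	}{{"good", good}, {"tampered", tampered}, {"stale", stale}}
	for _, c := range cases {
		_, v, err := VerifyImage(pub, counter, c.img)
		fmt.Printf("%-8s version=%d err=%v\n", c.name, v, err)
	}
}
```

The point of the two checks together is the one made in the thread: a stingray that can push bytes at the baseband still has to produce a valid signature under the ROM key, and even a stolen old signed image is rejected once the device's counter has moved past its version.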


Thank you for your thoughtful breakdown and useful links!


I have 2 theories about why the EXTREME secrecy surrounding Stingray.

1. It is based on stolen credentials / crypto keys.

2. It is based on exploiting a vulnerability in the protocol.

Either way, secrecy is important. In case 1, if the secret got out, those keys / credentials could be revoked and replaced and Stingray would no longer work. In case 2, if the secret got out, every high school kid would be building a Stingray and poor people would be spying on rich and powerful people (gasp!).

In case 2, the vulnerability may be something that takes years to fix, requiring compatibility over the replacement period both to base stations and mobile equipment as old mobile sets attrition out of the system.


Given the vulnerabilities that have been recently announced for LTE, it seems to me that your #2 is much more likely. Anyone with a Software Defined Radio and the right code could run their own Stingray.

Circumstantial evidence of recent reports of massive increases in suspicious activities would seem to indicate that this is actually happening.


Based on a quick look at Wikipedia for GSM, it sounds like some efforts have been made towards breaking the encryption: https://en.m.wikipedia.org/wiki/GSM

I'd be willing to bet that national governments have done even more work on that problem.


This suggests a criminal defense strategy where if someone was up to no good, they should arrange it so that the investigators are forced to use sensitive and illegal techniques to obtain evidence, making the case not prosecutable.


Criminals can't force the government to use illegal strategies. This problem is entirely self inflicted.


>Criminals can't force the government to use illegal strategies.

Parent said sensitive or illegal.

I think it's perfectly possible to have such state of the art opsec, that the government would not be willing to out their investigative technique to bust a run of the mill criminal.


Actually parent says sensitive and illegal, but it is beside the point. Criminals can't force the government to use their sensitive investigative techniques either.


Still means it is a viable strat. If your opsec requires an exploit that's currently invaluable to OPS targeting way bigger fish, you can operate with some degree of impunity until the exploit becomes moot for the bigger fish.

It's why security researchers will in all odds never be the target of an "evil maid" attack. It isn't worth the time.


> Actually parent says sensitive and illegal, but it is beside the point. Criminals can't force the government to use their sensitive investigative techniques either.

You're playing semantics. Written language is not machine code, try not to be a faulty compiler :)

Sure, a criminal cannot literally force the government to use a sensitive technique.

But since the government tends to want to investigate all crimes it is capable of investigating, a criminal can easily create a situation where the costs involved with a prosecution (disclosing a sensitive technique, causing people to update opsec accordingly) outweigh the benefits (prosecuting a small time criminal).

The end result is that the government is figuratively forced to not prosecute a criminal despite having the capability to prove their guilt.


> But since the government tends to want to investigate all crimes it is capable of investigating, a criminal can easily create a situation where the costs involved with a prosecution (disclosing a sensitive technique, causing people to update opsec accordingly) outweigh the benefits (prosecuting a small time criminal).

This is the part I'm disputing. If a criminal could reasonably control what evidence is available to the government, a better and less risky strategy is to give them no evidence rather than to give them evidence that they don't want to use.


What if that evidence reduces your bottom line considerably or reduces your risk, as opposed to other evidence?


> But since the government tends to want to investigate all crimes it is capable of investigating

Sure, but is that appropriate? Is that what we actually _want_ from _our_ government?

> The end result is that the government is figuratively forced

You can't start a problem with desire and then claim a forced hand when it doesn't go your way. The government is not forced to investigate or attempt to stop _every single_ crime.


>Sure, but is that appropriate? Is that what we actually _want_ from _our_ government?

No, and sorry if it came off that I thought that's a good thing.

>The government is not forced to investigate or attempt to stop _every single_ crime.

No, but in a connected society it's harder to ignore crimes. The government doesn't like to "lose face" so they end up doing silly things like raiding marijuana dispensaries instead of using that manpower to target the heads of opiate dealing gangs - because the former is more visible it gets disproportionate attention.


Would not be a new strategy.


I’m curious as to whether or not it is possible to identify a stingray “tower”. I would love to read more about that.


It sure is. Look up the SnoopSnitch project, https://opensource.srlabs.de/projects/snoopsnitch.

It will alert you if your phone connects to a fake cell tower aka stingray device.


Yes, unfortunately in this under-caffeinated moment I can't recall the right google search terms. As I recall, there are a small number of root-able Androids that are suitable for pairing with a RasPi, which together with suitable software gives you a stingray detector.


Something like this, perhaps? https://hackaday.io/project/15711-raspberry-pi-stingray-dete...

Looks like a pretty standard software defined radio receiver that profiles local cell towers so as to notice when a new, lower power (local) tower is put up, which you can then assume is some kind of stingray type device. Looks pretty easy to set up as well.


A low power cell tower might simply be a legitimate micro-cell, such as in a home or office where ordinary tower reception is very poor.
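The detection heuristics the last few comments describe (a cell never seen in a baseline survey of the location, an area code that forces a location update, a signal stronger than any surveyed cell, a camp on 2G/3G where 4G is normal) together with the null-cipher indicators from the Rupprecht and NIST references earlier in the thread (a phone accepting EEA0/EIA0, or A5/0 on 2G), as an added example that is neither SnoopSnitch's nor the Hackaday project's code. The observation struct, the thresholds and the sample survey are constructed for this example; the verified micro-cell allowlist addresses the caveat in the comment just above.

```go
package main

import "fmt"

// RAT is the radio access technology, ordered so that a lower value is an
// older generation; being served by a lower value than usual is a downgrade.
type RAT int

const (
	RAT2G RAT = iota + 2
	RAT3G
	RAT4G
)

func (r RAT) String() string { return fmt.Sprintf("%dG", int(r)) }

// CellObs is one snapshot of the serving cell, as a baseband diagnostic port or
// an SDR survey would report it. The field set is this example's own.
type CellObs struct {
	MCC, MNC  string
	Area      int    // LAC on 2G/3G, TAC on 4G
	CellID    int
	RAT       RAT
	RSSI      int    // dBm; closer to 0 is stronger
	Cipher    string // negotiated algorithm, e.g. "A5/3", "EEA2"; "A5/0"/"EEA0" mean no encryption
	Integrity string // "EIA2" on 4G; "EIA0" means no integrity protection; "" where not reported
}

// Baseline is what a quiet survey of the same spot produced earlier.
type Baseline struct {
	KnownCells map[string]bool // cell identities seen during the survey
	KnownAreas map[int]bool    // LAC/TAC values advertised by surveyed cells
	Femtocells map[string]bool // micro-cells the user has verified as legitimate
	TypicalRAT RAT             // generation the phone normally camps on here
	BestRSSI   int             // strongest level seen during the survey, dBm
}

func cellKey(o CellObs) string {
	return fmt.Sprintf("%s-%s/%d/%d", o.MCC, o.MNC, o.Area, o.CellID)
}

// NullCipher reports whether the negotiated algorithms leave traffic unprotected.
func NullCipher(o CellObs) bool {
	return o.Cipher == "A5/0" || o.Cipher == "EEA0" || o.Integrity == "EIA0"
}

// Assess lists the indicators that make o look like an IMSI catcher relative to
// the baseline and gives a verdict. A verified femtocell is never flagged. A null
// cipher is flagged on its own; anything else needs two independent indicators,
// because a single new cell or a single downgrade has benign explanations.
func Assess(b Baseline, o CellObs) (suspicious bool, reasons []string) {
	k := cellKey(o)
	if b.Femtocells[k] {
		return false, nil
	}
	if !b.KnownCells[k] {
		reasons = append(reasons, "cell "+k+" never seen in baseline survey")
	}
	if !b.KnownAreas[o.Area] {
		reasons = append(reasons, fmt.Sprintf("area code %d not advertised by any surveyed cell (forces a location update)", o.Area))
	}
	if o.RSSI > b.BestRSSI+6 {
		reasons = append(reasons, fmt.Sprintf("signal %d dBm stronger than anything in the survey (%d dBm)", o.RSSI, b.BestRSSI))
	}
	if o.RAT < b.TypicalRAT {
		reasons = append(reasons, fmt.Sprintf("camped on %s where %s is normal", o.RAT, b.TypicalRAT))
	}
	if NullCipher(o) {
		reasons = append(reasons, fmt.Sprintf("null cipher/integrity negotiated (%q/%q)", o.Cipher, o.Integrity))
		return true, reasons
	}
	return len(reasons) >= 2, reasons
}

// SurveyBaseline derives a Baseline from survey observations plus an allowlist
// of femtocell keys in cellKey format.
func SurveyBaseline(obs []CellObs, typical RAT, femto ...string) Baseline {
	b := Baseline{KnownCells: map[string]bool{}, KnownAreas: map[int]bool{},
		Femtocells: map[string]bool{}, TypicalRAT: typical, BestRSSI: -200}
	for _, o := range obs {
		b.KnownCells[cellKey(o)] = true
		b.KnownAreas[o.Area] = true
		if o.RSSI > b.BestRSSI {
			b.BestRSSI = o.RSSI
		}
	}
	for _, f := range femto {
		b.Femtocells[f] = true
	}
	return b
}

// SampleBaseline is a constructed survey: three LTE macro cells of one operator
// in area 4321, and one femtocell the user has verified.
func SampleBaseline() Baseline {
	return SurveyBaseline([]CellObs{
		{"310", "410", 4321, 1001, RAT4G, -71, "EEA2", "EIA2"},
		{"310", "410", 4321, 1002, RAT4G, -84, "EEA2", "EIA2"},
		{"310", "410", 4321, 1003, RAT4G, -90, "EEA2", "EIA2"},
	}, RAT4G, "310-410/4321/50001")
}

func main() {
	b := SampleBaseline()
	stream := []CellObs{
		{"310", "410", 4321, 1001, RAT4G, -73, "EEA2", "EIA2"},  // a surveyed macro cell
		{"310", "410", 4321, 50001, RAT4G, -55, "EEA2", "EIA2"}, // the verified femtocell
		{"310", "410", 9999, 7, RAT2G, -48, "A5/0", ""},         // everything a catcher does at once
	}
	for _, o := range stream {
		s, reasons := Assess(b, o)
		fmt.Printf("%-22s suspicious=%v\n", cellKey(o), s)
		for _, r := range reasons {
			fmt.Println("   -", r)
		}
	}
}
```

The two-indicator rule is the practical part: a new cell alone is what a legitimate micro-cell or a freshly commissioned site looks like, so on its own it should only be logged, while a negotiated A5/0 or EEA0 has no benign explanation on a modern network and is reported immediately.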


Actually I fuzzily recall seeing homebrewed IMSI-catcher and IMSI-catcher-catcher projects.


DHS has apparently detected stingrays of unknown origin in DC[1], so it is definitely possible.

[1] https://wapo.st/2JhRnwO?tid=ss_tw&utm_term=.b7ba020e94ee


It's because they know that what they are doing, collecting up everyones cellular data WITHOUT WARRANTS...IS ILLEGAL!



