Heartbleed and the Computer Fraud and Abuse Act

As the Heartbleed story broke last week, a number of individuals and security vendors released tools designed to test for the vulnerability.  One very popular tool was written and hosted by Filippo Valsorda.  Many systems administrators took advantage of this free tool in order to test the security of their own systems.

Tools that test for vulnerabilities make the internet more secure.  Consumers feel safer knowing their bank or email provider is not leaking sensitive information.  Similarly, websites which do not immediately patch their systems put their customers’ data at risk, and assessment tools allow this information to be known.  A publicly-available assessment tool allows anybody to test whether sites they rely on are properly protecting data.

But releasing these assessment tools to the public is problematic from a legal perspective.  Using a security assessment tool to test any site you don’t control is a violation of the Computer Fraud and Abuse Act (CFAA).

The CFAA amended 18 USC § 1030 to define crimes which occur due to computer misuse.  Multiple clauses of this law could be violated by scanning a website for vulnerabilities without prior authorization.  The Heartbleed bug allows an attacker to receive information located in a server’s memory just by asking for it, so the way to assess whether a particular server is secure is to ask for extra information and see whether the server provides it.  Subsection (a)(2)(C) of 18 USC § 1030 deals specifically with unauthorized access to information:

(a) Whoever –

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—

(C) information from any protected computer;

What exactly is a “protected computer”?   The CFAA defines such in subsection (e)(2):

(e) As used in this section–

(2) the term “protected computer” means a computer–

(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or

(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;

(The growth of the internet, unforeseen when the CFAA was introduced in 1986, essentially means that a “protected computer” as defined above covers every internet-connected computer, as they are used in “interstate or foreign commerce or communication”.)

Of course, being charged under one section of the CFAA does not preclude being charged under additional sections.  Subsections (a)(5)(B) and (C) cover potential damage caused by access from those who:

(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage;

(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss

Section (b) of 18 USC § 1030 makes attempting or conspiring to attempt unauthorized access a crime.  Use of a vulnerability assessment tool could be considered tantamount to “casing the joint” before actually committing the crime:

(b) Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.

The provisions of the CFAA were intended to fight crime, but they’ve made criminals out of every internet user who is concerned about security.  Criminalizing security research makes us all less safe – after all, how does anyone know who to trust without basic knowledge regarding security practices?

The inability of prosecutors to uniformly enforce this outdated law also creates a system of selective enforcement.  Since it’s impossible to punish everyone, a federal prosecutor can choose who they would like to charge under this law.  The technology community is painfully aware of what happens when overzealous prosecutors take the CFAA too far.

Part of this problem is symptomatic of a larger issue.  As it stands, it is currently impossible to count the number of federal crimes that could be committed:

“There is no one in the United States over the age of 18 who cannot be indicted for some federal crime,” said John Baker, a retired Louisiana State University law professor who has also tried counting the number of new federal crimes created in recent years. “That is not an exaggeration.”

There have been recent efforts to reform the CFAA.  A bill introduced by Zoe Lofgren would eliminate penalties for Terms of Service violations, such as using a friend’s Netflix account or joining a class-action lawsuit against Steam or Sony.  While these reforms are a step in the right direction, they do not go far enough to de-criminalize responsible online behavior.

Additional resources:
Prosecuting Computer Crimes Handbook
A Practitioner’s Guide to the CFAA
Cybercrimes & Misdemeanors

Hennepin-Lyndale repaving project

After reviewing some of the preliminary plans for the upcoming Hennepin-Lyndale Reconstruction Project, it seems like this is going to be primarily a road paving project.  I was hoping that more improvements would be made for those of us who walk, bike, and use mass transit in this corridor.  I’m honestly a bit skeptical about what can be done to lessen the bellyaches of everyone who travels through this area, regardless of vehicle choice.  (Personally, I’m in favor of something inspired by the Walker – maybe something avant-garde like removing all the stripes on the road and replacing road signage with Kandinsky paintings)

However, a few rather simple changes could make some intersections much more safe and friendly for cyclists and pedestrians.  I live in the Whittier neighborhood, but I have stayed away from biking north or south along Hennepin due to safety concerns, and it’s one of the only stretches of “protected” cycletracks that I tell novice cyclists to avoid.  Let’s look at some problems and (more importantly) some solutions…

Hennepin & Oak Grove:

[Image: LyndaleOakGrove]

As a cyclist, there are a few dangerous circumstances here that can be mitigated through smarter street design.  The first is west-facing traffic on Oak Grove attempting to turn north.  While there is both a “No Turn on Red” sign as well as a bright swath of day-glo paint, cars still meander into the bike lane, even if they don’t intend to break the law by turning on red.  This can cause accidents as well as prevent cyclists from entering or exiting Loring Park safely due to the placement and necessity of a curb ramp.

This problem is easier to solve than you’d think, and we can use how drivers interact with the road to our advantage.  One way to do this is to supplement the signal marked at (1) with an additional signal marked at (2).  Cars tend not to move past where they can see all traffic signals which apply to them, so by moving a light closer to where traffic should actually stop (and maybe complementing it with a “Stop Here On Red” sign), it gives an indication that they should not proceed past that point.   One example of this behavior occurs further south, at this intersection where traffic from 94 can get to Lyndale or Hennepin:

[Image: 94LyndaleSouth]

While this intersection isn’t perfect either, cars tend to not stray into sidewalks or bike lanes largely due to signal placement and signage.  (Of course, these cars are exiting off a freeway and into an urban setting, which may lead to more malleable behavior, but I digress)

Looking back at the picture of Hennepin and Oak Grove, another major problem is the combined cyclist/pedestrian lane.  It’s inconvenient and dangerous for a number of reasons, partially due to the fact that it’s on a hill.  As northbound cyclists gain speed on the hill, they must pass groups of pedestrians (whose behavior can be erratic) while monitoring any southbound cyclists who may be also avoiding pedestrians or overtaking one another as they climb the hill.  In addition, before you get to Oak Grove, try to figure out which northbound right-turning cars will yield to you and which ones will cut right in front of you; something that can only be ascertained by observing whether a driver is looking at their mirrors.  (plus there are always the drivers who turn without signaling, which is always a fun surprise) That’s a lot of things to pay attention to!

But we can improve safety by limiting the things a cyclist needs to be aware of.  Removing the area where pedestrians and cyclists share a single lane and extending the sidewalk from Groveland to Oak Grove would accomplish this.  Yes, it means asking St. Marks to give up some space, and that might be an unpleasant conversation, but it’s one that needs to be had if this city is serious about improving alternative transportation infrastructure.  The problem of northbound traffic turning onto Oak Grove is a challenge that I don’t have a better solution for (though I’m open to suggestions).

Hennepin & Groveland:

[Image: HennepinGroveland]

For cyclists, this intersection sometimes feels more safe than Hennepin & Oak Grove, due to fewer moving parts.  But the near-misses I witnessed here were the ones that caused me to rethink using this stretch altogether.  Each instance played out exactly the same – a southbound cyclist in front of me would approach the intersection and a driver would pull into the intersection completely oblivious of all activity on their right side.  The driver was so intent on figuring out how to turn right into those 4 lanes of oncoming traffic that they completely ignored the green paint and the cyclists they nearly ran over.

The best fix for this is to forbid right turns on red and to implement the same types of traffic signals that I mentioned earlier which discourage turning.  Add a signal prior to the bike path and make a clear “Stop Here on Red” sign to keep the prospect of turning out of the driver’s mind.  As long as I’m making demands, why not push westbound-facing drivers back 5-10 feet, both here and on Oak Grove?

Even if moving the west-facing drivers back isn’t an option, can we at least move the median at Groveland back or make it more friendly to pedestrians?  Pedestrians don’t want to climb over that thing, and instead they walk in the green painted area, and when the light changes it’s hard to find enough room for pedestrians and cyclists going both ways.  Again, this is also a problem that could be solved by extending that sidewalk down the hill to Loring Park.

Franklin & Lyndale:

And while it’s outside the scope of this project, it would be really nice to address that stretch from where the bike lane ends at the 94 ramp to Franklin Avenue.  I know in an ideal world we’d all ride on that cool bridge to our single-family homes in LHENA, but some bike-loving folks live in Whittier too.  To stay law-abiding, these cyclists are encouraged to go out of their way by taking the bridge and then biking down a giant hill on Franklin Ave, through the intersection with Lyndale (an intersection of two county roads – what could possibly go wrong?), then back up a giant hill.

As someone who has lived near this intersection for years, this is encouraging unsafe behavior.  The safe alternative is to illegally ride on the sidewalk past Rudolph’s – so why not come up with a way to make safe cycling legal?  One possibility would be to remove the street-level parking between 94 and Franklin and add a short protected cycle track.

Anyway, those are a few thoughts on how to improve bike and pedestrian experiences with a minimal investment in infrastructure. Once this repaving project is completed, it may be the last time we have an opportunity to address these issues for a while.

The inherent insecurity of mobile phones

I’ve had some interesting conversations since my article on kill switch technology was published.  One thing has come up a couple of times – the general sentiment of “people are really going to set up devices that pretend to be AT&T cell phone towers?  That sounds ridiculous/farfetched/like a movie plot, etc.”

Well, you don’t have to spoof an AT&T cell phone tower at all – just create your own!  By their very nature, cell phones are very “chatty” devices – they are constantly sending out signals to figure out where the nearest tower is, and whether they should change towers.  This is why your cell phone works while you’re walking down the street (or driving, but you shouldn’t be doing that anyway).

A cell phone does not need to authenticate to any particular type of tower; it essentially trusts any tower that promises to transmit data.  This fundamental technological flaw (or “feature”, depending on your viewpoint) allows for just about anyone to create a working cell phone tower – and these towers can be used to track individuals when they come within range because they will connect to your tower.

It should be noted that the above-linked slide is from 2008, when this technology cost $40,000; it can be built for far less money today (unless you’re buying from Harris).

In this video (spoiler alert: it’s also an ad), we can see a Raspberry Pi ($35) acting as a controller for the Ettus Research USRP B100 (possibly discontinued; Ettus suggests the B200 for $675).  Or in this (quite boring) video, we see the USRP N210 ($1,700) used in conjunction with Linux and OpenBTS.  Together, they are used to transmit a signal – in this case, a text message – to a cell phone.

So the reason I’m strongly opposed to this proposed law?   Just imagine if he had sent a “kill” signal to that phone instead of a text message.  From my understanding, that phone would not be able to talk to *any* cell tower after coming in contact with this rogue tower.  Worse than that, I believe the proposed federal bill wants the capability to not only disable a phone but also to wipe data from the hard drive.

Communications technology is about enabling people to talk to each other.  Legislating a technology into existence which intentionally limits the ability to communicate is immoral, especially in a democracy which requires open communication between citizens.  And if you don’t think cell phone carriers can already disable your phone, try not paying your bill for a couple of months (which will surely happen for those MN legislators living on minimum wage).

Quick rant on state-issued IDs

Just in case I forgot how easily and subtly the deck can be stacked against certain groups of people, I had to go to the DMV to get my license renewed recently.  It was fairly slow in there, so I was chatting with the nice woman who was processing my paperwork and learned some interesting things.

Apparently you’re supposed to have your driver’s license or ID renewed any time you move.  I knew that you were supposed to, but I’d never personally done that before.  That’s $15.75 (currently) every time you move.  I’ve lived in 9 different places since moving to Minneapolis, so technically I should be out at least $140, not even counting the cost to renew an expiring license, which is $26.25.

So I asked the clerk if anyone actually did that, and she said people do it all the time.  I was skeptical, so I asked her why – pretty sure none of my friends bothered to go to the DMV every time they moved.  As it turns out, if you’re stopped by a police officer and give an ID that lists an incorrect address (more than 30 days after you’ve moved), you can be fined $200.  (So the correct answer to the officer is always “I *just* moved last week”)

If I were some Republican strategist making this an issue, I’d call it a Moving Tax.  Couldn’t make your rent and had to move back in with your parents? That’ll be $15, please.  Finally got a job and moved out of a homeless shelter and into your first apartment?  That’ll cost you another $15.

On a side note, while I was at the counter another man (likely homeless and perhaps mentally ill) needed a new ID issued.  He didn’t have the $15 to pay for it, so was instructed to wait until Friday and to go to 17th and Chicago to get a voucher (apparently Friday is ID voucher day at Catholic Charities).  This guy had trouble moving from his seat to the counter.  I couldn’t imagine him spending the better part of his Friday getting to 17th and Chicago, then waiting to get a voucher, then traveling back across town to the Government Center, so I paid for him.  I didn’t stick around to see what he listed on the address line.

Following the money on Mark Dayton

As an equal-opportunity opponent of institutionalized corruption current campaign finance law, I’ll take a look at the biggest fish in the gubernatorial pond, incumbent Mark Dayton.  Dayton has raised a total of $1,086,739.75 for his 2014 campaign, a number which dwarfs that of the highest GOP fundraiser, Scott Honour.

So where does that money come from?  A few of Minnesota’s key political families play a big role.  Followers of MN politics will probably recognize the last names of Borman, Cowles, Dayton, Messinger, Pohlad, and Sieben – combined they donated $130,600, which is over 12 percent of Dayton’s total.  Those families each donated between $12,000 and $20,000 except for the Dayton family, who donated $54,750 in total.

Continuing the focus on big-money donors, let’s look at those who contributed the maximum amount of $4,000.  There were 106 such donors contributing to the 2014 cycle, a number which includes contributions from political committees (22 total) and registered lobbyists (11 total).  That means max donors accounted for almost 40 percent of Dayton’s fundraising total.

Looking further at those same max donors, there were 14 instances where 2 donors at the same residence donated the maximum amount – a fairly common tactic to maximize political influence. There was also one instance of three max donors using the same PO Box (the above-referenced Messinger family).

I was planning on going further in-depth on Dayton’s fundraising, but there are a handful of other projects I need to tackle this week, so I’m cutting this one short – I just don’t have the bandwidth to give this the attention it deserves. I’ll write more on the influence of money as we get closer to the election. I’ll leave you with this short speech from Senator Wellstone on the realities of political corruption:

 

Following the money on Scott Honour

Every year before an election, candidates for state office are required to file with the MN Campaign Finance and Disclosure Board.  And every year, intrepid reporters dig through those disclosure forms, creating pretty graphs or writing interesting stories about numbers.

I like to dig through those reports too, though my approach is less methodical in some ways (and more so in others).  I don’t know the candidates very well, and I find campaign rhetoric to be quite tedious, so I focus on the process.  For the record, I don’t hate all the players, but I sincerely hate the game – when money mixes with politics, democracy always loses.

I was able to extract some text from the online filings (despite them being “copy-protected” which renders the copy-paste function on some PDF readers unusable) and was able to glean a little bit of interesting information from it.  Let’s kick things off with our top moneymakin’ challenger Scott Honour!

Scott Honour had itemized contributions from approximately 309 donors in 2013, and raised a total of $596,680.  Not too shabby! 16 current employees of the Gores Group (based in Los Angeles, and where Honour was once senior managing director) contributed $21,250, not including spouses, who kicked in roughly an additional $10,000.  Not to be outdone, 11 employees of Moelis & Company chipped in $26,750 (their spouses gave an additional estimated $13,250).  So employees (and spouses) of just two companies account for over 10 percent of Honour’s total fundraising!

Also interesting was that of those 309 total donors, approximately 91 were from California – a close second to Minnesota, which had 134 donors.  So less than half of Honour’s donors live in MN – in fact, one $4K donor (the maximum amount allowable) lives in Singapore!

Speaking of max donors, there were a total of 58 individuals who donated the $4,000 max to Honour’s campaign in 2013 – that’s over $250K!  How many of these folks are connected with good ol’ Minnesota businesses?  Well, not too many – here are their employers (number in front is how many $4,000 donors that employer accounts for):

1 API Group
1 ATEK Companies
1 Bijan
1 BreitBurn Mgt Co.
1 Dalton Capital
1 ELO Touch Solutions
1 GTL
1 Gold Mine
1 Golden Gate Capital
1 Gravitas Development Group
1 Legendary Media
1 Macquarie
1 Meagher & Geer PLLP
1 Medtox Scientific
1 Miller Barondess LLP
1 Mount Yale
1 Northern Pacific Group
1 Norwest Equity Partners
1 Overbrook Capital
1 Palisades Ventures
1 Sagent Advisors
1 Self-employed actress
1 Self-employed entrepreneur
1 Skadden Arps
1 Superior Edge
1 TCF Bank
1 Top Hat
1 UCLA
1 Weil Gotshal
2 Self-employed Investor
3 The Gores Group
5 Moelis & Co.
6 Retired
13 Homemaker

Most of those are investment groups of some form or another, so I’m not really sure what they do.  Though judging by their contributions, an ally in office must be vital to their success – I suppose they are allowed a bigger say in who gets elected since they’re the ones that will eventually profit from it.  I’ll admit I was curious about the “self-employed actress” that could afford to give $4,000 to Mr. Honour – maybe it’s a celebrity! It turns out she’s just good pals with the Gores Group folks.

Is this the kind of candidate Minnesotans are willing to get behind?  Is an important factor in choosing a governor knowing how many friends they have in the financial services sector?

Anyway, the above information probably isn’t a surprise to those who follow politics closely.  But I hold Minnesota Republicans to a higher standard than their national counterparts and they should be wary of thinking a professional money man is palatable to the voters of this great state.

(And yes, while this post is focused on a Republican, Mark Dayton’s filing is even more interesting and some data from that will be detailed in a future post.)

Recap: MN Civil Law Committee Hearing on Surveillance and Privacy

Here’s my edited dump of notes from today’s meeting (apologies if any of it is misattributed or incorrect):

Today the State of MN Civil Law Committee convened to hear testimony regarding state and local government use of surveillance technologies.  At issue was how these technologies impact an individual’s right to privacy, and what legislative steps can be taken to allow law enforcement’s use of these technologies while protecting constitutional rights.

The first person to testify was the ACLU’s Catherine Crump.  She prefaced her comments by mentioning that while many privacy issues have surfaced due to the NSA, problems can also arise at the state and local level.  The ACLU is not opposed to surveillance technologies, but recognizes that oversight is required to prevent powerful technologies from being abused.

(While I would prefer that modern technologies not be used to surveil in the first place, this is a perfectly sane position to take.  Being “opposed” to technology is a pretty difficult proposition, since it’s the actual use of technology that can be problematic – it would be like opposing streaming video technology because you watched a bad movie.)

Crump’s testimony was focused on four areas: GPS tracking of vehicles, cell phone location tracking, automated license plate readers, and surveillance drones.  Crump also noted that extended surveillance often leads to the discovery of very private information about an individual, and that 28 days of GPS surveillance was considered a “search” by the Supreme Court.  Previously, searches like this were limited by the cost of technology, but the plummeting cost of GPS technology requires the state to impose additional legal restraints against this type of use.

Crump also touched on some topics related to cell phone tracking.  The first is that all carriers store historical data for a minimum of one year, and that carriers are willing to share this data with law enforcement.  This historical data is often much more sensitive than current location, since it can be used to identify patterns of activity.

Current cell phone location data is obviously very useful in the event of an immediate threat or crime being committed, and I do not believe anyone is opposed to police using this data.  Law enforcement can also work with carriers to receive what’s called a “tower dump”, which consists of a list of cell phones that have recently connected to a particular cell phone tower.  Both these uses of technology require oversight of how frequently these tools are used, who they are used against, and how they are deployed.

In closing, Crump stated that legislation which adds oversight to the use of technology needs to address where future technology is headed.  For example, surveillance drones will likely soon become a part of our landscape, so it’s important to come up with legislation regarding acceptable drone use before they become widely deployed.

Next, Commissioner of Public Safety Ramona Dohman answered a few questions from the committee.  Most interesting to me was that Kingfish/Stingray (cell phone exploitation devices) have been deployed in Minnesota since 2005 – almost 10 years!  Other interesting points made by Dohman (or her assistants – my notes are terrible) were that data collected by Kingfish was not kept, but that it could be – the claim is that this data would not be very useful.  Also, in response to a question, the identities of the specific officers that access data are not available to the public.

Next up was Minneapolis PD Chief Janee Harteau, who stated that MPD does not have any cell phone exploitation technology and does not have any plans to obtain it.  When MPD has such a need, they get a warrant and make a request to the BCA who handles the technology aspect.  When asked why MPD does not contact the Hennepin County Sheriff’s Office (who also has Kingfish), she could not give an answer – personally, I get the feeling that MPD and Hennepin County Sheriff’s don’t always see eye-to-eye.  Harteau also stated that MPD does not own any drones and has no plans to purchase any drones.  Harteau also was questioned over her department’s policy of keeping license plate reader (LPR) data for 90 days (a time period I consider somewhat reasonable).

St Paul Police Chief Tom Smith was a little more active about stating the benefits of consumer location technology, noting that OnStar could find him if he were in an accident in northern MN, and also touting some of the features of Apple’s iOS7.  He noted that St Paul does not use Triggerfish or Kingfish, and that like Minneapolis, when they need to use that technology, they get a warrant and contact the BCA.  Smith also stated that he and Harteau were both members of the International Association of Police Departments, and that that organization might be able to help draft some model legislation.

After some additional testimony from Olmsted County Sheriff Dave Mueller and MN Sheriff’s Association Executive Director Jim Franklin, things got a little more interesting.  Don Gemberling of the Minnesota Coalition on Government Information raised the possibility of a privacy and civil liberties board in Minnesota (after keenly pointing out that at one point, George Orwell himself was a cop).  He also cited Judge Brandeis’ dissent in the Olmstead case (“if the government becomes a lawbreaker, it breeds contempt for law”) as one reason this board might need to be established, and said that it’s not only the bad guys you have to worry about, but also the good guys who lose control.

Rich Neumeister gave some additional comments, stating that law enforcement has been increasingly trending toward secrecy, and that this trend has been going on a long time.  He noted that even the LPR data took 4 years before it was made public knowledge, and that police in the late 80s used handheld scanners to attempt to listen to phone calls transmitted by cordless phones.  He has also been unable to obtain even the names of the companies that BCA has contracts with.

Last, Deputy Secretary of State Beth Fraser spoke.  She talked briefly about the Safe at Home program, which helps shield victims of domestic abuse from their abusers.  She stated her concern of what happens when an abuser is a member of the law enforcement community, and would like a way for certain data to be deleted that does not have a legitimate use.

Overall, the meeting was about what I expected.  Not a whole lot was accomplished today, but I am grateful for Rep. John Lesch keeping important privacy issues at the forefront of discussion.  As always, feel free to contact me via email or leave a note in the comments.

Smartphone kill switches – a bad idea

A recent Star Tribune article noted that state and federal lawmakers are attempting to pass legislation mandating a “kill switch” for smartphones.  On the surface, this seems like a pretty good idea – after all, many of us are walking around with handheld devices worth hundreds of dollars, and those devices are a natural target for thieves.  If a customer can contact their service provider and get the device permanently shut down, the smartphone loses its value on the black market, deterring the theft in the first place.

But there’s a downside to this kill switch technology, which may not be obvious at first glance.  Some might call it a useful feature, but others see a bug which is more likely to impact users than the problem it solves.

Let’s remember that it’s only the idea of a kill-switch which is useful – the concept is to have it act as a deterrent.  The thief suddenly chooses not to steal your phone because the market for stolen phones is depressed; customers are now able to contact their service provider and have that phone shut down.

Since technical details are still unclear at this early stage, it’s impossible to outline all the ways this concept is flawed.  But there are a few different scenarios which should be outlined in order to note how this kill switch would harm consumers.

The first is the most obvious – that this feature will be abused by law enforcement.  The kill switch will undoubtedly be asked to be activated against someone suspected of committing a crime, and possibly against those who have contacted a suspect.  Taking videos of a police officer is now an act that could revoke your cellular privileges.  Participating in a protest could also result in your phone being shut off since you could use it to communicate with others about where riot police are gathering – it’s for your own safety.

The second thing to remember is that the kill switch is permanent.  So when you’ve lost your phone and may have left it in a cab or between the couch cushions, once your phone has been disabled (which is a good idea if you have any sensitive data on your phone, such as access to your email), you’ll be buying a new one, which is exactly what the kill switch is supposed to prevent.  In the Marketplace article linked above, the subject mentions he’s had his phone stolen three times, and gotten it back twice.  Why bother getting it back if you’ve reported the theft and the carrier has had it rendered permanently inoperable?

There are those out there who think that carriers are refusing to install kill switches on their phones because they sell more phones this way, that phone thefts are a good way to keep reaching into their customers’ pockets.  A reminder about the players in this game is in order: carriers still essentially buy phones from manufacturers like HTC and Apple, and resell them at very little markup – the carriers still make the bulk of their profits through plans.  In fact, the addition of a kill switch to smartphones would negatively impact the used-phone market and force consumers to buy new devices – do you really want to take a chance buying a used phone on eBay if it can be turned off at a moment’s notice or is already bricked?

Next, let’s look at another problem – shadowy hackers!  Anyone out there know how cheaply a fake cell tower can be constructed?  At DEFCON in 2010, it was about $1500.  And if you’ve seen more recent videos of people making these things, you know they’re cheaper and more effective now – there’s no way to stop your phone from connecting to one if it is properly built.  What happens when a fake cell tower transmits a kill signal to every phone that connects to it?  Some police departments already have these fake cell towers – they’re generically called “IMSI catchers” and one commercial model is called KingFish.

If kill switches are mandated by law, expect problems such as those listed above.  Worse yet, if these phones that have kill switches are ever able to be re-activated, thieves will figure it out, the deterrent effect is gone, and phone theft will continue.  Your phone will be almost the same as before, but now could be shut down at any time.

So how do we prevent smartphone theft?  Well, most of us carry objects worth hundreds or thousands of dollars every day – they’re called wallets.  They have IDs, credit cards, and cash in them.  Wallets are often secured in a similar manner to a cell phone – in a pocket or a purse.  But when I get on the bus to go to work, no one is mindlessly playing Candy Crush on their wallet.

I know legislators are well-intentioned, and they’re probably just trying to help.  And they always score points when they take on companies that are generally reviled, like phone companies.  But there are more important battles to fight than this one, and the idea of a cellphone kill switch creates more problems than it solves.

Best 30c3 videos

One of my favorite hacker conferences, the Chaos Communication Congress, has just ended.  The most famous talk so far was given by Jacob Appelbaum, who detailed the ways that the NSA can intercept communications.  It was an interesting talk if you’re following the NSA scandal, and I recommend you watch it – and since it’s going to be freezing cold out tomorrow, what else are you going to do?

But there are some other wonderful talks to come out of this conference.  My personal favorite is called Seeing the Secret State: Six Landscapes.  An artist essentially attempts to “see” secrecy by tracking down the remnants that are still part of the non-secret world.

Another great talk is by Kurt Opsahl of the EFF, who details the NSA revelations and their relation to the law.  I try to pay attention to this and keep all the codenames straight and I still can’t do it, but this is a great one-hour overview.

Two security researchers look into how governments use third-party tools to monitor journalists and dissidents. This talk focuses on governments that are not the United States, and much of the research is firsthand.

If you want some historical context of how governments have always attempted to surveil their citizens, there are a couple of great talks that touch on the subject. The first is an analysis of surveillance and policing during the Romantic Age, and the second is an even broader look at how and why governments act the way they do – frequently to preserve their own power through technology. Both are worth a watch.

Also, learn about how national ID cards are used in China. In a trial city of “only” 10 million, the cards contain information such as medical records and political history, and the talk looks at how this impacts human rights. (Funny how “human rights” is invoked when mass surveillance happens in another country, yet it’s necessary to “prevent terrorism” at home.)

There’s more that you should be watching, but the above talks are probably the most accessible for a non-technical audience.  If nothing else, check out Six Landscapes – fascinating stuff.