May 21 2018

Spying

You think I was going to talk about the FBI Informant? It’s not a story.

Ok, briefly. This guy, whoever he is, is just like thousands of other FBI informants. He knows a person who is an FBI Agent (or more rarely is specifically recruited because of specialized knowledge or access) and he works at his day job (journalist, academician, business person, whatever). They meet people at lunch, in a meeting, at a gym, and one day some idiot says- “I just ran across this great Tax scam.” or “I know a guy who can get you drugs, how many Kilos do you need?” or “You wouldn’t know it to look at me but I’m the Connecticut River Killer.” Then, instead of just wrestling that person to the ground and calling 911 (that’s always dangerous and they could be kidding), they call their buddy at the FBI and say- “You’ll never believe what I just heard, do you think someone should look into that?”

In this case the informant, who has a life, happens to be a Republican that is active in Party Politics. He meets a moron with the Trump campaign who just can’t wait to explain exactly how the Russians are going to help Trump beat Hillary with a stick (it’s amazing, when I was a politician I’d just stand there, minding my own business and folks would come up and tell me the most intimate details of their locals, who hated who, who was cheating with whom, who was stealing from the treasury, without my even asking). He calls his friend at the FBI and says- “I thought it was illegal for foreign governments to interfere in U.S. elections.”

Duh!

No. I want to talk about the fact that hundreds of millions of people walk around every day with a wiretap and an instant location device riding around in their pocket.

I’m speaking, of course, of their cell phone.

Nearly Everyone In The U.S. And Canada Just Had Their Private Cell Phone Location Data Exposed
by Karl Bode, Tech Dirt
Mon, May 21st 2018

A company by the name of LocationSmart isn’t having a particularly good month.

The company recently received all the wrong kind of attention when it was caught up in a privacy scandal involving the nation’s wireless carriers and our biggest prison phone monopoly. Like countless other companies and governments, LocationSmart buys your wireless location data from cell carriers. It then sells access to that data via a portal that can provide real-time access to a user’s location via a tailored graphical interface using just the target’s phone number.

Theoretically, this functionality is sold under the pretense that the tool can be used to track things like drug offenders who have skipped out of rehab. And ideally, all the companies involved were supposed to ensure that data lookup requests were accompanied by something vaguely resembling official documentation. But a recent deep dive by the New York Times noted how the system was open to routine abuse by law enforcement, after a Missouri sheriff used the system to routinely spy on judges and fellow law enforcement officers without much legitimate justification (or pesky warrants).

It was yet another example of the way nonexistent to lax consumer privacy laws in the States (especially for wireless carriers) routinely come back to bite us.

But then things got worse.

Driven by curiosity in the wake of the Times report, a PhD student at Carnegie Mellon University by the name of Robert Xiao discovered that the “try before you buy” system used by LocationSmart to advertise the cell location tracking system contained a bug. A bug so bad that it exposed the data of roughly 200 million wireless subscribers across the United States and Canada (read: nearly everybody). As we see all too often, the researcher highlighted how the security standards in place to safeguard this data were virtually nonexistent:

“Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location,” said Robert Xiao, a PhD student at the Human-Computer Interaction Institute at Carnegie Mellon University, in a phone call. “The implication of this is that LocationSmart never required consent in the first place,” he said. “There seems to be no security oversight here.”

The researcher notes that one of the APIs in the portal was not properly validating the consent response, making it “trivially easy” to skip the portion where the API sends a text message to the end user attempting to obtain consent (Brian Krebs, who first reported the vulnerability, has also confirmed the problem). Given the New York Times story had been making headlines since its May 10 publication, it’s obviously possible that others discovered the vulnerability. LocationSmart has since pulled their location data tracking portal offline.

Meanwhile, none of the four major wireless carriers have been willing to confirm any business relationship with LocationSmart, but all claim to be investigating the problem after the week of bad press. That this actually results in substantive changes to the nation’s cavalier treatment of private user data is a wager few would be likely to make.
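The article says only that one of the portal's APIs “was not properly validating the consent response,” so the text-message consent step could be skipped. What that class of bug looks like, and how a fail-closed design differs, is easier to see in code. The block below is an added, constructed illustration written for this post; it is not LocationSmart's code, it does not reproduce the actual bug, and every name, phone number and coordinate in it is made up. The vulnerable handler treats consent as something the caller reports about itself and only refuses when told “denied”; the hardened handler treats consent as a fact the server itself recorded when it sent the text and the subscriber answered.

```python
"""Constructed example of a consent-check bypass in a location-lookup API.

Not LocationSmart's code. The phone number, coordinates and function names are
invented for illustration; the point is the difference between a handler that
fails open when the consent response is missing and one that fails closed.
"""
import time

# Constructed sample data standing in for carrier-supplied location records.
CARRIER_LOCATIONS = {"+15555550100": (38.63, -90.20)}

# Server-side record of SMS consent requests: phone -> {"answer", "expires"}.
# Only this server writes here; nothing in a client request can populate it.
consent_store = {}

CONSENT_TTL_SECONDS = 300


def send_consent_sms(phone):
    """Simulate texting the subscriber 'Reply YES to share your location'.

    Records a pending request so the reply can later be checked server-side.
    """
    consent_store[phone] = {"answer": None, "expires": time.time() + CONSENT_TTL_SECONDS}


def subscriber_replies(phone, answer):
    """Simulate the subscriber's SMS reply reaching the server."""
    rec = consent_store.get(phone)
    if rec is not None:
        rec["answer"] = answer.strip().upper()


def lookup_vulnerable(request):
    """Fail-open handler: the 'consent response' is read from the request itself.

    The check only blocks when the caller explicitly says 'denied'. A caller
    who never triggered the text, or who simply omits the field, is treated
    as consented and gets the location. This is the shape of bug the article
    describes: the consent step exists, but its outcome is never validated.
    """
    phone = request["phone"]
    if request.get("consent") == "denied":
        return {"error": "consent denied"}
    return {"phone": phone, "location": CARRIER_LOCATIONS.get(phone)}


def lookup_hardened(request):
    """Fail-closed handler: consent is a server-side fact, not a request field.

    The location is returned only if this server sent the text, the subscriber
    answered YES, and the answer has not expired. Anything the caller puts in
    the request about consent is ignored entirely.
    """
    phone = request["phone"]
    rec = consent_store.get(phone)
    if rec is None:
        return {"error": "no consent request on file"}
    if time.time() > rec["expires"]:
        consent_store.pop(phone, None)
        return {"error": "consent expired"}
    if rec["answer"] != "YES":
        return {"error": "consent not granted"}
    return {"phone": phone, "location": CARRIER_LOCATIONS.get(phone)}


def demo():
    """Walk both handlers through the same three situations; returns the results."""
    phone = "+15555550100"
    consent_store.clear()
    results = {}
    # 1. Caller skips the SMS step and asserts consent in the request.
    forged = {"phone": phone, "consent": "granted"}
    results["skip_vulnerable"] = lookup_vulnerable(forged)
    results["skip_hardened"] = lookup_hardened(forged)
    # 2. Text is sent, subscriber says no.
    send_consent_sms(phone)
    subscriber_replies(phone, "no")
    results["denied_hardened"] = lookup_hardened({"phone": phone})
    # 3. Subscriber says yes within the window.
    subscriber_replies(phone, "yes")
    results["granted_hardened"] = lookup_hardened({"phone": phone})
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two things to notice: the vulnerable handler's check is in the wrong place (the client's claim about consent is the thing being validated), and it fails open, so a missing field is as good as a yes. Binding the answer to a server-side record with an expiry is what makes the SMS step actually gate the lookup.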

What to do? Well, tell your representatives there ought to be a law. Also, invest in an all-cash burner phone. It won’t keep the NSA out but it might protect you from petty harassment.