Dirtboxes and Stingrays

I have written several items about cell site simulators or Stingrays.  Dirtboxes are stingray-like devices hung from an airplane that DoJ agencies use to capture tens of thousands of cell phones as they fly over hundreds of miles.

I said early on that it was going to be years before the crap hit the fan, but I later said I was wrong.  It is moving much faster.

Senator Grassley (R-IA) and Leahy (D-VT) have been spearheading the effort to get answers from the DoJ.  This post contains two items from Sen. Grassley’s web site about the questions the Senate is asking DoJ about their use of Dirtboxes and Stingrays.

Dec 31, 2014

WASHINGTON – Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) and Ranking Member Chuck Grassley (R-Iowa) pressed top Obama administration officials on the use of cell-site simulators, which can unknowingly sweep up the cell phone signals of innocent Americans.

Recent news reports have chronicled the use of such simulators by law enforcement, explaining that the simulators have the potential to capture data about the location of thousands of cell phones in their vicinity.  Leahy and Grassley previously pressed the FBI about the use of this technology.  In a joint letter sent last week to Attorney General Eric Holder and Secretary of Homeland Security Jeh Johnson, the Senators raised questions about exceptions to a new FBI policy to obtain a search warrant before using a cell-site simulator.  The Senators also asked about other agencies’ use of the technology.

“It remains unclear how other agencies within the Department of Justice and Department of Homeland Security make use of cell-site simulators and what policies are in place to govern their use of that technology,” Leahy and Grassley wrote.

Outlining privacy concerns for innocent individuals, the letter continues: “The Judiciary Committee needs a broader understanding of the full range of law enforcement agencies that use this technology, the policies in place to protect the privacy interests of those whose information might be collected using these devices, and the legal process that DOJ and DHS entities seek prior to using them.”

A signed copy of the December 23 letter to Attorney General Holder and Secretary Johnson is available Here.  Text of the letter can be found below.

December 23, 2014

The Honorable Eric H. Holder, Jr.                                          The Honorable Jeh Johnson
Attorney General                                                                    Secretary of Homeland Security
Department of Justice                                                             Department of Homeland Security
950 Pennsylvania Avenue, N.W.                                            Washington, D.C. 20528
Washington, D.C. 20530

Dear Attorney General Holder and Secretary Johnson:

In recent months, media reports have detailed the use of cell-site simulators (often referred to as “IMSI Catchers” or “Stingrays”) by federal, state and local law enforcement agencies.  Most recently a November 14, 2014, Wall Street Journal article (“Americans’ Cellphones Targeted in Secret U.S. Spy Program”) reported that the United States Marshals Service regularly deploys airborne cell-site simulators (referred to as “DRT boxes” or “dirtboxes”) from five metropolitan-area airports across the United States.  Like the more common Stingray devices, these “dirtboxes” mimic standard cell towers, forcing affected cell phones to reveal their approximate location and registration information.  The Wall Street Journal article reports that “dirtboxes” are capable of gathering data from tens of thousands of cellphones in a single flight.

We wrote to FBI Director Comey in June seeking information about law enforcement use of cell-site simulators.  Since then, our staff members have participated in two briefings with FBI officials, and at the most recent session they learned that the FBI recently changed its policy with respect to the type of legal process that it typically seeks before employing this type of technology.  According to this new policy, the FBI now obtains a search warrant before deploying a cell-site simulator, although the policy contains a number of potentially broad exceptions and we continue to have questions about how it is being implemented in practice.  Furthermore, it remains unclear how other agencies within the Department of Justice and Department of Homeland Security make use of cell-site simulators and what policies are in place to govern their use of that technology.

The Judiciary Committee needs a broader understanding of the full range of law enforcement agencies that use this technology, the policies in place to protect the privacy interests of those whose information might be collected using these devices, and the legal process that DOJ and DHS entities seek prior to using them.

For example, we understand that the FBI’s new policy requires FBI agents to obtain a search warrant whenever a cell-site simulator is used as part of a FBI investigation or operation, unless one of several exceptions apply, including (among others): (1) cases that pose an imminent danger to public safety, (2) cases that involve a fugitive, or (3) cases in which the technology is used in public places or other locations at which the FBI deems there is no reasonable expectation of privacy.

We have concerns about the scope of the exceptions.  Specifically, we are concerned about whether the FBI and other law enforcement agencies have adequately considered the privacy interests of other individuals who are not the targets of the interception, but whose information is nevertheless being collected when these devices are being used.  We understand that the FBI believes that it can address these interests by maintaining that information for a short period of time and purging the information after it has been collected.  But there is a question as to whether this sufficiently safeguards privacy interests.

Accordingly, please provide written responses to these questions by January 30, 2015:

1.    Since the effective date of the FBI’s new policy:
a.    How many times has the FBI used a cell-site simulator?
b.    In how many of these instances was the use of the cell-site simulator authorized by a search warrant?
c.    In how many of these instances was the use of the cell-site simulator authorized by some other form of legal process?  Please identify the legal process used.
d.    In how many of these instances was the cell-site simulator used without any legal process?
e.    How many times has each of the exceptions to the search warrant policy, including those listed above, been used by the FBI?

2.    From January 1, 2010, to the effective date of the FBI’s new policy:
a.    How many times did the FBI use a cell-site simulator?
b.    In how many of these instances was the use of a cell-site simulator authorized by a search warrant?
c.    In how many of these instances was the use of the cell-site simulator authorized by some other form of legal process?  Please identify the legal process used.
d.    In how many of these instances was the cell-site simulator used without any legal process?
e.    In how many of the instances referenced in Question 2(d) did the FBI use a cell-site simulator in a public place or other location in which the FBI deemed there is no reasonable expectation of privacy?

3.    What is the FBI’s current policy on the retention and destruction of the information collected by cell-site simulators in all cases?  How is that policy enforced?

4.    What other DOJ and DHS agencies use cell-site simulators?

5.    What is the policy of these agencies regarding the legal process needed for use of cell-site simulators?
a.    Are these agencies seeking search warrants specific to the use of cell-site simulators?
b.    If not, what legal authorities are they using?
c.    Do these agencies make use of public place or other exceptions?  If so, in what proportion of all instances in which the technology is used are exceptions relied upon?
d.    What are these agencies’ policies on the retention and destruction of the information that is collected by cell-site simulators?  How are those policies enforced?

6.    What is the Department of Justice’s guidance to United States Attorneys’ Offices regarding the legal process required for the use of cell-site simulators?

7.    Across all DOJ and DHS entities, what protections exist to safeguard the privacy interests of individuals who are not the targets of interception, but whose information is nevertheless being collected by cell-site simulators?

Please number your written responses according to their corresponding questions.  In addition, please arrange for knowledgeable DOJ and DHS officials to provide a briefing to Judiciary Committee staff about these issues following the provision of these written responses, but no later than February 6, 2015


Mar 23, 2015

WASHINGTON – ‎Senators Chuck Grassley of Iowa and Patrick Leahy of Vermont, Chairman and Ranking Member of the Senate Judiciary Committee, questioned the Justice Department about reports that federal law enforcement agencies have deployed cell phone tracking technology on behalf of  federal intelligence agencies. In a letter to Attorney General Eric Holder and Acting Deputy Attorney General Sally Yates, the senators ask whether law enforcement’s use of technology capable of scanning data from thousands of cell phones is part of a domestic test operation on behalf of the intelligence community.  The letter follows a media report detailing cooperation between the Central Intelligence Agency and the U.S. Marshals Service to domestically test surveillance technology.

Grassley and Leahy raised concerns about the legal and privacy implications of this technology in a letter last year to Attorney General Eric Holder and Homeland Security Secretary Jeh Johnson.  The senators have not yet received a written response from the Justice Department, as requested in that letter.

The devices mimic cell phone towers to connect with and collect identifying information from cell phones in the area. While reports have indicated that the technology has been deployed for domestic law enforcement purposes, it remains unclear what legal authority and privacy protections are in place for their use.

A signed copy of the letter is available here.  Text of the letter is below.

March 18, 2015


The Honorable Eric H. Holder Jr.
Attorney General
U.S. Department of Justice
The Honorable Sally Quillian Yates
Acting Deputy Attorney General
U.S. Department of Justice

Dear Attorney General Holder and Acting Deputy Attorney General Yates:

In June and December, we wrote to the Department of Justice (DOJ) and other agencies raising questions about the use of cell-site simulators.  Often referred to as “IMSI Catchers,” “dirtboxes,” or “Stingrays,” these devices mimic standard cell towers and force affected cell phones to reveal their approximate location and identifying serial number.  Although we understand that some versions of these devices can intercept and collect the content of communications, the Federal Bureau of Investigation (“FBI”) and the United States Marshals Service (“USMS”) both maintain that they do not use the devices in this way.  These agencies have also reported that they purge any data collected from non-targeted telephones once an investigation is complete.

Last week, the Wall Street Journal reported that the USMS field-tested various versions of this technology in the United States from 2004 to 2008 on behalf of the Central Intelligence Agency (“CIA”).  If this report is true, such practices raise additional concerns.  In December, we asked about the full range of DOJ entities that use this technology, the policies in place to protect the privacy interests of third parties whose information might be collected by these devices, and the legal process that is sought prior to their deployment, including the information provided to courts that may authorize their use.  DOJ’s failure to answer these questions has heightened our concerns.

Accordingly, please provide written responses to each of the following by March 27, 2015:

1.    Does DOJ policy ever permit the use of cell-site simulators to capture the content of communications domestically?  If so, under what circumstances is this permitted?

2.    Has DOJ or any DOJ entity tested cell-site simulators or other surveillance technology on behalf of the intelligence community, by employing the devices in the course of domestic law enforcement operations?    If so, when, to what extent, and under what legal authority?

3.    What, if any, DOJ policy governs the testing and deployment of new surveillance technology?

4.    Please provide written responses to Questions 1 through 7 of our December 23, 2014 letter, as requested in that letter.

Should you have any questions, please contact Jay Lim at (202) 224-5225 or Lara Flint at (202) 224-7703.  Thank you for your cooperation in this important matter.



Charles E. Grassley
Patrick Leahy
Ranking Member


Facebooktwitterredditlinkedinmailby feather

The Insider Threat – Goldman Sachs Edition

In a somewhat bizarre case, a Goldman Sachs programmer has been convicted for the second time of stealing software that he developed for Goldman (see Wired article).  The first conviction was overturned and the second may be nullified by the judge.

Sergey Aleynikov was convicted in 2011 on espionage and theft of trade secret charges.  He was accused of stealing the source code for Goldman’s high speed trading platform he helped develop prior to leaving for another firm.

The following year the conviction was reversed because the code is not physical property, according to the appeals court and so the theft statute he was charged under did not apply.

After the reversal, Sergey was released from prison after serving 1 year out of his original 8 year sentence.

Goldman, not being happy that the conviction was overturned, worked with the NY District Attorney and he was charged him under state law (the initial conviction was under Federal law) with “unlawful use of secret scientific material” and “unlawful duplication of computer related material”.  He was found guilty of the first charge and acquitted on the second.  I am not sure how that might work, but that was what the jury decided.

Sergey was earning $400,000 a year at Goldman when he decided to take a new job with Teza Technologies which would have paid him $1.2 million.

A few days before he left Goldman, he downloaded and encrypted code he had worked on and transferred it to a website hosted in Germany.  Then he erased the program he used to encrypt the files.  He also attempted to delete the log files showing his activity.  This does not seem to me like the activities of a person who thought what he was doing was legal.

His story was that he only intended to collect open source software.  According to his attorney, only 32 megabytes of the 1,224 megabytes of code he took was proprietary.  If true, that would tend to support his claim.

The appeals court said that because he did not assume physical control over anything when he took the source code, he did not deprive Goldman of its use, therefore he did not steal anything.

Apparently, the judge in the second case is skeptical of the conviction and may overturn it.  If that doesn’t happen, I assume Sergey will appeal it.

So what does all this mean?

To an employer concerned about insider threats,  it means that it is not limited to low-compensation employees and it is not limited to physical objects.  It also means that it is very difficult to actually obtain a conviction (this happened in 2009).

To an employee, it means that your actions may be viewed very differently by an employer than by you and even if you think what you are doing is legal, your employer may not agree.  And, if your employer disagrees with your interpretation, your life will be hell for a long, long time.

With Sergey earning almost half a million dollars a year and Goldman being pretty profitable, a LOT of money has been spent on this over the last 6 years.  AND, it is not over yet.

Also, the police did not find any of Goldman’s code on Teza’s computers, so it was not a cut and dried case of someone stealing code to take to his new job.

The scary part is that this is an easy case – they have the proverbial smoking gun and six years later it is not settled.  What about those cases where the employer never even found out about.

What this says is that the entire problem of insider theft is a pretty messy problem and it is not going to become any easier in your lifetime or mine.

Facebooktwitterredditlinkedinmailby feather

Banks Fight Back Against Third Party Information Providers

Below is an interesting ad from the J.P. Morgan Chase home page:


They go on to say that you could be responsible for any losses if you do.  They say don’t share your login password for Chase.com with third party sites that offer budgeting, managing and other services.

In fact, the user agreement says this:

If you disclose your Card numbers, account numbers, PINs, User IDs, and/or Passwords to any person(s) or entity, you assume all risks and losses associated with such disclosure. If you permit any other person(s) or entity, including any data aggregation service providers, to use the Online Service or to access or use your Card numbers, account numbers, PINs, User IDs, Passwords, or other means to access your accounts, you are responsible for any transactions and activities performed from your accounts and for any use of your personal and account information by such person(s) or entity.

There are two ways to look at their ad, both of which, I think, are valid.

First, if you give out your password to another site, say Mint (I’m not picking on them, it is just a popular aggregation service), that aggregates your financial data, you may well be responsible for any fraud that occurs.  If they are hacked, it is your bank account that is at risk.  At best, you will have to fight to prove that you didn’t do the transaction.  The bank could say that by giving them your password, you authorized them to do whatever they did, so it is your problem (which is exactly what it says in the user agreement).  Also, since it was done with your userid, it will be hard to prove that it wasn’t you.  The bank could say that someone logged in with your userid and password, that there is no evidence of hacking, so you must have done it.

The second way to look at it is that the bank wants to be your trusted financial advisor.  They want you to come to THEIR web site so that they are the center of your financial universe.  If you use a third party site, they become much less relevant to you, which will not make them very happy.  You might never log on to the bank’s web site yourself ever again.  That will make them sad.  It also means that their bank could be swapped out with a different bank and it wouldn’t make any difference to you.

I think both points of view are valid.

So what’s a person to do if they do want to use a third party web site to help them manage their financial life?  I make these recommendations.

First, of course, research the site as best as you can to make sure that they are reputable, have good security practices, their terms of service don’t make you liable for everything they do – stuff like that.

Second, and likely more important, most banks will allow you to create additional userids to access your account data.  Many of them will allow you do grant or revoke permissions to that ID.  This means a little more work for you, but we are talking about your money.

If a web site only does reporting for you, they do not need to be able to issue checks or wire transfers.  Create a userid just for that site and don’t give it those permissions.  If you have another site that does bill pay for you and only needs access to your checking account, only grant it access to your checking account.  DO NOT SHARE IDs ACROSS DIFFERENT SITES.

If you have already given out your password to some other site, change your password and then create a new ID for them with the right permissions.

This includes, by the way, if you give your accountant or bookkeeper access to your banking site – give each of them their own ID.

By giving each entity that has access to your money it’s own ID, IF there is a problem, you have a much better chance of figuring out where the problem came from.

Facebooktwitterredditlinkedinmailby feather

Why Hackers Are Winning

Microsoft just patched a bug this month (see article) that potentially allows a hacker to take over your computer and for sure allows a hacker to crash it – repeatedly – all because they forgot to check for a carry overflow in an addition operation.  It potentially affects 70 million web sites and is being actively exploited as you read this.

I will try to make this as non-geeky as I can.

Windows runs in two modes – user mode, where MOST programs run and kernel mode, where certain parts of Windows runs.  In kernel mode, a program can do anything it wants – talk to the hardware, whatever.  The goal should be that as little as possible runs in kernel mode because if the programmers make a mistake, it can be, to say this kindly, catastrophic.

If a program needs to ask Windows to perform certain tasks for it, it makes system calls and each one of these calls has some overhead to it.  If you look at things from a certain perspective, if you move code from user mode to kernel mode, it will run faster since in kernel mode it just does stuff instead of asking Windows to “please do this for me”.  However, if there are any bugs, you run the risk of making the hackers VERY happy, since they now control the real hardware of the machine.

A few years ago (when Windows 7 was being written), Microsoft decided to move part of it’s web server into kernel mode to improve it’s performance.  That code runs in most versions of Windows 7, Windows Server 2008 and 2012 and Windows 8.

In this code, they needed to do a calculation about the length of something (which is end-start+1).  If you do this in Excel or in a high level programming language, they make sure that all the eyes are dotted and tees crossed, but operating systems are written in low level languages to improve performance and in that case you are on your own.

Without going into details, they forgot one part of the calculation (checking for a carry out) and the result is that under certain circumstances, the server will crash.  There are a lot more details, but that is not important for this post.

One stupid check missing can cause the server to crash.  Potentially affecting 70 million web sites (note:  it is only a problem if site has kernel caching turned on, which is the default).

Of course, the hackers know, now that Microsoft has released a patch, what the problem is and have been crashing web sites right and left.  And, Microsoft thinks, a hacker might be able to execute any code she wants to as a result of this bug.

Even though Microsoft calls this a critical patch, 10’s of millions of web sites have not been patched and are at risk.

And while Microsoft got caught this time, it happens to Apple, Google, and anyone else that writes programs.  This stuff is very complicated and always has bugs – some more critical than others.

The programmer has to get it right every time.  The hacker only needs to get it right once.  This is ESPECIALLY true if the code is running in kernel mode.

And remember, that testing only confirms the presence of bugs, not the absence of bugs, so testing would be unlikely to test for a length of exactly 0 – 18,446,744,073,709,551,615 , which is the ONLY length that will cause the server to crash.

Which is why the hackers are winning.

Facebooktwitterredditlinkedinmailby feather

Drone Vandalism – Really

Wired reported today that the age of drone vandalism has come.  Early Wednesday morning, the graffiti artist/vandal known as KATSU used a hacked Phantom drone to deface a 6 story tall Calvin Klein billboard on Houston Street in New York City and posted the tagging of the billboard on You Tube.  Given what he did was completely illegal, it is not clear if You Tube is going to take it down (for the moment, the video is below).

What KATSU figured out how to do is (a) hack a drone, (b) attach a spray can to the drone, (c) control the spray can remotely and (d) tag the face of Kendall Jenner on the billboard, 7 stories up, in a very busy intersection in lower Manhattan, all the while videoing the episode.  Then he posted it on You Tube and got Wired to write about it.  As an exercise in how to get PR for yourself, that rates an A.

Whether the NYPD will arrest him is another matter because it is not clear that they have any evidence, admissible in court, against him.  In the video, you don’t see his picture, you don’t see anyone controlling the drone and the video is obviously edited.

I am sure that Calvin Klein is not happy.  I do not know if they have already redone the billboard as I doubt there is any way to clean the graffiti off, even if you were hanging off the roof of the building 7 stories up.

The entire episode took about a minute.

From the security perspective, at this point in time, it is not surprising that he was able to hack the drone.  Why he hacked the drone is not clear (maybe deniability – it wasn’t his drone?), but what is of concern is that, as the FAA starts to license drones to businesses, will Amazon’s drones, for example, deliver packages as well as tag billboards.  If you cannot keep control of the drones, you cannot assure people that this won’t happen.

And, given that someone was able to land a gyrocopter on the front lawn of the Capitol last week, could you program a hacked drone to deliver some sort of payload into say, the Super Bowl.  The possibilities are endless and I am sure that the various authorities are losing sleep over it. The Secret Service was flying drones over the White House at 2 AM in an effort to figure out countermeasures.  If the drone is hacked to disable things like remote recall and ignore GPS signals, it would be likely hard to take control of it by the authorities, if you even had enough time to round up the troops to do it.  If the drone contains, for example, an altitude controlled detonator and you shoot it down, have you in fact done the terrorist’s job for them?  Unfortunately, there are no simple answers.


Facebooktwitterredditlinkedinmailby feather

How Much Is Your Privacy Worth? How About $29/Month?

AT&T rolled out its Google Fiber competitor (see article) in the Kansas City, Mo.  area (Leawood, Lenexa, Olathe, and Overland Park, Kan. ) for the same price that Google charges – $70 a month.

However, if you would prefer that AT&T not track the web pages you visit, the time you spend at each, the links or ads you see and follow and the search terms you enter — THAT will cost you an extra $29 a month.  They call this Big Brother service “AT&T Internet Preferences” and if you would prefer not to be preferenced, plan to fork over another $29 each month.

One would assume that this number is close to the amount of revenue they get from selling that data to advertisers.

Google says that they don’t collect browsing history on Google Fiber customers.  Google says that it collects additional data for Google Fiber customers, but that it doesn’t NECESSARILY combine that with data that they collect when you visit all those other Google services like You Tube, Picasa, GMail and many others.

Although AT&T warned that they might pause their fiber rollout to get even with the FCC for their net neutrality ruling, apparently that is not happening just yet since they just announced a list of 100 cities which are new candidates to join Kansas City with gigabit fiber.

This, of course, has nothing to do with the tracking that individual web sites like Amazon or Walmart do – that will continue no matter how much you pay.

So, remember, there is no such thing as a free lunch – even if you pay $70 a month for it.  $99 a month is as close as we come to a free lunch.  Gotta pay for that fiber some how.

Facebooktwitterredditlinkedinmailby feather
Visit Us On FacebookCheck Our Feed