Quirks in Tech

As if having the caloric details of your sex life posted publicly wasn’t enough, new research has exposed additional security vulnerabilities in the popular Fitbit fitness tracking devices.

The ability to hack these devices, at the outset, seems silly: who would bother?

But as more and more organizations provide these to employees, to individuals they insure, and so forth, the desire to ‘game the system’ will increase. The problem is less along the lines of ‘you can capture this data’ - though that is a privacy concern - and more along the lines of ‘how can I beat the system reliably to advantage myself’. 

So, I use two factor authentication for a variety of services. It’s great for security.

It’s also a royal pain in the ass to be (re)inputting secondary authentication information all the time. That basic ‘pain point’ is sufficient to dissuade most people from setting it up. I support Twitter adopting this, and for some people it’ll be awesome. For most people it’ll just be a pain in the ass.

(Source: cybertheorist)

Cunningham writes that AeroFS,

If you want access to the best features of Dropbox or one of its many competitors—automated file syncing between computers, a way to automatically keep old versions of your synced files, etc.—but you don’t want to keep your stuff in someone else’s cloud, AeroFS is a promising service. It can provide file syncing for many clients using your own local server (or, for businesses, Amazon S3 storage that you have more direct control over). 

These are the kinds of projects that are really interesting to see come to fruition. In British Columbia there is pretty intense law that largely precludes public institutions from storing BC residents’ information outside of the province. The law has created a lot of consternation, especially amongst educators, who believe they can’t use ‘next generation’ tools in their classrooms.

Solutions like AeroFS start to bridge that divide, insofar as more and more ‘cloud’ services can be localized within the province and, as a result, be used by teachers and their students. In effect, such products can satisfy users’ demands while also complying with provincial law. Everyone wins.

It’s been widely reported that the DEA San Jose office is unable to conduct surveillance of Apple iMessages. The note is revealing in its very phrasing; the author(s) state that:

While it is impossible to intercept iMessages between two Apple devices, iMessages between an Apple device and a non-Apple device are transmitted as Short Message Service (SMS) messages and can sometimes be intercepted, depending on where the intercept is placed. The outcome seems to be more successful if the intercept is placed on the non-Apple device. (emphasis added)

Note that despite the ‘encryption’ the agent(s) recognize that they can sometimes intercept messages. Importantly they are ‘more successful’ when the intercept is on the non-Apple device. Their phrasing suggests one of the following:

1. Authorities are occasionally able to intercept messages between Apple devices; or
2. Authorities are occasionally able to intercept messages that are inbound to an Apple device that are sent from a non-Apple device.

Either situation is interesting, insofar as the former raises questions of the efficacy of Apple’s encryption process and the latter questions about where a tap is placed pre-encryption in the Apple network. 

More broadly, however, the challenge facing the DEA is one that is already encountered by investigators around the world. In fact, the DEA is in a pretty envious position: most of the major ‘messaging’ companies have some degree of corporate presence in the US and can thus be easily served with a wiretap order. Sure, a host of orders might need to be issued (one to Apple, one to Facebook, one to Google, etc etc) but this is a possible course of action.

Officers outside of the US that want similar access to messages that flow outside of SMS channels experience a different reality. They tend to need a MLAT or other cross-national warrant might be needed. Such warrants are incredibly time consuming and, as a result, resource intensive. These kinds of pressures are, in part, responsible for the uptick in discussions around state agents serving malware to mobile and fixed computing systems: it just isn’t practical to ‘wiretap’ many of these communications anymore, on the basis that the companies running the services are beyond the authorities’ jurisdictions.

So, while encryption is (fortunately) becoming more and more common, this isn’t necessarily the ‘solution’ to third-parties intercepting communications. Indeed, all it means is that attackers (in this case, the state) are targeting the far softer domains of the communications infrastructure: everything around the encryption layer itself.