16 comments

[ 6.4 ms ] story [ 55.7 ms ] thread
The mainstream media is covering this (ABC covered this topic a few days ago as well: http://www.abc.net.au/news/2015-08-16/metadata-retention-pri...)

But nobody is doing anything. Nobody is making noise. Young people (and I feel old for saying this) accept this as the norm. Bleh

It just isn't bad enough yet. If you look at the past it seems that humans will continue to ignore their predicament until it actually becomes unbearable. Take for example Russia in wwI or the French revolution. Action only started happening after people were dying in the streets and everyone was generally miserable.

These days you might feel a bit uncomfortable with sending pictures to a friend. But life in the western world is not uncomfortable enough to spur the masses into direct action. I think the change with regards to spying/hacking/bugging will come slowly and not as a result of mass protesting.

A great sentiment I can agree with, but what exactly are young folks supposed to do?

- Protest? Recent events have shown the media will simply turn face and demonize us as pariahs.

- Activism? When faced with the backlash from "I have nothing to hide....you must have something to hide," most people don't know how to respond to this logical fallacy[0]

- Spreading Awareness? Now this is something I can get behind. But tell me how one goes "greyhat" and explains himself to authorities. AFAIK, even POTUS is given sec disclosures and does nothing on them.

Finally you have to consider the sheer amount of young folks, men and women, who are now earning their livelihoods from this same issue. I scoff at it as a developer, but I can't harp on the vast numbers of unemployed seeking ad revenue on their blogs (which goes hand and hand with massive corporate surveillance) as a way to make money and support themselves.

[0]: https://en.wikipedia.org/wiki/Nothing_to_hide_argument

Sorry, not directly an answer to your points. But here goes:

  - Activism? When faced with the backlash from "I have nothing to hide....you must have something to hide," most people don't know how to respond to this logical fallacy
I like the Snowden argument[0] about this one, and try to say it to people as often as possible. So I am going to repeat it here as well. Maybe then can we teach people who "don't know how to respond" how to respond:

> Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.

[0]: https://www.reddit.com/r/IAmA/comments/36ru89/just_days_left...

What about the terrorists? People fear the terrorists. They see the terrorists doing terrible things every week. Are we willing to sacrifice some of our rights to our government to better protect us from the merciless, bloodthirsty terrorists?

While more and more people are seriously considering the question, a good majority of people would still say yes without any reservation.

Until we can convince the majority of the population we don't need to give up privacy to continue to be safe, they're going to keep brushing those "anti-government nutjobs" off. It's just noise to them until they're personally impacted.

I would rather get burned by "the norm" than something unexpected. At least if I know something is happening, I can plan for it. The fact that young people "accept this as the norm" is encouraging, because it certainly beats the alternative of being completely unaware of it.
(comment deleted)
I never thought 60minutes (Australia!) would make it to HN.
Why the hell would you assume a system developed 40 years ago by phone companies would be secure? That's just insane. We knew this system had holes. Hell, there's even articles from last year which I found out using Wikipedia of all places (see below).

The way I see it is this: If it can have security holes, it will have them and they will be exploited. And what software cannot have security holes? By that line of reasoning, we reasonably should have known that such a system would have security holes that would be exploited when it was created in 1975. So this is hardly news.

https://www.washingtonpost.com/business/technology/for-sale-...

https://www.washingtonpost.com/news/the-switch/wp/2014/12/18...

We've had geeks uncover vulnerabilities of GSM and SS7 in Slovenia since 2012: https://translate.google.com/translate?sl=auto&tl=en&js=y&pr...

Last year a student discovered that Slovenian military and police communications system TETRA isn't configured to encrypt: https://translate.google.com/translate?hl=en&sl=auto&tl=en&u...

The official response was to terrorize and prosecute, even in cases of responsible disclosure. Of course, it's impossible for them to fix issues that arise from insecure design, but they also seem to be ignorant of the Streisand effect.

As somebody else commented, we have yet to reach the tipping point, when general public becomes concerned with the privacy of mobile networks. Mainstream TV shows like this one might bring that moment closer. I just hope they do enough fear-mongering before deadly crime happens, or people gradually accept lack of privacy as the norm. The former is tragic, and the latter paves the way for oppression.

So, the solution is to use encrypted voip and messaging services if you actually want security? I should start treating phone calls and texts the same way I treat email?
anyone know of a libre solution for encrypted voice calls and messages?
RedPhone and TextSecure
And signal for iOS
Having a little bit of experience in the telco industry, I could really say a lot of this topic even without knowing the details of the hacks.

For instance on the IMSI catcher, from what I understood they are a form of MIM attack where a fake base station connect to your phone and forces it to switch to non-encrypted mode. Why non-encrypted mode exists? Well, in the past (20 years or more) encryption was expensive and base station huge and bulky, none believed it was a conceivable attack. So they introduced a signal to switch of encryption to increase capacity in emergency.

Now you could trick cellphone to switch to un-encrypted and intercept traffic. Why this vulnerability hasn't been closed? Many reasons, first of all even if base station are no longer configured to support this mode, they should accept unencrypted traffic for inter-operability and the same it's for phones. Furthermore, it makes a lot easier to implement devices like personal base station to enhance network coverage in buildings.

Also, there's the "next gen" bug. It is almost 8 years that telco company think about 4th gen technology, the LTE network and VoLTE. This is an paper a totally new systems built with new technology and new threat model in mind. It is not perfect but far better. The issue? Implementation took longer than expected (as usual) and none want to spend money and time in fixing something that will be replaced. Sounds familiar?

Worth watching the CCC talk https://www.youtube.com/watch?v=2oCOdGpXvZY Personally, finding 'holes' in GSM/3G is a fruitless task, because they are SIGINT enabled as the default. Finding holes in deliberately weakened systems makes you look clever, but you're only part of the wider problem of legacy systems that are deliberately kept online because of arcane lawful interception 'laws' (they're not really laws, they're just one law for the police, and none for you).