
Bugged, Tracked, Hacked - ghosh
http://www.9jumpin.com.au/show/60minutes/stories/2015/august/phone-hacking/
======
chewxy
The mainstream media is covering this (ABC covered this topic a few days ago
as well: [http://www.abc.net.au/news/2015-08-16/metadata-retention-
pri...](http://www.abc.net.au/news/2015-08-16/metadata-retention-privacy-
phone-will-ockenden/6694152))

But nobody is doing anything. Nobody is making noise. Young people (and I feel
old for saying this) accept this as the norm. Bleh

~~~
FilterSweep
A great sentiment I can agree with, but what exactly are young folks supposed
to do?

\- Protest? Recent events have shown the media will simply turn face and
demonize us as pariahs.

\- Activism? When faced with the backlash from "I have nothing to hide....you
must have something to hide," most people don't know how to respond to this
logical fallacy[0]

\- _Spreading Awareness?_ Now this is something I can get behind. But tell me
how one goes "greyhat" and explains himself to authorities. AFAIK, even POTUS
is given sec disclosures and does nothing on them.

Finally you have to consider the sheer amount of young folks, men and women,
who are now earning their livelihoods from this same issue. I scoff at it as a
developer, but I can't harp on the vast numbers of unemployed seeking ad
revenue on their blogs (which goes hand and hand with massive corporate
surveillance) as a way to make money and support themselves.

[0]:
[https://en.wikipedia.org/wiki/Nothing_to_hide_argument](https://en.wikipedia.org/wiki/Nothing_to_hide_argument)

~~~
orkj
Sorry, not directly an answer to your points. But here goes:

    
    
      - Activism? When faced with the backlash from "I have nothing to hide....you must have something to hide," most people don't know how to respond to this logical fallacy
    

I like the Snowden argument[0] about this one, and try to say it to people as
often as possible. So I am going to repeat it here as well. Maybe then can we
teach people who "don't know how to respond" how to respond:

> Arguing that you don’t care about the right to privacy because you have
> nothing to hide is no different than saying you don’t care about free speech
> because you have nothing to say.

[0]:
[https://www.reddit.com/r/IAmA/comments/36ru89/just_days_left...](https://www.reddit.com/r/IAmA/comments/36ru89/just_days_left_to_kill_mass_surveillance_under/crglgh2)

~~~
bob-2
What about the terrorists? People fear the terrorists. They see the terrorists
doing terrible things every week. Are we willing to sacrifice some of our
rights to our government to better protect us from the merciless, bloodthirsty
terrorists?

While more and more people are seriously considering the question, a good
majority of people would still say yes without any reservation.

Until we can convince the majority of the population we don't need to give up
privacy to continue to be safe, they're going to keep brushing those "anti-
government nutjobs" off. It's just noise to them until they're personally
impacted.

------
some1else
We've had geeks uncover vulnerabilities of GSM and SS7 in Slovenia since 2012:
[https://translate.google.com/translate?sl=auto&tl=en&js=y&pr...](https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https%3A%2F%2Fslo-
tech.com%2Fclanki%2F12003%2F&edit-text=)

Last year a student discovered that Slovenian military and police
communications system TETRA isn't configured to encrypt:
[https://translate.google.com/translate?hl=en&sl=auto&tl=en&u...](https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fpodcrto.si%2Fpolicisti-
kazensko-preganjajo-studenta-ki-je-razkril-varnostne-ranljivosti-tetre%2F)

The official response was to terrorize and prosecute, even in cases of
responsible disclosure. Of course, it's impossible for them to fix issues that
arise from insecure design, but they also seem to be ignorant of the Streisand
effect.

As somebody else commented, we have yet to reach the tipping point, when
general public becomes concerned with the privacy of mobile networks.
Mainstream TV shows like this one might bring that moment closer. I just hope
they do enough fear-mongering before deadly crime happens, or people gradually
accept lack of privacy as the norm. The former is tragic, and the latter paves
the way for oppression.

------
LukaAl
Having a little bit of experience in the telco industry, I could really say a
lot of this topic even without knowing the details of the hacks.

For instance on the IMSI catcher, from what I understood they are a form of
MIM attack where a fake base station connect to your phone and forces it to
switch to non-encrypted mode. Why non-encrypted mode exists? Well, in the past
(20 years or more) encryption was expensive and base station huge and bulky,
none believed it was a conceivable attack. So they introduced a signal to
switch of encryption to increase capacity in emergency.

Now you could trick cellphone to switch to un-encrypted and intercept traffic.
Why this vulnerability hasn't been closed? Many reasons, first of all even if
base station are no longer configured to support this mode, they should accept
unencrypted traffic for inter-operability and the same it's for phones.
Furthermore, it makes a lot easier to implement devices like personal base
station to enhance network coverage in buildings.

Also, there's the "next gen" bug. It is almost 8 years that telco company
think about 4th gen technology, the LTE network and VoLTE. This is an paper a
totally new systems built with new technology and new threat model in mind. It
is not perfect but far better. The issue? Implementation took longer than
expected (as usual) and none want to spend money and time in fixing something
that will be replaced. Sounds familiar?

------
joesmo
Why the hell would you assume a system developed 40 years ago by phone
companies would be secure? That's just insane. We knew this system had holes.
Hell, there's even articles from last year which I found out using Wikipedia
of all places (see below).

The way I see it is this: If it can have security holes, it will have them and
they will be exploited. And what software cannot have security holes? By that
line of reasoning, we reasonably should have known that such a system would
have security holes that would be exploited when it was created in 1975. So
this is hardly news.

[https://www.washingtonpost.com/business/technology/for-
sale-...](https://www.washingtonpost.com/business/technology/for-sale-systems-
that-can-secretly-track-where-cellphone-users-go-around-the-
globe/2014/08/24/f0700e8a-f003-11e3-bf76-447a5df6411f_story.html)

[https://www.washingtonpost.com/news/the-
switch/wp/2014/12/18...](https://www.washingtonpost.com/news/the-
switch/wp/2014/12/18/german-researchers-discover-a-flaw-that-could-let-anyone-
listen-to-your-cell-calls-and-read-your-texts/)

------
getdavidhiggins
Worth watching the CCC talk
[https://www.youtube.com/watch?v=2oCOdGpXvZY](https://www.youtube.com/watch?v=2oCOdGpXvZY)
Personally, finding 'holes' in GSM/3G is a fruitless task, because they are
SIGINT enabled as the default. Finding holes in deliberately weakened systems
makes you look clever, but you're only part of the wider problem of legacy
systems that are deliberately kept online because of arcane lawful
interception 'laws' (they're not really laws, they're just one law for the
police, and none for you).

------
shkkmo
So, the solution is to use encrypted voip and messaging services if you
actually want security? I should start treating phone calls and texts the same
way I treat email?

~~~
shkkmo
anyone know of a libre solution for encrypted voice calls and messages?

~~~
patrickmn
RedPhone and TextSecure

~~~
msh
And signal for iOS

------
scottmcdot
I never thought 60minutes (Australia!) would make it to HN.

