
FBI would rather prosecutors drop cases than disclose stingray details (2015) - fgeorgy
https://arstechnica.com/tech-policy/2015/04/fbi-would-rather-prosecutors-drop-cases-than-disclose-stingray-details/
======
mirimir
This is not the only situation where investigators are hiding iffy information
sources, and committing perjury. We all know about deals with informants, who
sometimes receive immunity for major crimes, in exchange for their
information.

But the elephant in the corner is DEA's Special Operations Division (SOD).[0]
This funnels information from the CIA and NSA to the FBI, IRS, DHS and USCIS.
But you will find _nothing_ about SOD in _any_ of the cases where it
reportedly played a key role (according to that DEA Museum lecture).

Anyway, there's no evidence that SOD has ever been used except for major drug
cases. But there's no reason to assume that it hasn't been, either.

0) [https://www.deamuseum.org/wp-content/uploads/2015/08/042215-...](https://www.deamuseum.org/wp-content/uploads/2015/08/042215-DEAMuseum-LectureSeries-MLS-SOD-transcript.pdf)

~~~
JumpCrisscross
> _there's no evidence that SOD has ever been used except for major drug
> cases. But there's no reason to assume that it hasn't been, either_

What does this mean?

~~~
jexah
Lack of evidence of something does not equal evidence of non-existence of said
thing.

~~~
will_brown
In the context of Criminal Procedure and Rules of Evidence, the prosecution
has to turn over all evidence (including mitigating evidence) in discovery and
failure to do so means: a. It doesn't exist, b. If it does, the prosecution is
risking mistrial; their career/disbarment; and overturning convictions going
back in time.

~~~
charleslmunger
[https://www.hrw.org/report/2018/01/09/dark-side/secret-origi...](https://www.hrw.org/report/2018/01/09/dark-side/secret-origins-evidence-us-criminal-cases)

You're not wrong, but you're also significantly overstating the risks to
prosecutors. Prosecutors are rarely punished for misconduct.
[http://www.latimes.com/local/politics/la-me-lying-prosecutor...](http://www.latimes.com/local/politics/la-me-lying-prosecutors-20150201-story.html)

~~~
moomin
Indeed it’s so common there’s an accepted term for burying your poison vine:
parallel construction.

~~~
mirimir
This. It has become the norm. I suppose that it's justified by outrage over
the sorts of crime involved. But with SOD and Stingrays, we're talking about
widespread subversion of federal agencies, state police and prosecutors, and
probably at least some judges. It has indeed been a criminal conspiracy. Not
that anyone will ever be prosecuted for it.

------
stuntkite
Is the preference to throw away the case because of all the accessory data
being gathered? I wonder how much this has to do with all the DC stingray
devices[0]. Truly a weird time to be alive. The first Stingray discussion I
saw was at DEFCON 18[1], though that talk was just about 3G/2G. Is anyone
seriously thinking that this shit is safe? I don't know the nuts and bolts of
a current stingray, but I don't think it's $300k black magic. How many similar
devices are running outside of LE identification?

[0] [https://www.wired.com/story/dcs-stingray-dhs-surveillance/](https://www.wired.com/story/dcs-stingray-dhs-surveillance/)

[1] [https://www.youtube.com/watch?v=fQSu9cBaojc](https://www.youtube.com/watch?v=fQSu9cBaojc)

~~~
stevehawk
There's a few reasons to throw away a case, and I make no assertion that these
are why -

* they've identified a legal or technical reason that would render their evidence invalid

* may give up information that would let someone identify which towers are stingrays

* may give up information on where they are or have operated

* may be protecting some not-yet published or not yet well known exploits of the cellular network

> How many similar devices are running outside of LE identification?

Well, foreign versions of these have been found on US soil. No doubt we've
deployed them internationally as well. Spies gonna spy. And it seems safe to
assume that naughty hackers probably prop these up at major events for fun or
profit.

~~~
stuntkite
I wonder if anyone has outlined best practices for going to major public
events? Just a burner cell? I assume airplane mode isn't enough. Faraday cage
bag and keep the phone off until I get outside the event. Since we no longer
really have pay phones, I wonder what best secure SOP is aside from must
"don't go". I think airports and tube stations qualify as minor major events.

I don't just worry about it because of the tracking, but also pushing false
over the air updates. I know 4G is a lot more secure, but I don't fully
understand the current stingrays. With the government saying they don't know
who's running the DC stingrays, it pulls a lot into question for personal
security.

Here's a presentation from last year's Blackhat:

"New Adventures in Spying 3G & 4G Users: Locate, Track, Monitor" by
Ravishankar Borgaonkar and Lucca Hirschi

[https://www.blackhat.com/docs/us-17/wednesday/us-17-Borgaonk...](https://www.blackhat.com/docs/us-17/wednesday/us-17-Borgaonkar-New-Adventures-In-Spying-3G-And-4G-Users-Locate-Track-And-Monitor.pdf)

~~~
jnbiche
> I don't just worry about it because of the tracking, but also pushing false
> over the air updates.

Pretty sure OTA updates are signed, and signatures checked, so you'd need to
steal a vendor's private key. Those are almost certainly kept on a hardware
security module, so it's not an easy task at all.

~~~
kabdib
That's putting a lot of faith in HW manufacturers' security practices. I've
had conversations with ex-employees of a couple of large cell phone firms who
know about their build systems, and am not willing to buy those brands now.

(Think: Dedicated PCs, one builder for each major revision of a phone,
basically unpatched for years, with magic and difficult to reproduce
configurations. Don't know specifically about HSMs, but those seem unlikely
given their level of care and sophistication).

~~~
luma
That's a pretty accurate description of firmware build environments for a
whole lot of products, not just cell phones.

~~~
kabdib
Once upon a time, a certain large maker of a popular video game console lost
the hardware engineer's laptop where the source code for the game controller
firmware was. I don't know the nature of the catastrophe, whether the code was
accidentally deleted, or the drive failed, or perhaps the employee left and
the laptop got recycled. In any event, the source was gone.

Source control? What's that? Sounds complicated and unnecessary. All you need
are files on disk, right?

"Wait, I thought _your_ laptop had the source code. Um..."

They wound up paying a consultant to disassemble the binary and turn it back
into plausible C. For all I know, given the way that those firmware engineers
wrote code, the recreated source was of _better_ quality than the original.
:-/

[I am trying real hard not to turn this into a "how bad can firmware code get"
comment, but I do have to say that this was the same group where one
contractor had written the firmware for a device, consisting of one massive
function with a bunch of goto statements and static variables, with names like
'v' and 'x' and 'xx'. The contractor also seemed to think that removing
whitespace from the program would make the binary run faster...]

------
DannyB2
I have 2 theories about why the EXTREME secrecy surrounding Stingray.

1. It is based on stolen credentials / crypto keys.

2. It is based on exploiting a vulnerability in the protocol.

Either way, secrecy is important. In case 1, if the secret got out, those keys
/ credentials could be revoked and replaced and Stingray would no longer work.
In case 2, if the secret got out, every high school kid would be building a
Stingray and poor people would be spying on rich and powerful people (gasp!).

In case 2, the vulnerability may be something that takes years to fix,
requiring compatibility over the replacement period both to base stations and
mobile equipment as old mobile sets attrition out of the system.

~~~
bradknowles
Given the vulnerabilities that have been recently announced for LTE, it seems
to me that your #2 is much more likely. Anyone with a Software Defined Radio
and the right code could run their own Stingray.

Circumstantial evidence of recent reports of massive increases in suspicious
activities would seem to indicate that this is actually happening.

------
gnu8
This suggests a criminal defense strategy where if someone was up to no good,
they should arrange it so that the investigators are forced to use sensitive
and illegal techniques to obtain evidence, making the case not prosecutable.

~~~
benchaney
Criminals can't force the government to use illegal strategies. This problem
is entirely self inflicted.

~~~
greggarious
> _Criminals can't force the government to use illegal strategies._

Parent said _sensitive_ or illegal.

I think it's perfectly possible to have such state of the art opsec, that the
government would not be willing to out their investigative technique to bust a
run of the mill criminal.

~~~
benchaney
Actually parent says sensitive _and_ illegal, but it is beside the point.
Criminals can't force the government to use their sensitive investigative
techniques either.

~~~
greggarious
> _Actually parent says sensitive and illegal, but it is beside the point.
> Criminals can't force the government to use their sensitive investigative
> techniques either._

You're playing semantics. Written language is not machine code, try not to be
a faulty compiler :)

Sure, a criminal cannot _literally force_ the government to use a sensitive
technique.

But since the government tends to want to investigate all crimes it is capable
of investigating, a criminal can easily create a situation where the costs
involved with a prosecution (disclosing a sensitive technique, causing people
to update opsec accordingly) outweigh the benefits (prosecuting a small time
criminal).

The end result is that the government is figuratively forced to not prosecute
a criminal despite having the capability to prove their guilt.

~~~
benchaney
> But since the government tends to want to investigate all crimes it is
> capable of investigating, a criminal can easily create a situation where the
> costs involved with a prosecution (disclosing a sensitive technique, causing
> people to update opsec accordingly) outweigh the benefits (prosecuting a
> small time criminal).

This is the part I'm disputing. If a criminal could reasonably control what
evidence is available to the government, a better and less risky strategy is
to give them no evidence rather than to give them evidence that they don't
want to use.

~~~
heavenlyblue
What if that evidence reduces your bottom line considerably or reduces your
risk, as opposed to other evidence?

------
S_A_P
I’m curious as to whether or not it is possible to identify a stingray
“tower”. I would love to read more about that.

~~~
dbcurtis
Yes, unfortunately in this under-caffeinated moment I can't recall the right
google search terms. As I recall, there are a small number of root-able
Androids that are suitable for pairing with a RasPi, which together with
suitable software gives you a stingray detector.

~~~
deusofnull
Something like this, perhaps? [https://hackaday.io/project/15711-raspberry-pi-stingray-dete...](https://hackaday.io/project/15711-raspberry-pi-stingray-detector)

Looks like a pretty standard software defined radio receiver that profiles
local cell towers so as to notice when a new, lower power (local) tower is put
up, which you can then assume is some kind of stingray type device. Looks
pretty easy to set up as well.

~~~
DannyB2
A low power cell tower might simply be a legitimate micro-cell, such as in a
home or office where ordinary tower reception is very poor.
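The detector heuristic deusofnull describes (profile the usual cell neighbourhood, then flag a newly appearing cell), with DannyB2's micro-cell caveat handled by an allow-list, as an added example that is not code from the linked Hackaday project or from any commenter. The cell records, the operator codes and the thresholds are constructed for illustration; a real detector would feed these functions from the modem's periodic cell scans.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

@dataclass(frozen=True)
class CellObservation:
    cell_id: int      # cell identifier reported by the modem (constructed values below)
    mcc: int          # mobile country code
    mnc: int          # mobile network code
    rat: str          # radio access technology: "LTE", "UMTS" or "GSM"
    rssi_dbm: int     # received signal strength at the handset
    seen_count: int   # number of past scans in which this cell appeared

def build_baseline(history: List[CellObservation], min_seen: int = 3) -> Dict[int, CellObservation]:
    """Cells that recurred across enough past scans form the 'normal' neighbourhood."""
    return {c.cell_id: c for c in history if c.seen_count >= min_seen}

def flag_anomalies(baseline: Dict[int, CellObservation], current: List[CellObservation],
                   known_femtocells: FrozenSet[int] = frozenset(),
                   strong_dbm: int = -60) -> Dict[int, List[str]]:
    """Return {cell_id: reasons} for cells in the current scan that are not in the baseline.
    A new cell by itself is only a weak indicator (it may be a legitimate micro-cell), so
    extra reasons accumulate as the observation looks less like an ordinary tower.
    Allow-listed femtocells (home/office micro-cells) are skipped entirely."""
    home_operators = {(b.mcc, b.mnc) for b in baseline.values()}
    baseline_has_lte = any(b.rat == "LTE" for b in baseline.values())
    findings: Dict[int, List[str]] = {}
    for cell in current:
        if cell.cell_id in baseline or cell.cell_id in known_femtocells:
            continue
        reasons = ["cell id never seen in baseline"]
        if (cell.mcc, cell.mnc) not in home_operators:
            reasons.append("operator code not among baseline operators")
        if cell.rssi_dbm >= strong_dbm:   # assumed threshold: a very close transmitter
            reasons.append("unusually strong signal for a new cell")
        if cell.rat == "GSM" and baseline_has_lte:
            reasons.append("2G-only cell where LTE coverage is normal")
        findings[cell.cell_id] = reasons
    return findings

# Constructed sample scans, not real survey data.
HISTORY = [
    CellObservation(1001, 310, 410, "LTE", -85, seen_count=12),
    CellObservation(1002, 310, 410, "LTE", -92, seen_count=9),
    CellObservation(1003, 310, 260, "UMTS", -98, seen_count=1),  # seen once: not baseline
]
CURRENT_SCAN = [
    CellObservation(1001, 310, 410, "LTE", -86, seen_count=13),
    CellObservation(2001, 310, 410, "GSM", -55, seen_count=1),   # new, strong, 2G-only
    CellObservation(3001, 310, 410, "LTE", -70, seen_count=1),   # the household's femtocell
]
KNOWN_FEMTOCELLS = frozenset({3001})
```

Running `flag_anomalies(build_baseline(HISTORY), CURRENT_SCAN, KNOWN_FEMTOCELLS)` reports only cell 2001, with three reasons, while the allow-listed femtocell 3001 is ignored.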

------
g0dg0d
It's because they know that what they are doing, collecting up everyone's
cellular data WITHOUT WARRANTS...IS ILLEGAL!

