I for one want to make sure the criminals aren't intercepting my signal with home-made stingrays; the police have other lawful ways to get what they need.
Edit: fully removing amp from link
Not saying it's effective, but I can understand the reasoning.
The issue is that the baseband should be handshaking cryptographically with your provider’s towers to prevent MITM attempts, and no downgrade should be possible. Between eSIM and 5G, honestly surprised it’s not a standard yet.
Check out https://opencellid.org/ which is an open source WiGLE-esque cell location collection. You can contribute with the TowerCollector android app (also on fdroid).
Mozilla also operates Mozilla Location Services as an API for developers. People can contribute anonymized location data to Mozilla via a settings menu checkbox, or using their special app.
WiGLE of course includes cell tower detection in their wireless geographic logging suite.
In addition to the FCC and FAA, there should be a massive public paper trail for tower construction. The locality, state, and feds are involved in this.
So, in a roundabout way, I think your thoughts were: "If FCC regulated and lists this, why the tower search crap?" The reason is that if you get the FCC, state, and local to OK your tower and use it for long range deer hunting, the FAA maps will still show your 220ft deer stand, but there are likely no cellular transceivers on the tower. On a cell tower there could easily be 2 today, and then 4 next month.
So the location and use of the towers doesn't always coincide with the cellular network equipment hanging off it, which is what would need to be monitored.
Also I'd wager that the open sensor method of opencellid, MLS, WiGLE will give you better data. If you are doing your own research, it would be greatly helpful to compare to the official lists, but you'll need to verify it anyhow.
If anybody is doing this work I would be interested in knowing more about this landscape.
edit: And as others have said, it compares a bit to wanting to keep the location of a lighthouse a secret.
I think this was an example of such a network.
Many carriers lease space on the same towers, or have agreements to lease space from others in certain markets. You almost never get the site placement you want: you are operating in a built environment and have to work within those constraints.
The problem is that knowing the co-ordinates of the tower does nothing to defend against Stingray-like devices: coordinates aren’t a means of authentication.
- Are there future cell technology standards being planned which would make it harder for a 3rd party device to impersonate a cell tower? (e.g. the police would actively need the cell network to help them sign something)
- Why can't we encrypt calls and texts in a way which doesn't let all this stuff get read? Like (handwaving) either trust the network and encrypt with a key they provide, or else some form of end-to-end encryption (where maybe generating keys is part of what happens when you activate a SIM card or something)?
Like, sure the lawsuits are important, but why did we end up with a system where these tools are possible?
The other problem IIRC is virtual towers - when operator A gains improved coverage by renting capacity on a tower of operator B, they want the phone to seamlessly connect to that tower as if it's run by operator A (even if it's not) without the phone being able to inform the customer that hey, you're now connected to operator B - because it might raise confusion about roaming charges, and also give bad PR about coverage which might prompt the customer to switch to that competitor.
What could work is the combination of (a) your phone being able to cryptographically verify if it's really connected to your 'main' operator or someone they explicitly authorized (isn't this something that the 5G and even 4G protocol supports?) and (b) requiring explicit confirmation if connecting to someone that's not. Of course, (a) would mean that for police Stingrays to be recognized as legitimate cell towers, they'd need cooperation from the cell network, but that's IMHO not really a problem, just some paperwork whenever they need to activate a new batch of intercepting devices.
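Steps (a) and (b) from the comment above, as an added toy model in Go (not the commenter's code and not a real 3GPP procedure): the home operator signs the keys of the towers it authorizes, the phone verifies that chain plus a signature over a fresh nonce, and a tower that is authorized but run by a partner operator is flagged for explicit confirmation instead of silent attach. The operator names, message layout and result strings are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Toy model, not a 3GPP procedure: the home operator holds a root signing key
// and issues a signed authorization for each tower key it trusts, including
// partner towers it rents capacity on. The tower proves possession of the
// authorized key by signing a phone-chosen nonce, so a recorded beacon
// cannot simply be replayed by an unauthorized base station.

// TowerAuth is what the home operator hands to a tower it authorizes.
type TowerAuth struct {
	TowerPub  ed25519.PublicKey
	Operator  string // operator that actually runs this tower
	Signature []byte // root signature over Operator || TowerPub
}

func authMessage(operator string, towerPub ed25519.PublicKey) []byte {
	return append([]byte(operator+"|"), towerPub...)
}

// AuthorizeTower is run by the home operator: it signs the tower's key.
func AuthorizeTower(root ed25519.PrivateKey, operator string, towerPub ed25519.PublicKey) TowerAuth {
	sig := ed25519.Sign(root, authMessage(operator, towerPub))
	return TowerAuth{TowerPub: towerPub, Operator: operator, Signature: sig}
}

// VerifyTower is the phone-side check. It returns "attach" for a tower run by
// the home operator, "ask-user" for a tower the home operator authorized but
// someone else runs (explicit confirmation required), and "reject" otherwise.
func VerifyTower(homeRoot ed25519.PublicKey, home string, nonce []byte,
	auth TowerAuth, nonceSig []byte) string {
	// (a) authorization chain: home operator root -> tower key
	if !ed25519.Verify(homeRoot, authMessage(auth.Operator, auth.TowerPub), auth.Signature) {
		return "reject"
	}
	// proof of possession: the tower signed our fresh nonce with that key
	if !ed25519.Verify(auth.TowerPub, nonce, nonceSig) {
		return "reject"
	}
	// (b) authorized, but not the home operator: surface it to the user
	if auth.Operator != home {
		return "ask-user"
	}
	return "attach"
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	towerPub, towerPriv, _ := ed25519.GenerateKey(rand.Reader)
	nonce := make([]byte, 16)
	rand.Read(nonce)
	auth := AuthorizeTower(rootPriv, "OperatorA", towerPub)
	fmt.Println(VerifyTower(rootPub, "OperatorA", nonce, auth, ed25519.Sign(towerPriv, nonce)))
}
```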
You could have an encryption setting in the phone, and the handshake with the network could have a bit telling you the setting isn't supported.
so then you use a vpn and voip instead of using the phone system directly...
We can have E2E encryption on cellphones today, just make calls and send texts over Signal (with other people who also have Signal installed).
Here's an article on using SIM cards as a secure element: https://nelenkov.blogspot.com/2013/09/using-sim-card-as-secu...
I would really like a hardware interface for changing a key, or a mechanism where you flip the card over to expose a separate set of contact plates which have write permissions. Stock Android will allow carriers to fuck with your SIM card sans user permissions.
From a YCombinator comment:
"The way that Qwest CEO Joseph Nacchio so meaningfully resisted the government that he was convicted of insider trading for telling people his company would be successful when it actually relied on a government contract that was pulled in retaliation, which he couldn't use as a defense in court because of national security concerns? For which he served four years in prison, and Qwest no longer exists? That sort of meaningfully resist?
The message to me from that case is clear—if the US government tells you to jump, you answer, how high."
5G also runs on sub-6. The spec defines the modulation and the network; it doesn't hard-spec the frequency.
So the coverage on low band 5G will be the same as 4G.
They have been hiding behind the NDA as a reason they should not have to follow federal disclosure laws, but never in the history of the law has a private contract superseded the law itself.
They also hide behind these same NDAs when criminal defendants get to court and want to challenge the use of the tech on 4th amendment grounds.
Hopefully the ACLU can put an end to that; the government should not be able to contract with any organization that prevents them from disclosing their activity to the public. Seems law enforcement has lost sight of who they answer to, which should be the people of this nation.
Here's a relevant talk from the National Constitution Center, if you want to hear some of the nuance: https://www.youtube.com/watch?v=hW32k7x7zE0
The Third Party doctrine allows the Government to end run the 4th amendment if you disclosed info to a 3rd party.
In this instance, the government is claiming they do not have to talk about the technology at all, even to the point of proving it actually does what they claim.
In criminal trials they treat it as a black box that is magical. This should not be allowed; evidence collected by it directly or as a result of its use should be barred unless the defence has access to the technology for independent review.
The government claims they do not have to disclose anything because they signed a contract with the manufacturer saying they would not disclose anything about the tech.
While stingrays are an issue, the vast majority of spying on cell phone users (read: vast majority of US pop) comes from those other mechanisms which do employ the third party doctrine loopholes. I should have been more specific, but you are right about Stingray.
We need to redefine data ownership in this country, not just to curb police abuse, but to curb the abuse of corporations as well
That extends well beyond the 3rd party doctrine
Police having the ability to spy on everyone with little to no oversight is nightmarish authoritarianism, it's completely against the spirit of American democracy, not to mention in violation of The Constitution.
After two months, only two cities have sent me their search warrant records. All other states have given me rejections saying:
1. The records are on paper and never transcribed.
2. The records are digital, but there's no way to query from a frontend.
3. The records are digital and queryable, but the agency considers the use of queries "creating reports", where tons of states have case law backing this up.
4. Nothing, because they haven't responded yet.
So far I've received three enormous fee estimations of ~500k, ~400k and ~150k. Obviously not affordable.
Chicago is one of the few cities that sent records (though, it took a year). They've sent three separately sized files for the same timeframe - 11k rows, 9k rows, and 20k rows. The data is messy, and there is some very important info missing from their records. Can't speak too much about it yet, since I'm still confirming the reasons. It's been blindingly frustrating trying to get a consistent message about whether the data is even accurate.
All this goes to show that police agencies don't make records on search warrants even remotely easily available to the public, and we have no way of gauging whether our constitutional rights are being upheld throughout the US. It's honestly very sad.
If you want to support this work and our other projects, please consider a donation to Lucy Parsons Labs: https://lucyparsonslabs.com/support/
It's not there to get information, it's there to give the appearance that they give information.
The most used excuse here is it will take "too many resources".
They often follow the same set of steps to legally delay or prevent information going out.
There is a FOI ombudsman, but they are so swamped the backlog is enormous.
> don't make records on search warrants even remotely easily available to the public,
It seems like the right reform would be for all approved search warrants to be automatically posted online one year after issuance.
I know it is unlawful to ask about arrests without convictions as a precursor to employment in at least a few jurisdictions in the US. 
That's probably the case, as I believe warrants can be requested even when court is not in session. As someone who has sat in court a couple times, I can say the only warrant I ever saw a judge issue was a bench warrant.
It'd be a good idea to limit the set of record points to only those that you're interested in.
edit: to be clear, I think the government itself could really do with reeling it back a bit as well - but this very news is a reminder that some people are watching out for the watched.
... and tons more, at https://www.aclu.org/defending-our-rights/court-battles?topi...
> At Trudeau airport, Radio-Canada detected the catcher's presence through the use of a CryptoPhone — a cellphone look-alike that emits red alerts when a fake antenna tries to catch its signal. Several red alerts were received, throughout the afternoon and early evening, in the section of the airport for U.S. departures.
> The devices are operated out of at least five U.S. airports, "covering most of the U.S. population". It is unclear whether the U.S. Marshals Service requests court orders to use the devices.
Once you have a number pop up on the Stingray you distribute that person's photo to all the border agents.
Since airports are one of the very few places where you can positively identify a certain person was there at a certain time, you can combine a passenger list with a device list to get some soft matches to previously unlinked devices.
Combine that linked metadata with other dragnet metadata, and you're going to learn a lot.
There are issues with some units that downgrade your data signal to a slower connection than you would get with a normal cell tower.. but otherwise you would never know the difference.
The person you are replying to is actually making an excellent point as most current methods of detecting stingrays are heavily reliant on the "tower" moving or changing.
Like, if my neighbor is a drug dealer, and the police get a warrant to search their apartment, maybe that's reasonable. If they use that warrant to search every apartment on my block, that's messed up. If they do that without leaving a trace, so I have no idea when or if it has happened ... then I'm living in a panopticon.
They'll just do a parallel construction - use stingrays to find other evidence, scrub stingrays from the record and only go forward with evidence gathered from usage of the stingray.
That doesn’t mean that they don’t pose a threat though.
Big adtech have insane amounts of data and deep pockets but realistically no means to carry out the above, however that doesn't mean big adtech should get a pass.
With who? I'd really like to know who is copacetic with this kind of surveillance state.
Some comments about mm-wave 5G, keep in mind that mm-wave != 5G. But on mm-wave stingray becomes more difficult due to the high directionality of short wavelengths. But at lower bands, there is no advantage of 5G over 4G in terms of resilience over stingray types of attacks (which are basically a L1 middleman attack, similar to age old wifi types of spoofs).
Actually it's a 4G antenna. It's not a stingray, but to me, it's a big step towards it if you're a black hat and can find a way to access the cellphone network.
I have optimism and want to believe most big telco have good security practices and make it extremely difficult or impossible to connect to their network. Although one might be able to do some social engineering and do it, since the cellphone network requires a lot of antenna and manpower to install and maintain them.
For example, imagine you set up a fake company that installs those antennas. How can the telco make sure the antenna is not being moved around (monitoring GPS of the connected smartphones, maybe checking the residency of users to see if something is statistically fishy)? So in short, I tend to think it's not very hard to penetrate cellphone networks, unless the telco spends enough money to secure it and triple check their contractors.
The first paragraph is an intro speech of sorts, then the real content begins. There is an interesting article linked in that part so I want to bring it to the fore.
It seems that a number of factions may have been using "stingray" devices and their contemporary equivalents for some time.
For more insight and details.
To the casual security conscious user, that is probably going to look like a 'stingray', since you will be walking down the street with a gradually dropping RSSI, when all at once, boom, you walk into a five bar signal and life is good.
It covers about a 300 ft radius with the most blessedly beautiful signal you can imagine. Maxes out at 100 Mb/s, since that is all the backhaul it gets from the ISP where it is connected. (Not that I am complaining about 100/100 in the house.)
But it isn't a Stingray. It is a fully secure registered femtocell base station.
Given that it hasn't moved in five years, it may well be on someone's map of established cell towers.
I was involved in the chip architecture for the silicon that is used in the box as well as the software engineer involved in the secure boot path for the cellular modems. It is one large chip with all the modems and application processors in one chunk of silicon. No unencrypted data, air link or Ethernet back haul, ever leaves the die.
From that, I am familiar with the physical design that the manufacturer implemented. (We did a lot of support work to get the manufacturer up and running)
They even go so far as to have a physical 'self destruct' button within the box. If you try to physically open it, it will never boot again.
The service provider states in the documentation (when you get the box) that if you tamper with the device such that the self-defeat gets activated, you have to pay full retail for the now dead box (they provided the femtocell for free if you live in a dead zone).
I laughed when I opened the retail box and that was the first thing in the document stack. Basically a large font "you have been warned"
Do spoofed callers appear on a capture device as the spoofed number?
If so, you could in theory use law to target anyone by calling their number using a spoofed number that is included on a surveillance order. Just keep calling the numbers you want to monitor and the net keeps getting bigger.
Please tell me this is not the case?
If your switch is under your control (say, you're using Asterisk), you can send whatever you want, as demonstrated nearly constantly by all those spam calls.
I personally don't hold the constitution as a sacred document, though I do find that it aligns with my ideals more than the actual policies of modern America. I could respect an organization being opposed to an amendment and deciding not to defend it for that reason, but it's always been weird to me that they have to hide behind a legal rationale rather than just admitting their political opposition to individual gun rights.
I still love the ACLU, and in the past I've given them time (passing out flyers, IANAL) and money despite these reservations. I'm really not trying to hate on them, but I would consider them "off the tracks" in this regard.
You're leaving out the third option, practical.
There are already well funded, effective organizations defending your interpretation of the Second Amendment. It makes little sense for the ACLU to divert resources to that endeavour as a result, even if they agreed with your political view on the individual vs. collective right to bear arms.
The tools should be as powerful as possible. To keep people safe, shouldn't infrastructure be powerful enough to tap anything instantly with proper authorization, even backward in time? Why not?
Then we're focused on making rules better. Isn't that the best thing to do in a system of laws and standards?
Imagine if you could change any aspect of the system to make it more proportional, fair, ethical, whatever. Why not think about asking the right questions, weighing the pros and cons, and tailoring a way to improve it with minimum side effects?
Also, sometimes the regulations are so strict, it's dangerous.
For instance, here's an example where the rules around stingrays being so strict led a guy to get away with murder (in eyes of the judge):
> Circuit Judge Yolanda Tanner said in court Monday that while she is suppressing the evidence “with great reluctance,” Copes is “likely guilty.” https://arstechnica.com/tech-policy/2016/04/citing-unconstit...
I wonder what it would have been like had that case been in Florida, which has sweet inevitable evidence law.
I think a lot of people would disagree with this premise. The argument against it is basically that abuse of powerful surveillance technologies is inevitable precisely because the technology is so powerful. In reality, law enforcement is only incentivized to catch criminals, not necessarily to protect people's privacy or personal freedoms, so LE will abuse these capabilities 100% of the time they have access to them.
A more subtle argument is that bureaucratic oversight of LE is almost always impotent to rein them in and has every reason not to do so due to a lack of accountability. A "fair, ethical" system is fundamentally incompatible with one in which law enforcement has sweeping surveillance capabilities and the lack of oversight which always results from any sufficiently large/slow/complex legal system.
What would be some examples of an abuse?
What would be some examples of a powerful surveillance technology?
For instance, what "surveillance technology" isn't already an internal diagnostic tool for day-to-day system administration for a telecom/service provider?
Only difference is who picks the target and them having oversight (likely having to provide a predicate/rationale). Why is this so bad?
If there's a lack of oversight, what rules and systems would you suggest to prevent abuse, as you define it?
Also, it is possible to build systems where the admins can access the data or metadata. End-to-end encryption, for example, prevents the admin from seeing the contents of messages. Systems like Tor also prevent any one person from knowing who everyone is and what's being said. Mutual authentication can also help establish that MITM attacks aren't happening, but that's a slightly different problem than when there is access to the back end of the system being used.