RSA: Geolocation shows just how dead privacy is

Discussion in 'privacy problems' started by ronjor, Mar 3, 2016.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,059
    Location:
    Texas
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Well, privacy is surely dead if you use mobile devices ;)

    So just say no :)
     
  3. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @mirimir

    It'd be nice if that were actually possible while keeping a job.

    Edit: to be a bit clearer, I'm an IT worker. All of my full-time employers thus far have required that I have a smart phone for work stuff - not just a phone, but an Android or iOS smart phone. And the nature of IT work basically means I have had to keep the phone on, and on my person, whenever possible.
     
  4. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Sorry, but that's nonsense. You could argue that point for mobile devices that are cellular, but any other point you try to bring up for non-cellular mobile devices equally applies to any other device (desktop/laptop/etc). They are just smaller computers.
     
  5. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Because of this, I'm still using my trusty 10+ year old Nokia dumbphone that has no wi-fi, no bluetooth, no GPS, no smart OS to hack or install apps (old crummy S30!), nothing. Just plain old calls and SMS.
    Phone and prepaid SIM both paid with cash so there is no exact, well-known ID to tie to this particular number and IMEI.

    So if someone really wanted to go to the effort and geolocate my phone specifically, with only phone number and IMEI at hand, how easy would it be?

    Checking logs from the three last cell towers and doing triangulation from there?
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Well, I was thinking mostly of cellular devices with GPS. With a plain-vanilla cellphone, there's only tower triangulation for the device ID. But devices that use WiFi are also problematic, given geolocation based on AP MACs.

    But my point is that you must choose between mobile connectivity and privacy. Maybe you can use a WiFi only device, and lock it down well enough for decent privacy.
     
  7. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Even the old ones that don't have internet?
     
  8. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Smaller computers which:
    • Are small enough to be carried around far more frequently than other less or non mobile devices. How likely a device is to move around with an individual, and to be able to reveal location and related information, is central to the topic. So we'd focus on things like smaller devices that are carried or worn, devices within things that people ride or ride in, etc.
    • Support some features (GPS receivers, contactless payment systems, sensors) that aren't as common in other less or non mobile devices. Such features have the potential to reveal more information.
    • Aren't as easily/reliably/extensively modified as general purpose computing devices and, in general, are more likely to be running software that is actively degrading privacy in one or more ways. This is changing, as similar traits are being forced upon some desktop/laptop/etc users, but there is still a notable difference here.
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    OK, so you have zero privacy when you're working and on-call. That's just what's so. So you just need to keep in mind that you're under constant observation at those times.
     
  10. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Since you work in IT, I think it's not that hard to install Ubuntu Phone there :p I mean, they require specific programs, like WhatsApp, and not a specific OS. Now, granted, you wouldn't have 100% privacy still, but at least that's a start. I think it's possible to configure Ubuntu Phone to automatically use a VPN or the Tor Network for 100% of its activities; it is still an OS in the end.
     
  11. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    If you are on a carrier data plan, there is no real effective way to spoof or circumvent geolocation. Your location can be determined readily from cell tower triangulation even without GPS. That will be unavoidably tied to any accounts you have on that phone so the only strategy I can think of in the work phone situation is to set up specific work accounts for that phone and to only use it for work. If your phone has no data plan, the carrier can still determine your location but you can get a prepaid phone and never register it in your real name and never tie it to any accounts you use online.

    Using wifi also can give out your location because many hotspots have their location registered in the Google maps database which uses a combination of SSID and MAC address. If you find you have a router that is in the database, change both if possible. You don't need to connect to have a router give out your location. The Google maps API just checks nearby signals for location information.
     
  12. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    A non-cellular mobile device is just as likely to reveal location as a laptop is. It doesn't matter if it has GPS or not when you control how that functionality is activated. Something that can't be guaranteed when using cellular.

    How exactly would they reveal said information, are you assuming they are backdoored? I know it's common for privacy fanatics to go with the rule that the cellular/sim card system is a back door. Sure, let's ride with that. Now how does that apply to a tablet exactly?

    Sorry, but any standard PC or laptop has orders of magnitude more bloatware on them than a mobile device. On top of that, add all the trial software, like evaluation AVs, which expire. Just look at the recent Lenovo and Dell outrages and the privacy and security issues involved... and with PCs/laptops you have an additional issue with all that bloat, performance degradation, unlike OEM apps which sit idle.

    My original point, if you had read it (did you?) is that mobile devices are not somehow inherently more insecure than other devices. With the arguable exception of cellular devices.
     
  13. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Older devices do not make you more secure in terms of privacy, they make you more secure in terms of security through obscurity, i.e. it is unlikely you will be a target of an exploit with software that is so basic, and a phone that next to no one is using.

    In terms of privacy, older devices are worse, because they tend to only support older generation cellular protocols (2G) which have sub-standard encryption.

    So your choice is the potential to be eavesdropped by everyone (2G) or by just the government (4G). As with any encryption method, the older it is, the cheaper it becomes to assault.

    edit: I should also note that by using a newer device that supports encrypted apps like "Signal", you can eliminate the latter 4G problem, by eliminating the use of calls and texts.
     
  14. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
  15. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    If I told you how simple and mundane that task is you would "kill the messenger". Where you work, where you go to church if you do, what restaurants you visit, etc. -> simple simple simple.
     
  16. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    My feeling is that the issue of operational security is far more important than the device type here.

    Clearly, if you are functioning in one role (as @Gullible Jones is in the IT capacity - which also has the disadvantage that there is never downtime from that role!) - then you must not mix it with your other personae, if you are seeking privacy.

    My personal take is that I would not trust a smartphone in those alternative contexts at all, whereas I could mitigate risk better with a dumb cellphone or a privacy-friendly live OS.
     
  17. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    So basically, it's just a few clicks away? Just like in those silly crime series from TV where some agency nerd pulls data out with a few keystrokes?

    I was afraid of that ...

    How accurately can it give my location? Within 1 km? Within 100 m?
     
  18. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    It might not just be the government only that could break 4G.
    According to this http://www.telegraph.co.uk/technolo...951812/4G-inherently-less-secure-than-3G.html
    4G is less secure than previous generations.

    Now, I know that 2G has been broken for a long time and even 3G can be cracked with the help of a rogue cell tower, a massive rainbow table and some supercomputer computing.

    But if that article really is true then I will keep my phone enforced to connect only to 3G network (least easily cracked?) and will not upgrade. No matter how much my p*sky operator wants me to.

    I would like someone to offer a dumb phone for sale that has a really secure OS and apps for communicating (encrypted and all).
    Like Blackphone 1 or 2 but much smaller, simpler and cheaper.
     
  19. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    That article is the definition of FUD, which you should totally expect from a Rupert Murdoch publication.

    Like I said, dumbphones generally don't support newer protocols. In this case, you'd encounter bandwidth issues with the older 2G protocol. It struggles enough without encryption, never mind the increase in bandwidth encryption would add.

    Realistically though, if it supported said apps, then it wouldn't be "dumb".

    But let's theoretically say that this phone was made. If enough people started using it, you'd lose your only source of protection that dumb phones currently provide - security through obscurity.
     
  20. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Might be. But at least that part seems to be true that with 4G, it is an all-IP (packet switched) network (checking other places from the Net).
    But what is the encryption that 4G uses?

    Well, let's call it a "feature" phone then. Anyway, a phone that:

    - Does not even try to support 2G (even if it means you can't make a call/send SMS in some developing country)
    - Supports 3G or "3,5G" (its max speed is what, 7,5 Mb? with HSPA+? enough for crypto?)
    - Has a secure/hardened OS (open source one, please) that is regularly updated.
    - As a bonus, possibly an encrypted, hardened chat/VoIP etc. application? (but mostly just for calls & SMS)

    And that's that.
     
  21. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    That isn't a bad thing, that's why the article is FUD. It doesn't even talk about encryption. It's similar to all the FUD surrounding IPv6. Nothing brings in the money like a good scare story.

    I'm not understanding your end goal. You want it to only support 3G because you're afraid of unlikely negatives of 4G? lol. You need to wake up and stop blindly trusting the "traditional" media. It's a dinosaur heading for the grave.

    When you don't understand how something works, you should research it. You shouldn't be afraid of it, especially not because someone in the media told you to be. Always ask yourself why.
     
  22. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    @elapsed - I wouldn't call it FUD round IPv6. One of the better things a person can do on the client and ISP gateway is to remove it. It provides no benefit for the vast majority of users, and introduces a nasty untested codebase.

    The glibc vulnerability can be traced directly back to the fudges required of DNS to support IPv6, and the protocol simply isn't ready for widespread production-quality scaling.
     
  23. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    That's why I asked what encryption 4G uses. And I mean the connection between user device and cell tower. Not the operator network.

    Hard to do research when much of the freely available stuff is how wonderful and fast and blah, blah, blah 4G is. Those mean zip to me. I'm more interested in how it implements encryption.

    But I managed to find a few resources:

    http://go.radisys.com/rs/radisys/images/paper-seg-ipsec-deployment.pdf
    pages 10 - 14 talk about some risks of switching to an all-IP network and how network operators can patch their unencrypted network with IPsec if they want to.

    and looking from https://books.google.com with keyword "Security Strategies in Web Applications and Social Networking" and going to page 319 gives also some hints of the risks and used encryption (between user and cell tower?), either 3DES (hmmmmm...) or AES (good!).

    So it's not entirely FUD. There are risks (especially if you live in North America) with this operator switch to an all IP-based network where some parts might be unencrypted.
     
  24. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Whilst IPv6 isn't the best comparison since it's not mature (the FUD regarding 4G is discussing a mature protocol) I would still call a lot of the articles damning IPv6 FUD. There have been articles damning it as some form of Y2K like disaster.

    But yes, the various implementations of IPv6 will definitely have teething issues as is to be expected. That's not a reason to fear or avoid it.

    It is FUD. Trying to damn a protocol that has been in use for decades and has thus matured. Funny how the internet isn't somehow imploding.

    If it was me I'd be asking: why is a media outlet that is all for the current government of the UK and pro their proposed spying bills, trying to fear people away from 4G? We wouldn't want people using better forms of encryption now, would we. Figures.
     
    Last edited: Mar 4, 2016
  25. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Thanks.

    Not directly related to the above, but might be of interest and is pretty topical. I haven't gone that far down the rabbit hole and identified the better/up-to-date links, so search terms will have to do:

    "LTE Direct" OR "Device-To-Device" OR (D2D AND discovery) OR (ProSe AND proximity)
     