Archive for the ‘privacy’ Tag

Pretexting is now a Federal Crime

Wednesday, January 17th, 2007

President Bush signs bill banning pretexting
President Bush has signed the Telephone Records and Privacy Protection Act of 2006 into law, making the practice of pretexting illegal. Under the new law, anyone attempting to “knowingly and intentionally” acquire the phone records of a third party by making false representations to a phone company or selling such illegally obtained records will face up to ten years in prison and fines. The penalty can be increased for offenses involving over 50 victims.

I’m interested in seeing the signing statement. It would not surprise me if he has reserved the right for law enforcement to use pretexting to gather evidence, in his “War on Terror.” But then again, why do they need pretexting at all? They could just write a letter.

Hold on to your civil rights !!!

Tuesday, January 16th, 2007

Pentagon and CIA snooping Americans’ financial records
In the wake of 9/11, the FBI was given the power to issue demands, in the form of “national security letters,” for records from financial institutions like banks and credit card companies. Compliance with these demands is compulsory.

The NYT story reveals that the Pentagon and the CIA have been issuing their own, “non-compulsory” versions of the letters that the banks can choose to contest in court. Apparently, banks and other financial institutions are choosing to cough up the documents, and both agencies have used them to obtain information on hundreds of American citizens.

This Ars Technica article goes on to point out that normally the military is prohibited from enforcing domestic law and the CIA is prohibited from spying in the US.

Pentagon officials said they used the letters to follow up on a variety of intelligence tips or leads. While they would not provide details about specific cases, military intelligence officials with knowledge of them said the military had issued the letters to collect financial records regarding a government contractor with unexplained wealth, for example …
(link)

That is of course stupid because they could have (should have) done a background check on the contractor before awarding the contract. No letter would be needed. I wish the government was this diligent when it comes to controlling waste, fraud and abuse by contractors in Iraq.

In case you didn’t know:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Next thing you know, your new roommate shows up saying he has been assigned to “quarter” in your house. For the legally impaired, that is in violation of Amendment III.

Cellphones the new “Open Source” Frontier

Monday, December 4th, 2006

Something has always bothered me about cell phones. As they become more and more complex, they have shifted from being mere communications devices to platforms for applications, but in my opinion we don’t have as much control over what applications are being run on our phones as we do on our PCs. If I wanted to, could I wipe my cell phone and boot it with another operating system? In actuality I don’t know. (I don’t even own a cell phone. Really.) But I doubt it. Somebody correct me if I’m wrong. Here is a good reason why I think we need more control over our cellphones.

FBI using cell phone microphones to eavesdrop
In his memorandum opinion, Judge Kaplan described the roving bug as a “listening device” installed in the defendants’ cellular phones that functioned regardless of whether the phone was powered on. Many models of cellular phones, however, can have their microphones remotely activated via a download—even without the knowledge of the owners. That could be what happened with Ardito and Peluso’s cell phones. It is also possible that the FBI installed a bug directly on the phones. (emphasis mine)

This is not a post disparaging law enforcement. The article cited how this capability should be done. They got a court order to turn a cell phone into a “roving bug”. But I can see that some intelligent yet unscrupulous hacker could sneak an app onto your cellphone to record your conversations, and send him the mp3. Remember, phones are much more complicated now. Complexity is where hackers live. For all of our sakes, I think this has to be the next frontier in the open source movement: to have open source phones that we can use on any cell network, and to use open protocols so that the masses can examine, debug, and improve the protocols that the few engineers that dreamed this up will undoubtedly miss. I know you need to get buy-in from the cell carriers. They lose their “lock in” in such an environment. But if at least ONE forward-thinking company emerges to embrace these methods, and provide free software to switch phones from other carriers to their own, and provide an open platform that developers can cheaply write apps for, and they can provide service and value on par with the major telecoms, that might be disruptive enough to force others to do the same.

Identity Thief Finds Easy Money Hard to Resist - New York Times

Wednesday, July 5th, 2006

One of my favorite series of commercials is the Citibank one that shows the victims of ID theft talking in the voice of those who have stolen from them.
The NY Times has an interesting piece about a real serial ID thief. While this piece does a good job of chronicling the perpetrator’s history as an ID thief, and covering the motivations, or at least what he tells us were his motivations, this being the NY Times and not a more technically oriented publication, it only glosses over the how. Basically the guy said he just used phishing to get the needed data, or bought data from online brokers of stolen data. I’m more interested in some of the social engineering, beyond phishing, that would be necessary for him to pull off some of his scams. Or how he would be able to show up at a dealership with 27,000 in cash, and by cash I mean actual currency, and be able to walk out with a vehicle, no questions asked. In order for someone his age to live such an expensive lifestyle, with no perceivable source of income, he has got to be part con artist. I want to know about that. Knowledge about the con is the only way we can craft policies and procedures to defend against them.

Stolen VA laptop found

Thursday, June 29th, 2006

CNN is also reporting that the SSNs have not been accessed since the robbery. Not sure how this could be verified, but I do recall that the creation, modification, and access dates and times of each file are maintained by the file system. It’s been a minute since I did any REAL work with a PC so I’m not sure. But I think that the more interesting stuff is at the end of the piece:

According to the documents provided to The Associated Press, the analyst, whose name was being withheld, had approval as early as September 5, 2002, to use special software at home that was designed to manipulate large amounts of data.

A separate agreement, dated February 5, 2002, from the office of the assistant Veterans Affairs secretary for policy and planning, allowed the worker to access Social Security numbers for millions of veterans.

A third document, also issued in 2002, gave the analyst permission to take a laptop computer and accessories for work outside of the VA building.

“These data are protected under the Privacy Act,” one document states. The analyst is the “lead programmer within the Policy Analysis Service and as such needs access to real Social Security numbers.”

The department said last month it was in the process of firing the analyst, who is now challenging the dismissal.

It is not the analyst’s fault for being robbed. It is the VA’s fault for having insufficient procedures for handling personal data; the analyst apparently followed established procedures for taking and handling the data. This is not just a problem with the VA but with corporate and government organizations all over.

AT&T, “Your data isn’t yours” BH, “The %$#@ it Ain’t”

Tuesday, June 27th, 2006

Few things in this world get me to cussing. When a grown man gets into my personal business is one of them.

AT&T rewrites rules: Your data isn’t yours
AT&T has issued an updated privacy policy that takes effect Friday. The changes are significant because they appear to give the telecom giant more latitude when it comes to sharing customers’ personal data with government officials.

Let’s understand. Who I call is only the business of me, the person I call, and those entities THAT I HIRE to make the call possible. Being that I am the customer, I feel those ENTITIES in my employ are obliged to keep that information to themselves. THE ONLY exception to this rule is when ordered by a court to do otherwise. I expect their policies and practices to reflect these ideals. Anything less is a betrayal.

I suppose it is a good thing I am not a customer of AT&T. Verizon, this is for you TOO.

FISA Court judge Resigns in protest

Thursday, December 22nd, 2005

Spy Court Judge Quits In Protest
Jurist Concerned Bush Order Tainted Work of Secret Panel

By Carol D. Leonnig and Dafna Linzer
Washington Post Staff Writers
Wednesday, December 21, 2005; Page A01

A federal judge has resigned from the court that oversees government surveillance in intelligence cases in protest of President Bush’s secret authorization of a domestic spying program, according to two sources.

If they don’t need you … might as well go home.

Anonymous Library Cards

Friday, June 3rd, 2005

This is a cool idea to combat the Patriot Act, and the growing erosion of personal privacy.

You’ve seen anonymous cash cards already; you may even have received them before. They’re better known as gift cards. Using the same principle, libraries can issue a borrower card that uses cash, rather than personal ID information, as collateral. Here’s an example: If a privacy-minded user deposits $20 to get an anonymous library card, she can check out The Terror State without identifying herself. Her account balance is temporarily reduced by $15, and when the library checks the CD back in (in good condition), her balance is restored to its original value.

dap:/.

“Get your Aluminum Wallets Here !!!”

Friday, May 6th, 2005

Real ID pretty much sailed through the House. It will most likely do the same in the Senate and be signed into law. C|Net has got a FAQ detailing everything you need to know about this bill, including a link to how each Congressman voted.

What’s going to be stored on this ID card?
At a minimum: name, birth date, sex, ID number, a digital photograph, address, and a “common machine-readable technology” that Homeland Security will decide on. The card must also sport “physical security features designed to prevent tampering, counterfeiting, or duplication of the document for fraudulent purposes.”

Homeland Security is permitted to add additional requirements–such as a fingerprint or retinal scan–on top of those. We won’t know for a while what these additional requirements will be.

One might note that the easiest way to “prevent tampering, counterfeiting, or duplication of the document for fraudulent purposes” is to NOT PUT IT ON THE CARD.

Another Little gem

You said the ID card will be electronically readable. What does that mean?
The Real ID Act says federally accepted ID cards must be “machine readable,” and lets Homeland Security determine the details. That could end up being a magnetic strip, enhanced bar code, or radio frequency identification (RFID) chips.

In the past, Homeland Security has indicated it likes the concept of RFID chips. The State Department is already going to be embedding RFID devices in passports, and Homeland Security wants to issue RFID-outfitted IDs to foreign visitors who enter the country at the Mexican and Canadian borders. The agency plans to start a yearlong test of the technology in July at checkpoints in Arizona, New York and Washington state.

RFID. What the heck does that mean? That means that ANY PERSON with an RFID reader can send a signal to my driver’s license and get the info on it. If a person wanted to tamper with, counterfeit, or duplicate the document for fraudulent purposes, he wouldn’t have to rummage through my garbage, or get me to download spyware onto my computer. I would just have to WALK down the freaking street.

Note to self: I see a future for wallets lined with aluminium foil.