ICE is using fake cell towers to spy on people's phones
forbes.com665 points by coloneltcb 4 days ago
665 points by coloneltcb 4 days ago
Just wanted to advertise that the EFF recently released an open source tool for detecting cell-site simulators. The hardware is like $20 and it's pretty easy to setup yourself. Worth having around to stay aware of what's out there, especially if you live in one of the places recently targeted by the administration.
I wouldn't put it past the US to coerce Microsoft into injecting malicious payloads into these types of projects. EFF is putting complete trust in Microsoft's infrastructure: there's no out-of-band verification not served up by Microsoft itself (is there? It's just GitHub.com's TLS, and in-band SHA-1 hashes stored in the repo itself, which Microsoft controls; it can serve whatever bytes it wants, or different bytes on different requests...)
Microsoft has billions of dollars in US intelligence-cloud contracts and should leap at a chance to get an edge in on those. They've done things like this before; they provided incredible (and illegal!) cooperation with the NSA back at the time of the Snowden Leaks[0].
[0] https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-... ("Microsoft handed the NSA access to encrypted messages" (2013))
> I wouldn't put it past the US to coerce Microsoft into injecting malicious payloads into these types of projects. EFF is putting complete trust in Microsoft's infrastructure: there's no out-of-band verification not served up by Microsoft itself
Isn't a git commit trail basically a Merkle tree of checksums? If any developer tried to do a pull or fetch they'd suddenly get a bunch of strange commit messages, wouldn't they?
Also: code signing is / can become a thing.
I think GP is talking about a scenario where Microsoft would serve either malicious source tree or binaries to just one user, not all of them. that would be fairly hard to detect. but in such scenarios we'd also have to start asking questions about the state of the entire CA ecosystem.
Or detected easily with package builders like Arg Linux's makepkg that ship a hash along with the source URL. As soon as one user gets a different file, he has an alert and the compromised package for later analysis
like I said, if you assume your adversary is the US government then they might as well start issuing rogue TLS certs to target individuals.
It'd be a lot of trouble to interfere with the source, yes.
I think the release files is the place they could most easily tamper - generally they're stored on Github infra so the files could be changed, and the checksum on the download page also altered (or different files and different checksums provided to different people if targeted).
Unless the builds are totally reproducible it'd be tricky to catch.
Possible, yes, but pretty damming to Microsoft's reputation if proof that their infrastructure has been compromised and anyone realizes it's happening. This sort of thing killed Sourceforge when they started shipping adware bundled into installers of the programs they distributed.
> Also: code signing is / can become a thing.
To that end, I started a project last month so that code signing can be done in multiple geographical locations at once: https://github.com/soatok/freeon
I don't know why you'd trust a checksum structure your adversary has complete control over.
That Merkle tree prevents the naive case where the adversary tries to serve a version of a repo, to a client who already has an older version, differing in a part the client already has. (The part the client has local checksums for). They shouldn't do that. The git client tells the server what commits it doesn't have, so this is simple to check.
Code signing could be a safeguard if people did it, but here they don't so it's moot. I found no mention of a signing key in this repo's docs.
The checksum tree could be a useful audit if there were a transparency log somewhere that git tools automatically checked against, but there isn't so it's moot. We put full trust in Microsoft's versions.
Lots of things could be helpful, but here and now in front of us is a source tree fully in Microsoft's control, with no visible safeguards against Microsoft doing something evil to it. Just like countless others. It's the default state of trust today.
Lots of things could be helpful, but here and now in front of us is a source tree fully in Microsoft's control, with no visible safeguards against Microsoft doing something evil to it. Just like countless others
But it's written in rust.
> The git client tells the server what commits it doesn't have, so this is simple to check.
That won't work. The first thing the client does is ask the server for list of references with their oids (ls-refs). It only asks for oids and reports what oids it has after the server responds.
You'd need another way to identify that the client asking for references was the same one you vended the tampered source tree to, otherwise, you'd need to respond with the refs' real oids and the fetch would fail since there's no way to get from the oid the user has to the real one.
Because the developers have just that on their local machine...?
Git is a distributed vcs after all. Every checkout is its own complete git "hub".
Because GitHub can serve different bytes to different people. You log in as one of the project's devs, you get your own consistent, correct view of your project; some other people get malware instead. How do you reconcile the full picture? No one distrusts GitHub. There's no public log which git tools generically check against to see if GitHub is attempting something evil, the way they do with certificate transparency. GitHub is the public log.
Git may be designed as a distributed VCS; and it'd be a different situation if it were used that way in practice. For many projects, GitHub has a full MITM. They could even—forget about the checksums—bifurcate the views in between devs—accept commits from one dev, send over those commits with translated Merkle trees to another dev who has a corrupted history, and they'd never figure it out.
What happens when a dev tries to patch a bug in the malware and nobody can tell what the hell they're talking about?
Yes, but the moment you try to push your local git will complain that you are not aligned with the upstream repo.
Not so. GitHub would remember who you are; advertise to you and to you only a set of fake checksums consistent with your fake view of the repo. Your git client would see nothing amiss—your local fake checksums are consistent with the fake checksums the server sent you. Having accepted your push, the server would ignore the fake checksums, extract the content of your patch, apply it to the genuine repo, and compute a new set of checksums, extending the other checksum tree as if you had pushed directly to it. That's what an MITM is.
This falls apart instantly if you share a hash with anyone else, though. Which is exactly what happens when you send in a PR