[Discussion] Surveillance and the Police State

General observations on surveillance and accrual of police powers.

What really pisses me off is that the CIA is actively working to keep us vulnerable, by having vulnerabilities inserted in American software.

Not sure of the best thread for this, as Information Security is Surveillance-adjacent, and Joy of Programming-adjacent. Do we have a specific thread for Info Sec and related?

RAND Corporation published a really nice analysis of zero-day vulnerability research based on a data set of years of data collected on 0days and their usage. The preface is pretty awful, but the actual report details are pretty good.

http://www.rand.org/content/dam/rand...

https://boingboing.net/2018/05/12/ex...

Cops have a secret, unaccountable system for tracking you by your cellphone. They abuse it frequently, and it is yet another example of the police getting around judges' rulings by finding new technology and saying "this doesn't count."

But, hey, who would have a problem with dirty cops, and friends of dirty cops all being able to track people in real-time by their phones. Something something Blue Lives Matter.

For anyone who remembers, this is an excellent Deep Dive podcast with Bobby Chesney and Steve Vladek of Lawfare and the DC Circuit on the history and legal considerations in the Anwar Al-Awlaki case. It's pretty interesting.

https://www.lawfareblog.com/national...

Anyone else think that the 10 year challenge people have been doing on Facebook (where you post your first and current FB pic) is just helping some company with their facial recognition tech?

NathanialG wrote:

Anyone else think that the 10 year challenge people have been doing on Facebook (where you post your first and current FB pic) is just helping some company with their facial recognition tech?

You're not alone.

No. Facebook and Google already have all of your pictures; they don’t need to invent a dumb meme to get them.

LeapingGnome wrote:

No. Facebook and Google already have all of your pictures; they don’t need to invent a dumb meme to get them.

This objection is literally covered in the Wired article.

tl;dr: it isn't about having the pictures or not, it's about having a nice clean dataset for machine learning purposes.

Well, I just learned that TVs are super cheap now because they track and sell your data, so between that and my robot servant Alexa interjecting into conversations she wasn’t asked to participate in, this isn’t surprising.

This could actually convince me to get a Google Home or Alexa or one of those things...

DanB wrote:
LeapingGnome wrote:

No. Facebook and Google already have all of your pictures; they don’t need to invent a dumb meme to get them.

This objection is literally covered in the Wired article.

tl;dr: it isn't about having the pictures or not, it's about having a nice clean dataset for machine learning purposes.

Eh, to me that theory doesn't make much sense. Occam's razor, etc...

As far as the 'listening' assistant devices, the only one I would trust and bring into my house is Apple. Amazon has already had privacy incidents and also proven they are happy to go along with whatever the government wants. Google is literally the world's biggest advertising company. Apple has proven they care about user privacy, repeatedly baked better encryption into their products than the rest of the industry, and gone to court against the government multiple times to protect their users' privacy.

WipEout wrote:

This could actually convince me to get a Google Home or Alexa or one of those things...

Seriously, why not just push the button to turn off the listener?

Robear wrote:
WipEout wrote:

This could actually convince me to get a Google Home or Alexa or one of those things...

Seriously, why not just push the button to turn off the listener?

And why would you trust this thing more than the others? Especially something called Parasite.

Robear wrote:
WipEout wrote:

This could actually convince me to get a Google Home or Alexa or one of those things...

Seriously, why not just push the button to turn off the listener?

If you are going to walk over and push a button every time you want to use it, why have it at all?

Leaping, we usually turn it on for a session, giving multiple voice commands, then turn it off before we leave the room or start doing other things. It's no big deal. However, the initial context was security, and the truth is that implementing security is always more inconvenient than not having it.

Yeah I can see that if for example you want to use it and play something while you are cooking dinner in the kitchen. I think that is the small minority of people that would do that though, and also not how they market the devices.

LeapingGnome wrote:

Yeah I can see that if for example you want to use it and play something while you are cooking dinner in the kitchen. I think that is the small minority of people that would do that though, and also not how they market the devices.

It's also fundamentally not reliable. It's not like they will build a hardware switch to physically disconnect the microphone, and they're not going to secure its network interface well. So it's just a surveillance device waiting for a bored teenager or cyber criminal gang to get bored.

Great for targeting unpaid, disgruntled government employees with access to confidential information, too. Can't imagine where we could find any of those.

lunchbox12682 wrote:
Robear wrote:
WipEout wrote:

This could actually convince me to get a Google Home or Alexa or one of those things...

Seriously, why not just push the button to turn off the listener?

And why would you trust this thing more than the others? Especially something called Parasite.

Largely due to the fact that its source code is openly shared on Github. That's a major sign of trust for me. One could go through the code and "clean" it of any potential threats, unlike the actual smart speakers.

WipEout wrote:

Largely due to the fact that its source code is openly shared on Github. That's a major sign of trust for me. One could go through the code and "clean" it of any potential threats, unlike the actual smart speakers.

Dumb question - how do you know that the code they post on Github is the code that's running in the device?

Jonman wrote:
WipEout wrote:

Largely due to the fact that its source code is openly shared on Github. That's a major sign of trust for me. One could go through the code and "clean" it of any potential threats, unlike the actual smart speakers.

Dumb question - how do you know that the code they post on Github is the code that's running in the device?

Not that I've done it myself, but I'd say the answer to your question is that you build it yourself. So you're free to check over the code, compile it and install it on your own Raspberry Pi.

WipEout wrote:
Jonman wrote:
WipEout wrote:

Largely due to the fact that its source code is openly shared on Github. That's a major sign of trust for me. One could go through the code and "clean" it of any potential threats, unlike the actual smart speakers.

Dumb question - how do you know that the code they post on Github is the code that's running in the device?

Not that I've done it myself, but I'd say the answer to your question is that you build it yourself. So you're free to check over the code, compile it and install it on your own Raspberry Pi.

Ok, but once you've done that, how do you verify that your homebrew device is functionally identical to the real one?

I'm just trying to understand how the software being open source can be used to allay security concerns. To my mind, that only works if there's a way to verify that the code posted on GitHub is the same code that's actually running in the device.

Jonman wrote:
WipEout wrote:
Jonman wrote:
WipEout wrote:

Largely due to the fact that its source code is openly shared on Github. That's a major sign of trust for me. One could go through the code and "clean" it of any potential threats, unlike the actual smart speakers.

Dumb question - how do you know that the code they post on Github is the code that's running in the device?

Not that I've done it myself, but I'd say the answer to your question is that you build it yourself. So you're free to check over the code, compile it and install it on your own Raspberry Pi.

Ok, but once you've done that, how do you verify that your homebrew device is functionally identical to the real one?

I'm just trying to understand how the software being open source can be used to allay security concerns. To my mind, that only works if there's a way to verify that the code posted on GitHub is the same code that's actually running in the device.

I suspect (though I’m not sure) that you can connect to the device and see the version of software running on it, and I further suspect that the version is a git hash (which would allow you to verify that the software running on the system is the same as the thing that you have just in theory downloaded and compiled).

You build the device and install the code yourself. So you download the project from Git, check it over for security concerns, compile, install on a Raspberry Pi you bought yourself, put the Pi in the 3D-printed body, attach it to your smart speaker.

The homebrew device is the real one.
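A worked illustration of the two verification steps raised in the last few posts, added here and not code from any poster or from any smart-speaker project. A git hash identifies source contents (the block reproduces git's blob and tree object ids from scratch), but a hash the device reports about itself is only a claim; tying the bits actually running to the audited source needs a reproducible build whose digest you compare with an image read off the device. The source tree, the device reports and the stand-in `build_artifact` function are constructed for the example, and it assumes a deterministic build and a trusted toolchain.

```python
"""Added example: what a git hash does and does not prove about a device.

Not from the thread or from any smart-speaker project.  The source tree,
device reports and the build stand-in below are constructed for illustration.
"""
import hashlib
from typing import Dict


def git_blob_hash(content: bytes) -> str:
    """Reproduce git's object id for a file: SHA-1 over b"blob <len>\\0" + content."""
    return hashlib.sha1(b"blob %d\0" % len(content) + content).hexdigest()


def git_tree_hash(files: Dict[str, bytes]) -> str:
    """Reproduce git's tree object id for a flat directory of regular files.

    Each entry is b"<mode> <name>\\0" followed by the 20 raw SHA-1 bytes of the
    blob; entries are sorted by name (sufficient when there are no subdirectories).
    """
    body = b""
    for name in sorted(files):
        body += b"100644 " + name.encode() + b"\0" + bytes.fromhex(git_blob_hash(files[name]))
    return hashlib.sha1(b"tree %d\0" % len(body) + body).hexdigest()


def build_artifact(files: Dict[str, bytes]) -> bytes:
    """Stand-in for a reproducible build: a deterministic function of the source.

    Assumption for the example.  A real build has to be made reproducible
    (pinned toolchain, SOURCE_DATE_EPOCH, no embedded timestamps or paths)
    before its digest means anything; this also does not defend against a
    compromised compiler, which is outside what a source hash can show.
    """
    return b"".join(name.encode() + b"\n" + files[name] for name in sorted(files))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_device(report: Dict[str, str], audited: Dict[str, bytes]) -> Dict[str, bool]:
    """Compare what a device claims with what you can reproduce yourself.

    report["tree"]     - the git tree hash the device's firmware says it was built from
    report["artifact"] - sha256 of the firmware image read off the device's storage
                         (not asked of the device's own software, which could lie)
    audited            - the source you actually read on GitHub

    A matching tree hash alone only shows the device *claims* the audited source;
    the artifact digest matching your own rebuild is what ties bits to source.
    """
    local_tree = git_tree_hash(audited)
    local_artifact = sha256_hex(build_artifact(audited))
    claims_ok = report["tree"] == local_tree
    artifact_ok = report["artifact"] == local_artifact
    return {
        "claims_audited_source": claims_ok,
        "artifact_matches_rebuild": artifact_ok,
        "verified": claims_ok and artifact_ok,
    }


# Constructed sample data: the tree you audited, and two device reports.
AUDITED = {"listener.py": b"hello\n", "README": b""}
TAMPERED = dict(AUDITED, **{"listener.py": b"hello\nexfiltrate()\n"})

# Honest device: reports the audited tree and carries an image built from it.
HONEST_REPORT = {
    "tree": git_tree_hash(AUDITED),
    "artifact": sha256_hex(build_artifact(AUDITED)),
}
# Lying device: reports the audited tree hash but runs an image built from TAMPERED.
LYING_REPORT = {
    "tree": git_tree_hash(AUDITED),
    "artifact": sha256_hex(build_artifact(TAMPERED)),
}

if __name__ == "__main__":
    print("honest:", verify_device(HONEST_REPORT, AUDITED))
    print("lying: ", verify_device(LYING_REPORT, AUDITED))
```

The `git_blob_hash` and `git_tree_hash` results match what `git hash-object` and `git write-tree` produce for the same contents, so you can cross-check the example against a real checkout. The lying report passes the version-string check and fails the artifact check, which is the whole reason to compare a digest of the image you pulled off the hardware rather than trusting what the device prints.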

There is still the possibility for a compromised compiler changing how things work. Aaaaand... sadly, that is not a theoretical concern, it's been done.

But it's also not really a thing you can let yourself be super concerned about.