Monday, July 24, 2017

It’s time for Canada to stand up to China’s censorship crackdown




http://www.macleans.ca/news/world/its-time-for-canada-to-stand-up-to-chinas-censorship-crackdown/


China just strengthened its Great Propaganda Firewall to limit what its citizens can see and read about the outside world. The Liberals should be outraged.




Chinese President Xi Jinping and Canadian Prime Minister Justin Trudeau at the Diaoyutai State Guesthouse in Beijing, China August 31, 2016. REUTERS/Wu Hong/Pool
You won’t hear any loud alarms being rung about this from either the starry-eyed or the sinister China trade enthusiasts in Justin Trudeau’s cabinet, or Global Affairs Canada, the Canada China Business Council or the Asia Pacific Foundation, but the Ministry of Industry and Information Technology in Beijing has made it official.
The Communist Party of China has ordered a shutdown of all unauthorized and unmonitored communication between China’s 1.3 billion people and the outside world. In its formal statements, the Ministry announced that it is closing the last digital breaches in the Great Firewall of China—the outer ring of the regime’s vast snooping, censorship and website-blocking superstructure.


Any VPN (virtual private network), proxy server or special cable service operating without Beijing’s approval, under Beijing’s tight controls, is now outlawed.
Chinese citizens require independent VPNs to access Google, Facebook, Twitter, Instagram, Snapchat, Dropbox, Youtube, Tumblr and all the other web applications that allow one-on-one and group discussions with the outside world that the regime has blocked. The technology research firm GlobalWebIndex reckons that one in three Chinese citizens has used VPNs, which redirect Chinese web traffic through offshore servers, allowing users to access outside-world websites undetected.
The corporate sector needs VPNs too, which is why Beijing has been biding its time. International companies with operations in China will be able to hold onto some perks, at least on paper. Foreign firms will still be permitted to use VPN services—but only to communicate with head office. The VPN must be a Chinese corporation. Sensitive company data must now be stored in China. The identities of every employee using a VPN workaround must be given to the ministry.
Without VPNs to traverse the catacombs under the Firewall or to scale circumvention “ladders” to get over it, Chinese citizens cannot access the regime-banned New York Times, the Wall Street Journal, Le Monde, the Economist, the Financial Times, or Reuters news services—for starters. The CBC has been blocked in China since 2014. According to the results of a URL test attempted Sunday on the freedom-of-information site Greatfire.org, “100 per cent” of CBC’s online presence is off-limits inside China.
The ministry has set a deadline of March 31, 2018 to fully secure the regime’s propaganda wall around China by “urgent regulation and governance” of China’s internet systems, in order to correct what it called the industry’s “disordered development.” To that end, internal censorship has gone into overdrive in recent weeks, most noticeably to cover up the scandal surrounding the torment and July 13 death of the imprisoned Nobel laureate and democracy activist Liu Xiaobo.
A further tightening of the regime’s paranoid censorship of public discussion was already in the works, besides, owing to the upcoming national congress of the Chinese Communist Party, at which President Xi Jinping is expected to further consolidate his stranglehold on the Chinese state. Unless he rewrites the rules, Xi and Premier Li Keqiang are expected to be the only members of the seven-member Politburo Standing Committee who won’t be shuffled out.
The one glimmer of hope is that Beijing’s efforts at an across-the-board VPN clampdown may not even be possible. Fast-moving offshore operators usually pick up a lot of the slack when Chinese VPNs get shut down. Within three years of the regime’s banning of the online edition of the New York Times in 2012, the newspaper had regained its pre-censorship readership through VPNs.
Now, however, it’s not clear how Chinese citizens will find out how to access offshore VPNs, or whether they will risk attempts to go over or under the Firewall. On WeChat and Weibo, two of China’s most widely used (though intermittently non-functioning) discussion platforms, Beijing’s censors have now added “VPN” to the list of keywords that trigger eavesdropping, blacklisting and blackouts.
Last month, the Ministry of Public Security’s Network Security Squad was already issuing orders to internet service providers, warning them to expunge all software that circumvents the Firewall. China’s state-owned telecommunications giants, among them China Telecom, China Unicom and China Mobile, were instructed to bring themselves in line with President Xi’s draconian “internet sovereignty” push. The popular Hong Kong Chinese proxy-service provider GreenVPN told its customers it was being shut down by the authorities in Beijing. Last week, Guangzhou Huoyun Information Technology Ltd. told Reuters that the company had received a directive to begin blocking VPN services. Similarly leaked and off-the-record accounts have been coming fast and thick in recent weeks.
The Ministry of Industry and Information Technology communiques don’t just make it official that a digital Iron Curtain is shutting China off from the rest of the world. The ministry is putting the lie to any further claims by Canada’s China trade lobby and its many friends in the Liberal government that “free trade” talks are about bringing Canadians and Chinese people closer together. That is not what is happening here. We are being driven further apart.
Article 19 of the Universal Declaration of Human Rights, proclaimed by the U.N. General Assembly on December 10, 1948, could not be more plain in this matter: “Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.”
This is not just about the rights of Chinese citizens, to speak freely with one another, without fear, through any media, across frontiers. It is about the rights of Canadians to do the same. It is an inalienable human right that is being trampled upon here, openly and brazenly, and the Liberal government has only one choice in this: to carry on in its disgrace, serving the Chinese slave state as a collaborator and an accomplice, or to stand up for once and fight.

Monday, May 8, 2017

CHINA IN CONTEXT


http://mailchi.mp/epochtimes/without-lips-the-teeth-are-cold?e=772a3f03d9
The Epoch Times
Dear readers,
North Korea, famous for its nuclear brinksmanship, has recently criticized its Chinese ally with unprecedented candor. Recent nuclear and ballistic missile tests have angered the Xi Jinping administration in Beijing, causing something of a fall-out between the two communist powers.
The state-run Korean Central News Agency published a report on May 3, warning China that there would be “grave consequences” for “chopping down the pillar of the DPRK–China relations.” (DPRK stands for the Democratic People’s Republic of Korea.)
Rumors abound that China is preparing armies along the Yalu River to secure its border with North Korea. This signifies a sharp reversal in relations from when the two countries formed a communist bloc that stopped United Nations forces in the Korean War and granted the Kim regime over six decades in power.
But if North Korea collapses, what's in store for Beijing?
As the ancient Chinese political saying goes, “without lips, the teeth are cold.” The end of Kim Jong Un's multigenerational communist regime would weigh heavily on China, which is under another communist regime that formerly, under Mao Zedong, resembled today's North Korea writ large.
Since the launch of China's economic reforms, Pyongyang's eccentricity has allowed China to project an image of normalcy and progress even as grievous human rights abuses—including those unprecedented in the history of totalitarian abuse, such as forced live organ harvesting—took place en masse under the direction of the Chinese regime’s communist leaders.
North Korea's nuclear threat also provided a convenient point of crisis that leaders in Beijing could use to leverage against its neighbors and the United States.
Under Xi, however, Beijing has arrived at a crossroads. The nuclear threat is too grave to tolerate for much longer. And as U.S. President Donald Trump's many recent negotiations with his Chinese counterpart suggest, the Xi administration is open to cooperating to neutralize the Kim regime.
At the same time, viewed from the lens of Communist Party doctrine, Xi and his cohorts cannot afford to simply give up on North Korea, which still holds a solid place in the revolutionary mythos.
Adding another dimension to the problem is the upcoming 19th Party Congress of the Chinese Communist Party, where Xi Jinping has a chance to clear the Politburo Standing Committee of his factional rivals—or spend another five years locked in some degree of political impasse.
How Xi's government handles North Korea, should the crisis flare up again, could make—or break—his designs for the reconstitution of China's leadership.
—Leo Timm
Across China, regional communist leaders affiliated with former regime leader Jiang Zemin continue to trouble the Xi Jinping leadership, writes Larry Ong. Xi and his administration have removed and replaced dozens of provincial leaders shown to be close to Jiang, reducing their numbers by two thirds.

China may be preparing for instability or even national collapse in North Korea, writes Joshua Philipp. According to reports, the Chinese authorities are urgently looking to recruit workers in areas like border security, public security, trade, customs, and quarantine, as well as Chinese-Korean interpreters.

The anti-corruption agency of the Chinese Communist Party has put Vancouver-based real estate developer Cheng Muyang on its wanted list, writes Larry Ong. Cheng, accused of embezzlement and “concealment of illegal gains,” fled China in 2000 and became a political donor. The Canadian Liberal Party and Prime Minister Justin Trudeau continued to accept Cheng’s donations and support, despite a tip off about his background, according to an exposé by South China Morning Post.

China's new impetus to rein in its financial sector has been underway for more than three months. Its effects are already being felt in the financial markets, impacting short-term borrowing rates and the global commodities market, writes Fan Yu. The China Banking Regulatory Commission, under the direction of new chairman Guo Shuqing, has issued a flurry of new policy directives with the goal of regulating the shadow banking sector and reducing liquidity in the banking system.

American universities risk promoting Chinese regime interests via the heavily subsidized and ideologically narrow Confucius Institutes, writes Gary Feuerberg. A Canadian documentary released last year and an April 26 report commissioned by the National Association of Scholars offer new insights on the discriminatory and repressive practices of the institutes.

Canadian human rights lawyer David Matas gave a presentation on the persecution of Falun Gong practitioners in China at a conference held at Presidency University in Kolkata, India, writes Jonathan Zhou. In particular, Matas said that hundreds of thousands of people are thought to have been murdered for their organs under the direction of the Chinese communist regime.

Thursday, April 6, 2017

The "TrumpEffect" at the UN> April 2017 Monthly Forecast "Reviewing Peacekeeping Operations"


PEACEMAKING, PEACEKEEPING AND PEACEBUILDING

Reviewing Peacekeeping Operations

Expected Council Action
In April, at the initiative of the US, the Council is expected to hold a briefing on reviewing peacekeeping operations. Secretary-General António Guterres will brief.
Background
A concept note circulated ahead of the meeting stresses the important role that political foundations play in the success of peacekeeping missions. One of the conclusions of the 2014-2015 review by the High-Level Independent Panel on Peace Operations (HIPPO) was the “primacy of politics”, which implied the need for the Council to bring its collective leverage to bear in support of political solutions. 


In a 25 November 2015 presidential statement, the Council underlined “the significant impact its statements and actions can exert in situations of armed conflict or in support of peace processes.” However, the Council has often failed to agree on a political strategy in support of peace operations for many reasons, including decision-making processes that do not prioritise the emergence of strategic or collective thinking, divergent political priorities, inadequate Secretariat analysis and planning, and host state hostility.

The concept note encourages Council members to review missions and identify areas where mandates no longer match political realities, asking whether it is advisable or possible to operate a mission without the strategic consent of the host government. 

Even though the Council resolved in 2016 to send a regional protection force to Juba in South Sudan, and a police component to Burundi, these decisions have not been implemented promptly, if at all, in part due to the resistance of host states. 

The fact that the resolutions adopting these decisions were non-consensual testifies to the divisions among Council members faced with host state resistance. However, host state hostility has also featured in situations where the Council has continued to unanimously extend mandates of long-standing missions in Darfur and in the Democratic Republic of the Congo (DRC).


The achievability of Council mandates and the need to bridge the gap between expectations and resources have been a key element in the discussions related to peace operations reform since at least 2000. The HIPPO report observed how, in recent years, mandates have become lengthier and more specific, and at times less realistic, manageable or achievable. 

It maintained that “too often, mandates and missions are produced on the basis of templates instead of tailored to support situation-specific political strategies”. This is particularly relevant in missions facing “conflict management” situations for which the concepts, tools, mission structures and doctrine originally developed for peace implementation tasks may not be well suited.

 The Secretariat and the Council have been unable to escape the so-called “Christmas tree mandates”, where template language for many tasks routinely appears in mission mandates. This is influenced by the lack of restraint on the part of Council members—and those lobbying them—in pressing specific issues, and internal Secretariat negotiations reflecting an arbitrage of interests rather than prioritisation. 

Although the 25 November 2015 presidential statement stated that the Council will consider sequenced and phased mandates, where appropriate, when evaluating existing UN peace operations or establishing new ones, so far this agreement in principle has had little impact on the Council’s mandating patterns. Prioritised and sequenced mandates, geared towards the achievement of clear objectives, could also provide a framework for clearer exit strategies. 

The concept note asks what the Council should do in situations where missions serve a valuable protection role, but without any conceivable conclusion to this role, and quotes the HIPPO report’s injunction that “protection mandates must be realistic and linked to a wider political approach.”

One of the issues raised in the concept note is the need for the Council to re-examine the value of a mission where there is no political process or the political process breaks down. In Council practice, most mandates are reviewed at the end of their cycles, irrespective of developments, unless these are especially dramatic, as in South Sudan in December 2013. 

Even though the conditions on the ground might change (for example, an increase in asymmetric attacks, a change in the nature of threats to civilians or the unravelling of the political process), Council members are often reluctant to reassess the appropriateness of mandates in light of bad news in the hope that tactical changes within the existing mandates can mitigate the new threats. 

The HIPPO report recommended that independent evaluations of peace operations should be commissioned at key decision points to provide objective assessments of progress in mandate implementation and overall context. 

The Secretariat has conducted several “strategic reviews” of peace operations, sometimes at the request of the Council, but these have had no independent element.

Some recent dynamics show increased attention to the political context of peace operations: Council members are now regularly inviting regional actors, including mediators, to engage with them, formally and informally; and despite political divisions, Council members are increasingly striving to deliver unified messages after private meetings or during visiting missions.

 At the meeting, Council members are expected to discuss the range of options at the Council’s disposal to exert its political leverage.


The US decision to hold this discussion follows Ambassador Nikki Haley’s statement, in her Senate confirmation hearing, regarding the need for a mission-by-mission review of peacekeeping as well as the intention of the US administration to reduce its peacekeeping funding. 

The case for a close re-examination of the assumptions underpinning Council mandates throughout the life spans of peace operations challenges the past management of mandates by the Council, dominated by the P3 as penholders, as well as by the Secretariat. Other Council members may resist an approach which appears budget-driven, while recognising that these are issues which have not been sufficiently addressed since the HIPPO report.

 Council negotiations regarding the reduction of the troop ceiling in the renewal of the UN Organization Stabilization Mission in the DRC (MONUSCO) have already seen divisions. The briefing constitutes an opportunity for the Secretary-General to lay out his approach to greater effectiveness of peace operations reform and for the Council to have a candid discussion about the way it establishes and oversees mandates.
UN DOCUMENTS ON PEACEKEEPING OPERATIONS
April 2017 Monthly Forecast     www.securitycouncilreport.org/monthly-forecast/2017-04/reviewing_peacekeeping_operations.php
 

Catching IMSI Catchers







 YOUTUBE Transcript

0:05
is my third talk today has anyone made
0:06
all three yeah it's not just too this is
0:10
the third you made all three this is
0:14
just like all right we'll see maybe that
0:15
I've got some after party tickets to
0:17
give away so maybe by the end I'll have
0:21
a worthy challenge for someone okay
0:29
what's on deck today hi I'm Jeff hi nice
0:37
it's my third talk today and pleasure to
0:41
be here with all of you and if somebody
0:43
could get a picture and tweet me with me
0:46
up here with from his backdrop that'd be
0:47
pretty pretty amazing d so what we're
0:51
gonna talk about today is IMSI catchers
0:53
and if you're not familiar with those
0:54
I'll go through it and how you might go
0:56
about detecting them you're going to
0:59
hear an exciting tale of my adventures
1:00
in Vegas looking for them and you're
1:04
going to learn how to avoid being caught
1:06
up in an IMSI catcher so hopefully this is
1:09
you're in the right talk and that's
1:10
where you want to be so I'm Jeff I'm a
1:14
security engineer with security
1:16
innovation we do appsec pen testing
1:18
and advisory to pretty much any area of
1:21
the sdlc we help people build secure
1:23
software that's really my goal I used to
1:27
be a high school prison teacher or high
1:29
school and/or prison teacher and
1:31
university teacher and I work a hundred
1:35
percent from home so it was a big
1:37
stretch to come all the way from Toronto
1:38
to here to be with you today so thank
1:42
you for joining me as well so I'm going
1:46
to go through some definitions and just
1:48
sort of explain the technologies a bit
1:49
i'm not going super deep on the
1:52
technical level but i'll just give you
1:54
an overview so you can understand what's
1:55
going on and then we'll get into some of
1:58
the work I've done so an IMSI catcher
2:01
when you hear IMSI catcher think any rogue
2:04
cellular device designed to capture
2:07
phone traffic often used by police or
2:11
government and the most popular brand
2:13
is sting ray which is sold to police and
2:17
governments by the Harris Corporation
2:18
and the IMSI is your international mobile
2:24
subscriber identity it's unique to your
2:26
cell phone you actually have two you have
2:28
one for your cell phone and one for your
2:29
SIM card they can rotate but it's what
2:33
defines you on the cellular network then
2:36
the carriers will look that up to your
2:39
subscriber information to get your cell
2:43
phone number your address stuff like
2:44
that and one thing that's really
2:46
interesting around these is the vendors
2:49
impose very strict nda's around
2:53
disclosure of how their use or what
2:56
their capabilities are so you can't
2:58
actually even the police in government
3:00
since and in warrant cases where they're
3:04
submitting warrants to the courts can't
3:06
describe in too much detail what these
3:09
technologies do as part of the other
3:11
they'll be in breach of the NDA so they
3:13
keep them pretty tight-lipped in terms
3:16
of their capabilities plenty of room
3:19
down front so this is what they look
3:24
like the one on the top left there is
3:27
the the Harris stingray and they can
3:31
come in different forms you can see them
3:33
in big police vehicles with antennas
3:37
coming up though or you could I'm
3:38
convinced you could probably get them
3:41
down to the size of a cell phone with a
3:43
little bit of a work or you could just a
3:45
little work with your antenna drivers
3:48
and maybe a secondary antenna with your
3:51
cell phone and you might be able to just
3:52
build it into the cell phone in the
3:54
future the one in the top right I'll
3:57
talk a bit a little bit later but it's
3:58
basically a DIY kit that you can make
4:00
your own reasonably inexpensive this is
4:04
a specifications of them if you see in
4:07
the last image in the top left there
4:09
there's the for antenna jacks that's for
4:12
four different antennas that you can
4:15
hook up so they are capable of
4:16
intercepting and monitoring 2g 3G 4G or
4:20
LTE communication simultaneously in both
4:24
see
4:24
and gsm there's the different types of
4:26
networks that your cell phone might be
4:28
on depending on your carrier and that
4:30
the antennas in it the devices can
4:36
launch attacks requesting devices to
4:38
connect over weaker channels so they can
4:41
jam the 4g or 3g networks forcing you to
4:44
go into the 2g network which is of lower
4:46
security and no encryption which would
4:48
then mean they could intercept all of
4:51
your traffic and read your text messages
4:52
and stuff like that even with the 3g
4:55
it's reasonable to assume that they are
4:58
capable of doing that as well there's
5:01
two modes for an IMSI catcher active and
5:04
passive in passive mode it's simply just
5:07
grabbing information out of the air
5:09
whatever it sees in active mode it's
5:13
actively proxying your traffic and it's
5:15
doing its best to convince cellular
5:18
devices to connect to that rogue device
5:21
and then proxy it on to a legitimate
5:25
device but in the middle basically
5:26
does a MITM attack and intercepts all of
5:28
the traffic these are some proven
5:33
stories of how they've been used these
5:36
some of these range from mundane to
5:39
quite scary this is all sourced and
5:41
there's additional information on all of
5:43
the sources by a report written by
5:45
Citizen lab at a Toronto when we think
5:47
about cyber warfare and nation state
5:52
actors and human rights the Citizen lab
5:55
is a research center focused on
5:57
protecting civil liberties so confirming
6:03
the presence of a device in a target's
6:04
home prior to the search thereof so
6:06
let's say you had a search warrant for a
6:08
house and you want to make and you knew
6:10
that a assailant or drug dealer or
6:12
whatever was using the cell phone for
6:15
their business and you want to make sure
6:17
the cell phone was in the house before
6:18
you search the house they have confirmed
6:21
cases of that identifying an individual
6:25
responsible for sending or accessing
6:26
text messages it's been used and
6:29
documented in that case as well so all
6:31
of these there are court documents that
6:33
support these in the report locating a
6:36
stolen mobile device as
6:38
precursor to searching a home in the
6:40
vicinity I don't know the whole
6:42
backstory on that but basically saying
6:44
hey there's a stolen device in there in
6:46
that house we're going to go search the
6:48
house now now locating specific
6:52
individuals by driving around a city
6:53
until that known IMSI number is found
6:56
so you could pretty much just drag net
6:59
and pick up every IMSI number until you
7:02
see the one needle in the haystack you
7:03
find and there are cases of them doing
7:06
that they are mounted on airplanes by
7:08
the United States Marshal Service to
7:10
sweep entire cities for specific mobile
7:12
devices so now you can see where
7:15
everyone is all at once if you don't
7:17
already have access to the cellular
7:19
providers to monitor all devices within
7:23
range of a prison to determine whether
7:25
or not prisoners are using cell phones
7:27
that have smuggled in some of these you
7:30
know get very interesting at least
7:33
there's some i would say scary
7:34
reportedly they've been used at
7:38
political protests to identify everyone
7:40
participating in a protest that's so you
7:42
bring yourself onto a protest they're
7:44
going to know and they're going to
7:45
follow up with you later to monitor
7:47
activity in offices of an independent
7:50
irish police oversight body i don't know
7:52
the full back story on that but when
7:55
you're using it against other governing
7:56
bodies that's pretty interesting as well
7:59
so again all the sources are very
8:00
welcome to look it up these are two
8:04
other cases so we're talking about how
8:06
much are they used there were fourteen
8:08
hundred confirmed cases in baltimore
8:10
alone this came out in the last year and
8:14
actually just just last month by this
8:17
month and they were predominantly used
8:22
in black neighborhoods so they took that
8:24
1,400 those fourteen hundred cases and
8:26
heat map them around areas and then
8:30
geographically around demographic and
8:32
were able to find that those were in
8:33
predominantly black neighborhoods
8:36
suggesting they were over used against
8:38
various races and then thousands of
8:41
times in florida since 2007 for crimes
8:44
as small as someone hanging up on a 911
8:46
operator dialing 911
8:48
and they would go around with the IMSI
8:50
catcher so they are widely used in
8:52
use there it's hard to find
8:55
documentation about it because they come
8:57
out years later in court documents and
8:59
through Freedom of Information requests
9:00
so you don't always know a lot I know
9:03
that the RCMP and Canada are using them
9:06
as well as other European nations but I
9:09
haven't seen any you probably you've
9:10
probably heard more of specific cases
9:12
than I have in the EU the manual for how
9:16
to you how to use one of these things
9:18
was leaked this summer so that's an
9:21
interesting read if you want to have a
9:22
look at that I have you it talks it goes
9:26
into depth about the capabilities how
9:28
they're used there Rizzo what what
9:31
features and options are available in
9:33
different models and this is a
9:34
relatively old document but it only
9:37
finally came out now where to buy one
9:41
unfortunately they're only sold to
9:43
government police military with those
9:46
strict NDA's and high level service
9:48
contracts I can only imagine how much
9:50
they're paying for them but for fourteen
9:51
hundred dollars you can build your own
9:52
there's the link I'm not telling you to
9:55
go build your own you're probably
9:56
illegal in most areas because you don't
9:59
have the rights to broadcast at that
10:01
frequency I don't know where the gray
10:04
areas are around just observing my
10:07
frequency that might be a different case
10:09
so in terms of strategies to find one of
10:15
these devices there aren't really any
10:17
good detection methods they're entirely
10:21
anomaly based and what that means is you
10:25
have to basically walk your entire
10:26
neighborhood and make note of all cell
10:28
phone towers and ids and find you find
10:31
and their location so you walk around
10:33
and you identify everyone you can and
10:35
you continue to do this for a while
10:37
until you're sure you found all of them
10:38
and then you have to continuously
10:42
monitor your area to see if any new ones
10:44
pop up and when those new one pops up
10:46
you suspect it's an IMSI device so you go
10:50
and find it then you can go and tell you
10:52
found it what do you win I don't know so
10:58
there's some tools to help you out
11:00
there's open cell ID which is
11:02
interesting as a database of mostly user
11:04
reported cellular Tate it cellular data
11:07
their devices and the location
11:10
identifiers problem with this is if
11:12
i was a large government and wanted to
11:14
publish wanted to place an IMSI catcher in
11:18
a particular location permanently i
11:19
would just send that data to open cell
11:21
ID as well and that it becomes part of
11:24
the set so you have no there's no real
11:25
verification on this a is it's so
11:29
Android IMSI catcher detector app is the
11:33
tool that I used in this work and it's
11:36
basically every tower device you connect
11:39
to it logs it and then you can map it
11:41
and analyze it and you can compare it
11:44
against the open cell ID data which is
11:45
what I did it does require a rooted
11:47
device so you probably wouldn't use it
11:49
on your regular everyday device which
11:50
makes it harder for you to detect them
11:53
because you'd always have to carry two
11:55
phones with you and then at the same
11:58
time when I was in Vegas this summer at
12:00
Def Con I was walking around looking for
12:02
IMSI catchers Eric Escobar was presenting
12:06
on a on a device he built for fifty
12:08
dollars where you can better triangulate
12:10
devices and he presented this year the
12:12
white papers there and I haven't seen
12:13
the video yet but it's available to you
12:15
as well we're sorry yes so that's for
12:22
fifty dollars my guess is his is
12:23
probably much better at finding the
12:24
exact location than a mobile device so I
12:27
I'm still to build a couple of those all
12:30
right so it's story time just by show of
12:35
hands anybody not familiar with black hat
12:37
or Def Con Vegas it's okay if you want
12:39
to wanna admit it anybody been was
12:44
anybody there this year okay so I'm
12:46
gonna go on to do something that you
12:47
don't have you know first-hand
12:48
experience about the conference or
12:50
anything like that so first thing you
12:53
need to know is that before you go to
12:54
DEFCON or Black Hat everyone warns you
12:57
about how dangerous the networks are in
12:59
in Las Vegas during Black Hat or Def Con now
13:03
accounts range depending on who you talk
13:06
to from a hostile network to the most
13:10
hostile network on earth now
13:14
I'm a hacker and when I hear the most
13:17
hostile network on earth I think hmm can
13:20
I think of any more hostile networks so
13:23
I tried to think about some and I
13:26
thought well I'm sure there's some
13:27
countries where tweeting views in
13:31
opposition to the ruling regime is
13:33
probably pretty dangerous it might get
13:35
you a visit or interrogation or any sort
13:40
of prison or anything like that so that
13:42
seems like it would be a pretty hostile
13:43
environment to tweet in or anything like
13:45
that and then I remembered the Arab
13:47
Spring where people were holding up
13:50
their phones and getting shot at by
13:52
snipers while trying to take pictures of
13:53
police brutality so those seem like
13:55
pretty hostile networks to me how does
13:59
Def Con compared to those during the
14:02
week in Vegas that's what I wanted to
14:05
find out so instead of taking a broad
14:11
approach i decided to narrow solely on
14:14
wireless I didn't want to focus on
14:17
everybody everybody knows yeah you don't
14:19
you sure you don't use the hotel
14:20
wireless but what about cellular
14:23
networks or what about other networks so
14:25
I decided to focus on the GSM cellular
14:27
network because that's the type of phone
14:29
I had was a GSM cell phone so before I
14:33
get too deep into the work I did I need
14:35
to go on a bit of a rant bear with me
14:37
please personally I pride myself on
14:41
someone who cares deeply about the
14:43
security and privacy of regular people
14:45
one of my core values is to help people
14:49
be safe online and in their daily
14:51
activities and one of my talks earlier
14:53
today was actually on the same subject
14:55
so I feel that as a hacker or security
14:59
professional it is my job or duty to
15:02
educate and share our knowledge with the
15:04
broader public all that said what are we
15:08
doing to help the people who just happen
15:11
to come to Vegas during Black Hat or
15:12
DEFCON are they to be unknowingly swept
15:15
up in the mass dragnet
15:17
of surveillance and exploitation that it
15:20
occurs at this conference many of us
15:23
like personally I took measures to
15:25
protect myself but people who are just
15:28
on their vacation probably didn't take
15:30
those same measures and that and I just
15:34
I think of the couple who just goes on
15:37
the vacation to get away from their kids
15:38
for a week and they know they do things
15:41
like use the ATM or connect to the hotel
15:44
wire wireless to book a show ticket or
15:47
something like that should their like
15:49
entire bank account be compromised
15:50
because of that I usually I feel pretty
15:54
bad about that and whether or not that
15:59
is the case is debatable but I often
16:02
found myself striking up conversations
16:03
with people around the casino and bars
16:05
or elevators who were in town but not
16:07
for the conference you know we talked
16:09
and I'm a pretty friendly guy who talked
16:11
to most people so the conversation would
16:14
lead to things like why they were in
16:16
Vegas and why I was in Vegas and I'd
16:18
have to tell them why I was in Vegas and
16:20
that I was a hacker and that would
16:21
usually elicit some sort of response
16:23
around fear and oh my god am i safe I
16:26
was like well I probably wouldn't use I
16:28
would probably say something to the
16:29
extent of a maybe wouldn't recommend
16:31
using the hotel wireless this week
16:33
because there's 40,000 of us in town and
16:35
it's probably probably not the safest
16:38
thing just because people like to hack
16:40
stuff and then I'd maybe give them
16:42
advice on how to better secure their
16:44
devices things like two factor
16:46
authentication and maybe use the
16:48
cellular networks or LTE while they're
16:51
here but it still made me feel pretty
16:54
crappy like I didn't feel good about it
16:56
I witnessed other people do the same thing
16:58
maybe with a little less finesse than me
17:00
it was more of a fear mongering I don't
17:02
really like that so I think as an
17:05
industry we need to think about the
17:08
rhetoric or message we're sending I
17:10
would much rather go to a conference and
17:12
be able to tell people yeah it's great
17:15
uh you you could while you're in Vegas
17:20
use the hacker net because it's the
17:21
safest one in the world and your data
17:24
will be safe i I realized I might not
17:26
get to that point but I wish that was
17:30
be the case or we could aspire to less
17:32
than most hostile network on earth that
17:36
would be a good first step I think okay
17:39
so end of rant and let's move on with
17:41
the show so before DEFCON I had this
17:47
vision in my mind and of how this work
17:51
would go I had this idea that I would
17:54
take my cell phone I'd walk around Las
17:56
Vegas until I identified this rogue
17:59
cellular device this IMSI catcher I was
18:02
like haha I'm gonna find you and then I
18:04
would in my mind the conversation would
18:07
go I'd approach the person or individual
18:09
I'd say hey can I see what's in that
18:12
backpack I'm kind of curious or I'd walk
18:14
up to a hotel room and I figure it out
18:17
I'd narrow it down I'd knock on the door
18:18
and what would happen next would either
18:20
be hey that's really cool let's see this
18:23
here yeah I'm happy to show you all what
18:25
I'm doing or it could it could go
18:30
completely the other way it might be the
18:31
best version of a game called spot the
18:34
Fed at Def Con if you're not familiar
18:36
with it you have to consider that with
18:39
that many hackers in the area one time
18:43
it creates a target-rich environment for
18:46
federal authorities to buy people drinks
18:48
to get them to slip and talk about all
18:50
the illegal activity they're doing so a
18:52
lot of federal authorities do attend and
18:54
plain clothes and you know some of them
18:56
just come because they think it's cool
18:57
to and that's all right So Def Con has a
19:01
game that if you can spot the Fed and
19:03
you can prove that they're they're
19:05
working or trying to get information out
19:08
of you you win a t-shirt maybe a picture
19:10
and their their reward is they get to go
19:13
sweep sweep the parking lot so in my
19:16
mind that's that's what I was trying to
19:17
accomplish was just to identify and
19:20
tangibly say this is an IMSI catcher I
19:23
wish they weren't using it tell me about
19:26
it so let's so that's the most hostile
19:32
stuff I was talking about it's my setup
19:35
I have the Android IMSI-Catcher
19:40
detector app with my burner phone
19:42
next time it syncs with OpenCellID but
19:45
before I left it wasn't quite working
19:46
properly for me so I I just analyzed the
19:51
data afterwards in future I would have
19:53
synced it better in advance my company
19:56
the for us at Def Con that's our big
19:59
everybody gets together we work all
20:01
across North America so it's our one
20:03
chance to get together as a team so we'd
20:05
go out in the limo and go to dinner and
20:06
everything like that while doing that I
20:08
was collecting data of all the towers I
20:10
was driving by so that's me war driving
20:13
the strip in style well that's spoiler
20:18
alert so some of the things i found that
20:24
real-time analysis and exact location
20:27
was pretty tough so i decided to just
20:31
collect the data and analyze it after as
20:33
i was walking around was like this isn't
20:34
making sense it's not quite working it's
20:36
not getting the right data so I'm just
20:38
going to collect and analyze after so
20:43
here's what I found so what I do is I
20:45
walked Vegas beforehand all the areas of
20:48
the conference collected all the tower
20:50
data and then after the conference I
20:53
looked at my data again from having
20:55
going around so here's what I found
20:57
please don't freak out so before the
21:01
conference and after the conference
21:02
there's a few more dots there don't
21:05
freak out yet so to the casual observer
21:09
this looks really bad and at first
21:11
glance i would agree i was concerned I
21:13
was like what the heck was there that
21:15
many IMSI catchers in Vegas while I was
21:17
there like this would confirm all of my
21:19
thoughts I knew that you know this this
21:23
isn't my main area of expertise I do a
21:26
lot of mobile app assessments and mobile
21:28
reverse engineering but not as much in
21:29
the in the cellular network areas so I
21:34
knew that I needed to do a little more
21:36
research and as I analyzed the data I
21:39
started comparing the results to
21:40
OpenCellID which is a user again the user
21:43
database of discovered cellular devices
21:45
when I research the barest the sorry
21:49
there's Bally's area of Las Vegas I found
21:51
that in many cases there were multiple
21:53
redundant devices
21:54
and this is to handle the load of a
21:56
lot of people in a very small area so
21:58
what you would see is that you could
22:00
have multiple devices might have three
22:03
antennas with three unique IDs and you
22:05
would have caught all of them just
22:07
depending on what time you walk through
22:08
so you'd really have to walk through
22:10
this dozens of times before you be sure
22:13
you caught every device and even still
22:16
there could have been some on multiple
22:17
floors so unless you're walking every
22:18
floor there's potential of you missing a
22:21
lot all right so what's the next one so
22:26
there could have been love it so I
22:27
acknowledge that there's probably lots
22:29
of false positives in that data there
22:31
could be multiple redundancy devices and
22:33
there could have been some GPS issues as
22:34
well the GPS accuracy on mobile devices
22:39
is something to be desired if I had
22:41
identified a rogue one I probably could
22:44
have got within 20 to 40 feet of it but
22:47
any closer I think would have been a
22:48
challenge for sure I would have been
22:50
just relying on if I could see any
22:52
suspicious characters which at Def Con
22:54
is everyone so I then excluded all
23:01
devices that were reported to OpenCellID
23:03
and this is what's left sorry the red
23:06
dots are on there they're a little small
23:08
I didn't realize the TV was a small but
23:10
those red dots represent the devices
23:13
that I did not see in my preliminary
23:14
walk and were not already known to
23:17
OpenCellID there's about 12 of them so
23:21
those are 12 devices are they all IMSI
23:24
catchers I don't know still so one of
23:32
it's possible that one of these is an
23:36
IMSI catcher but I'm not sure there was
23:38
reports that someone was arrested for
23:40
using an IMSI catcher while at Def Con
23:43
that did circle around whether it was
23:45
rumor I believe it to be true but I
23:48
haven't seen a confirmed police report
23:50
or anything so I don't know it's
23:53
possible so but the next one is a little
23:56
peculiar so before I was at
23:59
Paris where as we're staying for defcon
24:02
the few days before I had a nice
24:05
vacation at Caesars and attended Black
24:08
Hat a little bit so I spent three nights
24:12
in Caesars before Def Con and what was
24:15
weird was lots of towers were picked up
24:17
while I was sleeping and it suggests a
24:21
bit of a drive by attack or a flyover
24:25
but I wasn't sure so I was also seeing a
24:28
lot of things my my phone was jumping it
24:31
would alert me every time it changed
24:32
networks and it was alerting me all
24:34
night that it was changing networks
24:36
between LTE and GSM or 3G or 2G and it was
24:40
picking up all these towers so that
24:43
looked pretty peculiar and when I
24:48
removed the OpenCellID ones it left me
24:52
with four so at least four of these
24:55
devices were not previously not known to
24:58
OpenCellID and I did exclude a couple
25:00
others but they were only had only been
25:03
seen once before once or twice before so
25:06
there were four that would definitely
25:07
never been seen before and this is where
25:11
with other devices other there might be
25:14
30 or 40 reported sightings of a
25:16
cellular device so did not have seen one
25:20
is just it could be new there could be
25:22
other explanations so that's awesome
25:27
it's possible it hits suggests given the
25:29
concentration that there was either
25:31
somebody driving down the road or flying
25:33
over the area while I was sleeping doing
25:35
that I can't confirm it which which
25:37
sucks so part of my research is hey I
25:42
couldn't I was actively looking for
25:44
these devices and I couldn't easily find
25:46
one if you looked at your device right
25:48
now you wouldn't know if you were
25:50
connected to one like if I have one in
25:53
my bag or anything I don't but you
25:56
wouldn't know and that sucks so well do
26:01
you care and that really that depends on
26:05
your personal threat model if you care
26:08
about a government knowing where you are
26:09
and we saw the reasons and how they're
26:11
used if they want if they check to know
26:13
if you're home if they check to know where
26:15
you've been if you were in the
26:17
neighborhood of a protest while it was
26:18
going on right so solutions don't use
26:25
your device sorry you don't want to be
26:31
caught up in this don't use a device and
26:32
interesting i was talking to a reporter
26:34
about this issue and we were
26:35
brainstorming some ideas on getting
26:37
around it but i'm convinced that if you
26:39
did Wi-Fi calling over a VPN you
26:44
wouldn't be caught in an IMSI catcher and
26:45
if you were in vegas using DEFCON
26:50
wireless then you know you'd run the
26:52
risk of being caught on the network but
26:54
if you're doing a VPN maybe you'd be a
26:56
little bit up better off so or if you
26:58
were just in a normal situation not at
27:00
DEFCON you could use the you could use
27:03
the VPN with Wi-Fi calling and be of a
27:05
reasonable assurance that you wouldn't
27:06
be caught by one if you're concerned SMS
27:09
is completely plain text messaging so I
27:11
would recommend Signal which is made by
27:14
Open Whisper it's an app for end-to-end
27:15
encryption between people and they were
27:19
recently sued by the government and they
27:21
said sorry we don't have anything to
27:22
give you we don't keep any data so they
27:24
just pretty good evidence that they have
27:26
your back I think that if a wireless
27:29
carrier published the tower IDs you
27:32
could at least know if an ID matched or
27:35
not it takes some work on their part
27:37
keeping that up to date but then it
27:39
would also lead to device spoofing and
27:41
you you just you would increase then you
27:45
make all those stingrays obsolete but
27:47
then they'd have to go buy more because
27:49
they'd have to have a new feature with
27:50
the ability to detect or just spoof
27:54
devices and then I would argue we should
27:58
pressure wireless carriers to implement
27:59
mutual authentication between devices
28:01
currently you meant you authenticate the
28:05
tower authenticates the user is allowed
28:07
to connect to the network but not that
28:09
user is not authenticating that the
28:11
tower is valid so that would be a big
28:14
step forward in the protocols so I had
28:17
some conclusions i would say that
28:18
they're very hard to detect this is what
28:21
part makes them so dangerous and you
28:23
really know when you're connected
28:24
devices I wish I could be more helpful
28:26
to you it's pretty thank you it's been a
28:31
wonderful visit thank you for your
28:33
audience well thank you and I've got to
28:42
say that this ranks as the creepiest
28:46
presentation that I've heard here hey
28:50
you know there may have been less going
28:51
for there may have been others um are
28:55
there any questions turn off all your
28:57
devices and then ask um did anybody yeah
29:01
just a second though some more people
29:03
came in has anybody been to all three of
29:05
my talks today no the other two were
29:08
pretty full you've been to two all right
29:10
all right yes I will give you the mic
29:12
because all of this is being streamed
29:14
and can you make a stingray replica
29:21
device by having a full duplex
29:23
separation of USRP board and so uh
29:26
if you'll have a full duplex separation
29:29
of USRP board like I'm 600 which has
29:33
a full duplex can you make a stingray
29:35
replica yeah the demo I showed you uses
29:39
you can buy your own for 1400 I think
29:44
you can probably it that down to 500
29:45
with the is it the HackRF or the
29:48
bladeRF one's full duplex one's half duplex
29:50
just USRP board the hell yeah any
29:53
full duplex RF generator will do it so
29:59
this one uses I think either the blade
30:01
or the HackRF or maybe I think you can
30:03
probably get it down to about five
30:05
hundred dollars I'm convinced with may
30:07
be very specific antennas and very
30:10
specific devices you can probably a
30:12
little cheaper so yes as your answer
30:15
that's that's how they did it with this
30:16
demo thank you okay well that was
30:21
slightly creepy question person there
30:24
but field one let me see
30:27
okay any more questions from the
30:30
audience no nobody is scared of this
30:36
nobody else is a journalist who might be
30:40
being followed by three or four of our
30:42
country's many security agencies who are
30:45
basically spent most of the time chasing
30:48
each other's tails but so I don't know I
31:00
even don't have a question I'm just know
31:03
now when not to go to Vegas so method I
31:05
go there very often but and I hope get
31:09
your your presentation and look and some
31:13
of these these links but these IMSI
31:17
devices are used mainly by by by
31:21
security forces of police and
31:23
intelligence agencies yeah it's
31:25
predominantly a government agency or
31:28
entity that's use and the ones that the
31:33
ones that are possibly engineer friend
31:36
there may be building out her garage is
31:39
that being said there's known
31:42
documentation of for instance mexican
31:46
drug lords deploying their own cellular
31:47
networks or other areas of the world
31:49
that people will deploy their own
31:51
networks because it's it's better or
31:53
more efficient or more secure than then
31:57
they want this what about privatized
32:01
private detectives who you know get
32:03
hired to find out you know somebody's
32:05
partner or spouse or something is up to
32:07
so the FCC in the States is challenging
32:10
this or the sorry the EFF is challenging
32:14
this in the states with the FCC saying
32:16
we can't a petition Congress to say you
32:20
can't use these devices because it's not
32:22
getting anywhere but let's go through
32:24
the FCC and say you don't have the legal
32:26
right to broadcast on that bandwidth and
32:28
you don't have the licensing to
32:31
broadcast so you're violating the law in
32:33
that regard and they're trying to tackle
32:35
it from a frequency use perspective
32:37
these devices have to broadcast it
32:40
that just passed and I said there was
32:42
passive and active you know the active
32:45
ones are certainly more dangerous the
32:47
passive ones would pretty much just
32:48
collect your SMS over an insecure
32:51
Channel or break the crypto that they
32:54
look at you and they can locate you well
32:57
I mean that's where is a private private
32:59
detective they can catch your IMSI value
33:01
which would allow you to look at them
33:02
for you would allow them to look you up
33:04
in terms of your phone number your
33:06
address and billing information so what
33:09
are the possible I mean you know you can
33:12
even look at the legality of security
33:14
agencies intelligence agencies following
33:16
you around in different ways but what
33:20
are the possible private and
33:22
unsanctioned or in illegal uses of these
33:24
these gadgets take your pick if you can
33:28
get in so just last week there was a
33:30
report that came out on somebody was
33:31
deploying their own base stations over
33:34
the LTE network and then they were
33:35
launching attacks over LTE to people who
33:37
connected to it or to the devices are
33:39
connected to it so then you're thinking
33:41
about how does your device your device
33:44
was certainly designed to handle text
33:47
messages and other types of data but
33:49
what happens if you start sending
33:50
malformed packets you start fuzzing it
33:52
then you look at areas where you could
33:53
potentially remotely exploit the devices
33:55
or send fake text messages or anything
33:58
like that send phishing links right to
34:00
anybody and the anybody walks by in the
34:01
area connects to that Network and you
34:03
send them phishing text messages right
34:06
get them to click and then further
34:07
exploit them from there okay um so you
34:11
can get your fourth bag here hey yeah it
34:15
gets me whenever there's there's a
34:16
question in the back I will bring you
34:18
the microphone so that you you will be
34:21
recorded and made I say I'm so somehow
34:25
missed it how can i detect by which
34:28
tower my phone is operated yep how to
34:31
find detecting two catchers like you
34:34
wouldn't know if your phone was
34:36
connected to it right now if you have an
34:38
app you could know what tower you were
34:39
connected so there's an app for that so
34:41
I can I can like know I've been operated
34:45
but our here or there yeah you would
34:48
there's there's a couple other apps in
34:50
this space as well the one I use I
34:52
mentioned
34:52
it you can download this app and it'll
34:56
tell you which device you're connected
34:57
to if you don't trust that particular
35:00
tower you can blacklist it and then
35:03
you're choosing to blacklist that tower
35:04
and you'll connect to another tower
35:05
instead but I mean you you can't see the
35:08
where the location of the tower well you
35:11
have a general idea based on signal
35:12
strength and your GPS location yeah and
35:15
then if you wanted to walk around
35:16
further you could trilaterate it by
35:18
finding by going to different points
35:20
taking measurements and and that's
35:22
that's what you decided to you if you
35:23
see there's no tower so you you can go
35:26
and explore and see if there yeah so
35:28
when I say towers in you know rural
35:31
areas they're definitely towers but in
35:33
areas like this they're no bigger than a
35:35
home router yeah right with additional
35:38
antennas on it so you might see I didn't
35:40
check i could pull up my app we can see
35:42
how many we find in the building with
35:46
some reason i'm sure there's more than a
35:47
couple okay thank you just to clarify
35:52
would the app that allows you to detect
35:56
what tower you're on doesn't tell you
35:58
whether that's a good tower tower no it
36:01
doesn't so it doesn't so is there an app
36:03
to find the dark towers no the only way
36:06
is to have some sort of anomaly based
36:08
detection where you know all the good
36:11
ones in your area and then when a new
36:13
one pops up you get suspicious it's the
36:15
only way right now if it's not announced
36:17
by one of the operators the operators
36:18
here used too often you know celebrates
36:20
every every every tower out in the
36:23
middle of podunk nowhere Latvia you know
36:25
with a press release so okay any more
36:29
questions this is interesting this
36:31
affects all of us who have phones in our
36:33
pockets that are being followed by evil
36:36
forces so oh ok well you are at the back
36:41
ah right ok I'll have to give you the
36:44
mic and I have two guys are grilling me
36:47
today
36:49
thanks for the presentation question about
36:54
the locating those stingrays or false
36:56
towers actually you can put those towers
37:01
on the map only based on signal strength
37:03
from one device and your own coordinates
37:07
great so seeing distributed dots on the
37:13
map means that there were there was a
37:15
kind of several signals with several
37:20
strengths yes so that's the other thing
37:24
that was questionable around the Caesars
37:27
Tower data I showed you is at night
37:30
Vegas goes to sleep eventually maybe by
37:34
four or five in the morning and the
37:36
usage of cellular towers goes down and
37:39
potentially like the the noise in the
37:42
area goes down which means you might see
37:44
a tower from further away that you
37:45
wouldn't see during the day so actually
37:48
developers of the application could
37:51
improve that to triangulate yes so you
37:55
could do it manually currently you could
37:58
improve on the app to better focus and
38:00
triangulate with it good things feature
38:03
request you're welcome to code it we
38:05
check with
38:10
ok any anyone else with a question you
38:17
can earn yourself I think he's been
38:18
given a pile of these after-party things
38:21
so you can earn yourself an after party
38:23
invitation if you well okay I think then
38:31
we'll we'll move on I'm supposed to give
38:34
you this even having one brought up here
38:36
because there is one in there yes