Microsoft Windows 7/Vista Law Enforcement Guides

Public Intelligence got hold of some interesting slides that Microsoft seems to present to law enforcement personnel. Microsoft explains the weaknesses in their privacy/security functions and how law enforcement et al. can best leverage them.

Here are some highlights:

InPrivate


Microsoft Law Enforcement Cover Your Tracks

A benefit to law enforcement of InPrivate is that website data for sites added to favorites will be left alone if a box remains ticked.

Microsoft Law Enforcement Tor Project

Not surprisingly, The Tor Project comes up in the presentation (because anyone using Tor must be doing something bad!!), associated with the user name ‘bad guy’.

Microsoft Law Enforcement InPrivate

Common uses of the InPrivate mode include checking e-mail on public computers and “shopping for gifts” on family computers.

Microsoft Law Enforcement InPrivate 3

In a plea to not lose their law enforcement buddies because of the inclusion of these inconveniencing features, Microsoft says that they’re not alone in including private browsing functionality, i.e. they were forced to do this because the competition was doing it (good job Firefox and Chrome).

Microsoft Law Enforcement InPrivate 2

Bitlocker

Microsoft Law Enforcement Bitlocker

Microsoft says that it’s not all bad, BitLocker isn’t available to any commoner, it “has a number of ‘Recovery’ scenarios that we can exploit”, and that users are scared of encryption.

Microsoft Law Enforcement Bitlocker 2

“We are the good guys!” Who are the bad guys then? The people using encryption/BitLocker?

Microsoft Law Enforcement Forensic First Responders

Virtual PC Undo Disks

Microsoft Law Enforcement Virtual PC Undo Disks

Virtual PC Undo Disks are scary for law enforcement.

Full presentations are here.

Secret SIS Search Warrants and Telco Data Retention

This phone is tapped

The SIS and police confiscated digital devices belonging to former Fijian cabinet minister Rajesh Singh last week “in connection with an alleged plot to assassinate Fiji’s leader Voreqe Bainimarama”.

A woman from the SIS turned up with three plain-clothes police officers and said she had a search warrant. But she couldn’t show it to Rajesh or give him a copy because it was classified. Because you know, wanting to know why people are raiding your house is a completely unreasonable request.

Idiot/Savant asks why, if the alleged plot was actually reasonable, was Rajesh or someone else not arrested. @civillibertynz points out that this secret warrant wouldn’t even need to be presented in court later on.

The laptop and phone were returned later in the day, presumably after being copied. I wonder if the SIS are allowed to install spyware?

Data retention by NZ telecom providers

I also wonder whether they needed physical access to the phone for what they were looking for. Telecom companies here are very vague about how long they keep user data for. It doesn’t seem like customer-facing staff (and thus customers) are generally privy to the period of time information is actually kept.

Telecom says text message content is stored for two to three months. Vodafone says up to six months. 2degrees said six months, but that the technical team could access archives further back than that (a detail I wonder if others didn’t mention).

I requested my data from 2Degrees and they sent me every text message I had sent involving 2Degrees (18+ months worth), including nine months of text messages I had sent to 2degrees customers when I was on another network.

I wonder whether in practice this Telecommunications Information Privacy Code rule is being followed:

“A telecommunications agency that holds telecommunications information must not keep that information for longer than is required for the purposes for which the  information may lawfully be used.”

I understand that there’s no legal requirement for telcos to keep a hold of this data at all (section 40).

Whose interests are being served by keeping information for such an unnecessary amount of time, especially when customers have no idea it’s happening?

And whose interests are being served when a secret search warrant is served on an ex-foreign cabinet minister in relation to a dubious overseas assassination plot?

Image credit: tenaciousme

Where Is The CCTV Footage From The Dotcom Mansion Raid?

CCTV camera

Ars Technica sez:

“Since January, the Dotcom legal team has asked for the footage, but police refused, until finally the agency agreed that an IT expert for DotCom could come and collect a copy of the footage. When the IT expert arrived at the police station, he found the server completely disassembled, and authorities said they could not reassemble it or give him any footage. Now, no one outside the police agency is sure the footage still exists.”

Here’s what the Police said to me on 13 February:

“Police do not have any equipment which may hold this security footage. This equipment is held by the Official Assignee on behalf of the Crown, not Police.”

And here’s what the Insolvency & Trustee Service said on 17 February:

“The Official Assignee has no knowledge of any security camera footage.”

So what exactly does this footage show that the police and friends don’t want getting out?

Image credit: Charbel Akhras

I Know What You Downloaded Last Summer

YouHaveDownloaded.com

An interesting site popped up near the end of last year called YouHaveDownloaded.com. You might not have visited it, or even heard of it, but if you’ve been using torrents, it might have heard of you.

The site is quite simple: it tracks torrents and the people (IP addresses) downloading them, much like copyright holders do (or hire companies to do for them). They claim to be tracking roughly 4%-6% of all torrent downloads and 20% of torrents from public trackers, like The Pirate Bay.

The difference from the copyright holders is that this site makes the information it collects public. You can see what it thinks the IP address you’re using has been used to torrent, or any other IP address you can think of. It might not be right, or it might be spot on.

This site just highlights what is going on all the time. Torrenting is a very public activity unless you’re making an effort to protect your privacy (like using a proxy or VPN from a reputable provider). Privacy is not the default on the interwebs.

IP addresses are more like PO Boxes than physical addresses: most people have dynamic IP addresses that change regularly, and given that some people also have insecure Wi-Fi, the results on the site aren’t that accurate.

The site brings up an interesting statistic, especially if it’s true: “About 10% of all online shoppers, in the US, are torrent users as well.” In the future, will advertisers link an IP’s torrenting history to an advertising profile? Is this already happening?

The removal form

The site provides a form that supposedly enables people to request removal from the site. Don’t use it.

Previously it asked people to sign in using their Facebook accounts, and the CAPTCHA to get to the non-Facebook removal form didn’t work (i.e. they wanted to link your data with a real name, cue warning bells). Now it seems like Facebook has revoked their access to use Facebook logins (they say Facebook logins are “Temporarily disabled due problems with Facebook”), so it brings up the removal form, which asks for a name and an email address.

I’m not saying this is what the people behind the site are doing, but this would be all the information they would need, in addition to the information they have on torrents associated with your IP address, to send an extortionate email your way. Or sell your data (probably not to copyright holders, because they hire people to do this for them already).

Here’s what their removal terms are (and yeah, the rest of the site is worded like this too):

Removal Terms
“The Details: By submitting a request to have your download activity removed from our database, you are acknowledging that the activity was, in fact, carried out by yourself. This means that you are only submitting a request to have the details of your own personal activity deleted. Any unrecognized activity, such as files you did not download or do not remember downloading, are not — I repeat, are not to be included in your removal request. Why is this imperative? Well, we actually don’t have to explain ourselves…sorry.

The important part is that you understand these terms and conditions before hitting that beautiful button that will erase your criminal background, at least for now. Wait, you did remember to read these terms before making the decision to submit a removal request, right? Of course you did, everyone reads the fine print.

Other Important Things to Consider: We make no guarantees that your information will not appear on any other databases. We may have erased your bad behavior but, keep in mind that your data on this site is aggregated public domain. So, if by chance, another sadistic group of people decides to open a similar web site, we have no control over what they do with your information. Furthermore, if you continue to involve yourself in activity like this, your future download history will, without a doubt, appear in our database again and we may not be as nice about it next time.

If any part of these terms is still unclear, please visit your local elementary school and ask to repeat grades 3 through 5.”

Giving the people or company behind the site any more information about yourself is not a good idea, even if they claim that the site is a joke and you shouldn’t take it seriously.

And anyway, if your IP address is listed on the site, it must be because of the person that used it previously. Right?

The only redeeming feature of the site? You can look up the content companies that take people to court for illegal file sharing.

Three Strikes Law Shifted File Sharing From Torrents To Tunnels

Cables

Shifting file sharing

A survey commissioned by the MPAA and friends last year stated that seven out of 10 people surveyed said that they would stop illegally sharing files after they received one notice from a copyright holder under the three strikes scheme.

Perhaps they should have also asked how many people would just change how they download files illegally?

The WAND Network Research Group at The University of Waikato has been measuring how traffic flows through a New Zealand ISP. They can split traffic into types with a pretty high degree of accuracy without having to “look inside” too much. Donald Clark compares it to looking at the postmark of a package and giving it a squeeze and being able to tell, in general terms, what’s inside, without having to open it.

Here’s a graph (ht Tech Liberty/1through8) showing the change in traffic volume in September 2011 and January 2012 by type relative to January 2011. In January 2011 the Copyright (Infringing File Sharing) Amendment Act (the three strikes Skynet law) wasn’t in force. On September 1 2011 copyright holders could start sending notices to IPAPs, and around that time there was a strong media interest in the law. January 2012 is a few months later.

The resulting data is a valuable insight into how residential DSL customers at this particular ISP reacted to the new law.

WAND Three Strikes ISP data

More graphical goodness can be found in the slides from a NZNOG presentation here.

There was about a 75% decrease in BitTorrent traffic straight after the law was introduced, largely sustained into 2012, with huge increases in remote and tunneling traffic. The law isn’t stopping file sharing, just moving it underground, using VPNs, seedboxes and sites like the now-closed Megaupload.

There was also a big decrease in newsgroup traffic, even though it doesn’t appear to be targeted by the new law.

Here’s what the project leader, Shane Alcock said:

“P2P, P2P structure, Unknown, Newsgroups and Encrypted [not all shown in the graph above] have all decreased massively from their January 2011 levels. Interestingly, each of these categories can be tied to the illegal downloading activities targeted by the CAA [Copyright Amendment Act]. P2P and P2P structure are obviously related, Newsgroups are a common source of torrent files and the Unknown and Encrypted categories were strongly suspected of containing a significant quantity of encrypted P2P traffic.

Even more interestingly, Remote, Tunneling and Files experienced similarly large growths in the amount of traffic downloaded by DSL users. This is probably indicative of people changing their approach to downloading copyrighted material. Instead of participating in file sharing on their home machines, it has become more common for people to use machines based in other countries and ship the file back home via another protocol. This might be via SSH, VPN or FTP, for example, which are all covered by the growing categories.

Similar trends are observed when looking at traffic transmitted by the DSL users. Categories associated with P2P file sharing have seen much less traffic compared with January 2011, whereas Tunneling, Remote and Files have soared.

It should be noted that although Tunneling has grown significantly, the overall amount of Tunneling traffic is still much less than the total amount of P2P traffic. But the sudden changes in application protocol usage are still very noteworthy and suggest that the CAA has had a major impact on people’s Internet usage.”

Image credit: technoloic

How To Counterfeit Money

PhotoShop banknote block

Not with Photoshop (and apparently Paint Shop Pro), or your printer, anyway.

The counterfeit deterrence system

If you try to open an image of specific currencies (and I assume at a specific resolution or higher) in Photoshop, you’ll receive the same error message as above. It’s interesting to note that New Zealand’s money isn’t blocked from being opened. Probably because we’re too busy trying to stop our passports from being counterfeited.

You can test it out using images from Banknotes.com. This one and this one throw up the error for me.

Here is Adobe’s information page on their ‘Counterfeit deterrence system’. What Photoshop is looking for is apparently a Digimarc digital watermark, different from the EURion constellation that printers, or at least colour photocopiers, look out for.

How to get around it

So what if your counterfeiting plans were going well so far, and now you’re at a standstill because of Adobe? You can use Gimp. It opens banknotes without trouble. So do old versions of Photoshop. And Microsoft Paint.

Why did Adobe think it was a good idea to add this? Counterfeiters will already know that they can use an older version of Photoshop, or use other software to get around this additional ‘feature’ and will be doing that.

All Adobe is doing is pissing off people who are trying to use Photoshop for a legitimate reason.

The Rules For Use website the dialog box directs users to even lists situations where you can reproduce banknotes legally (e.g. at a certain size), but Photoshop blocks opening banknotes full stop.

Why is it included?

Adobe will have had to spend time and money on including this system, with no returns in the form of additional sales. I assume they were pressured to include it, or even paid to include it by the Central Bank Counterfeit Deterrence Group.

Perhaps more concerning is that Adobe apparently has no idea what they have actually included in their software on behalf of the CBCDG:

“The inner workings of the counterfeit deterrence system are so secret that not even Adobe is privy to them. The Central Bank Counterfeit Deterrence Group provides the software as a black box without revealing its precise inner workings, Connor said.”

Secrecy

If you’ve bought Photoshop, were you aware of this system at the time of sale? You bought the software to open and edit images, but there are limitations you wouldn’t have been told about.

Here are the two places where this system is talked about on Adobe’s website: a forum post and the information page linked to above.

Adobe search CDS

Where’s the information page linked to from on Adobe’s website? My guess is not very many places, because they should have come up in the search too.

Printers are in on this too

I tried to print United States banknotes from Banknotes.com too. And the job failed. Here’s a New Zealand banknote that printed (and scanned) fine, with one of the United States notes below, which stopped printing halfway through.

Printing money

Here’s the error message in the print dialog.

Banknote print error reading pixels

Error 9707 seems to be specific to the counterfeit deterrence system, but is only described as “reading pixels failed”.

So I guess every time I print something, either the printer or the driver is all: “IS THIS LOOK LIKE MONEY?! NOPE, SEEMS TO BE A GIRAFFE.”


What I wonder is what other, potentially less visible and transparent “features” are being included in systems because of pressure or money?

I don’t want manufacturers including these non-features in their products for me and I don’t want my technology making decisions for me.

Eftpos Terms and Conditions

Credit cards

BNZ specifies an interesting use for your Eftpos card PIN that’s not permitted in their newest card terms and conditions – using it for the lock code on your phone.

1.5 PIN selection
… Your PIN should not be used for any other purpose including your lock/unlock code for your mobile phone.

In the new card letter they also make an interesting comparison of PINs to electronic signatures. But I think their next sentence shows why this is a potentially confusing example to give:

“When selecting a PIN please remember that this is your electronic signature. You must not keep a written record of your PIN, give your PIN to any other person or select a PIN that can be readily associated with you such as birth dates, addresses, parts of telephone numbers, car registrations, sequential numbers (eg 1234, 9999) or any other easily found personal information.”

Signatures are often written down, given away and are made up of personal information. Perhaps there is a better comparison available?
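As an added example (not BNZ’s code or anything from the letter), here is a small checker that turns the PIN rules quoted above into code: it rejects repeated and sequential digits and any PIN that appears in the digit forms of a customer’s own details. The customer profile is constructed sample data, and the field names are assumptions.

```python
import re
from datetime import date

# Constructed sample customer details (not real data), to exercise the checks.
SAMPLE_PROFILE = {
    "birth_date": date(1984, 7, 23),
    "phone": "021 555 0123",
    "car_registration": "ABC123",
    "address": "42 Example Street",
}


def _digit_forms(value):
    """Digit strings a person might lift from one piece of personal data."""
    if isinstance(value, date):
        d, m, y = f"{value.day:02d}", f"{value.month:02d}", str(value.year)
        # day/month, month/day, year, and the common short/long date forms
        return {d + m, m + d, y, d + m + y[2:], y[2:] + m + d, y + m + d}
    # anything else: just the digits in the order they appear
    return {"".join(re.findall(r"\d", str(value)))}


def weak_pin_reasons(pin, profile):
    """Return the list of rules a candidate 4-digit PIN breaks (empty = acceptable)."""
    if not re.fullmatch(r"\d{4}", pin):
        return ["must be exactly four digits"]
    reasons = []
    if len(set(pin)) == 1:                      # e.g. 9999
        reasons.append("repeated digit")
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):                    # e.g. 1234 or 4321
        reasons.append("sequential digits")
    for field, value in profile.items():        # e.g. birth date or phone fragment
        if any(pin in form for form in _digit_forms(value)):
            reasons.append(f"found in {field}")
    return reasons


if __name__ == "__main__":
    for candidate in ["1234", "9999", "2307", "0123", "8531"]:
        print(candidate, weak_pin_reasons(candidate, SAMPLE_PROFILE) or "ok")
```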

Image credit: Andres Rueda

Foodstuffs/New World Are Installing RFID Analytics In Their Stores

Foodstuffs/New World are using RFID technology on trolleys to track customer movement around the store.

Blue and purple RFID tag

Hi Matt,

Yes they are RFID receivers designed to pick up the signals from the front of most of our trolleys (although they are not currently active due to an issue with some of the receivers). The project is being done by Foodstuffs so that they can better understand customer movements around the store. This will enable them to design better supermarkets in the future.

Regards

>Hi
>
>I noticed Symbol(?) units installed on the ceiling in the store. I’m just curious as to what they are for. Are they using RFID technology?
>
>Kind regards
>
>
>Matt Taylor

Image credit: Tim