+Title: Against the Law: Follow the White Rabbit
+Date: 2016-09-12
+Author: hellekin
+_Direct Radio Introspection_ promises to counter _lawful abuses of
+digital surveillance_. On the mode of existence of Neo900's approach
+to privacy protection in the light of Snowden & bunnie's exploration
+of consumer grade smartphone _modding_ to protect journalists.
+{: .lead :}
+# Follow the White Rabbit
+At Neo900, among [tinkerphones][2], and in hackerdom in general, we
+share the idea that technologies can and should be created by whoever
+has the determination to make them happen, not only by corporate
+designers blessed with infinite capital, armies of lawyers, and
+manipulative marketers, who certainly don't know better how to
+accommodate the 'best interest' of the commons. When technologies are
+provided by biased interests, consequences abound, from programmed
+obsolescence to privacy invasion and the silly idea that you do not
+own what you buy: consumerist ideology wants us to believe that
+technologies come pre-packaged from the supermarket, and that what
+they are is what you need.
+Both Andrew 'bunnie' Huang and Edward Snowden are known for frowning
+at such pre-chewed, pre-digested contemporary myths, of the kind
+techies call <abbr title="Fear, Uncertainty, and Doubt">FUD</abbr>,
+after the sneaky marketing tactics pushed on unsuspecting customers
+in the 1950s by the then superpower <abbr title="International
+Business Machines">IBM</abbr>. <abbr>IBM</abbr>'s <abbr>FUD</abbr>
+consisted of instilling fear, uncertainty and doubt in potential
+buyers, leading them to fall for their fear of missing out and get
+the goods before their competitors would.
+George Orwell in his book _1984_, and Yevgeny Zamyatin before him in
+his _We_, described societies where the powerful would lie to the
+public in order to keep them obedient and convinced of the genuine
+nature of their political agenda. Maybe both science-fiction writers
+inspired the alarms sent by Lord Arthur Ponsonby to the people of the
+United Kingdom (_Falsehood in Wartime_, 1928), just a decade before and
+after the large-scale butcheries later known as World War I and II.
+Belgian historian Anne Morelli recomposed and expanded upon Ponsonby's
+warning to his fellow citizens, generalizing it in a book titled
+_10 Elementary Principles of War Propaganda_[^1], with the subtitle
+_to use in case of war, hot, cold, or tepid._
+Since Snowden's revelations about the <abbr>NSA</abbr> and its
+British partner in crime <abbr title="Government Communications
+Headquarters">GCHQ</abbr>, the public knows about techniques used by
+the Five Eyes to find, fix, and finish people--in military parlance,
+"to obtain a jackpot"--using their smartphone, and without even
+stripping them of their citizenship[^2]. Such news alone should
+have provoked worldwide indignation and the removal of the
+democratic leaders in charge of (taming) the monopoly of violence.
+Yet, no such thing happened.
+Instead, Snowden and other whistleblowers, and hackers such as bunnie,
+keep hitting nails to insist and persist in revealing the injustice,
+and the necessity to revolt against such evil behaviors. If showing
+the truth doesn't work to mobilize consciousness in a world of
+disarray facing so much violence, would working around people's
+rationalization do?
+On July 21st, 2016, bunnie and Snowden published [Against the Law:
+Countering Lawful Abuses of Digital Surveillance][0]. _Against the
+Law_ and its underlying technique take on the global surveillance
+narrative from another, specific perspective: journalists' protection.
+Huang made a habit of kicking the anthill and putting the finger where
+it hurts, denouncing the one-size-fits-all lack of thought the major
+electronics vendors and giant technologies producers want to shove
+down our throats; but technologies are not pre-packaged goods in the
+hands of the powerful, generously granted to unknowing and grateful
+consumers who can eat one product after the next, in awe and wonder.
+> Without the right to tinker and explore, we risk becoming enslaved
+ by technology; and the more we exercise the right to hack, the
+ harder it will be to take that right away.
+ -- Andrew "bunnie" Huang, [2013][5]
+Unlike classical Hollywood heroes, Edward Snowden is a very articulate
+person who knows how to promote an argument convincingly: he makes in
+smarts what he doesn't in violence. Heroic, bold, handsome, nuanced
+if not radical, Snowden projects an image difficult to dismiss by the
+establishment: no wonder the Press loves him.
+When one of the most prominent hardware hackers[^B] teams up with the
+whistleblower who brought awareness to the world of the illegal,
+immoral, unethical, and systematic abuse of the intelligence
+community, and especially the U.S.'s <abbr title="National Security
+Agency">NSA</abbr>, curious minds want to peek into the rabbit hole
+and follow Alice and Bob to see where it goes.
+[^B]: _bunnie_ was once lead hardware designer for [Chumby], known for
+ [Hacking the XBox][5] in the 2000s, and more recently for suing
+ the U.S. Government [against section 1201 of the <abbr
+ title="Digital Millennium Copyright Act">DMCA</abbr>][6] that
+ restricts and jeopardizes legitimate research and reverse
+ engineering.
+## Countering Lawful Abuses of Digital Surveillance
+_**Note:** unless specified, the quotes in this article come from
+[Andrew 'bunnie' Huang & Edward Snowden, July 21, 2016][0]._
+Abstract of _Against the Law_:
+> Front-line journalists are high-value targets, and their enemies
+ will spare no expense to silence them. Unfortunately, journalists
+ can be betrayed by their own tools. Their smartphones are also the
+ perfect tracking device. Because of the precedent set by the US’s
+ “third-party doctrine,” which holds that metadata on such signals
+ enjoys no meaningful legal protection, governments and powerful
+ political institutions are gaining access to comprehensive records
+ of phone emissions unwittingly broadcast by device owners. This
+ leaves journalists, activists, and rights workers in a position of
+ vulnerability. This work aims to give journalists the tools to know
+ when their smart phones are tracking or disclosing their location
+ when the devices are supposed to be in airplane mode. We propose to
+ accomplish this via direct introspection of signals controlling the
+ phone's radio hardware. The introspection engine will be an open
+ source, user-inspectable and field-verifiable module attached to an
+ existing smart phone that makes no assumptions about the
+ trustability of the phone's operating system.
+### Objective: Awareness
+Consistent with previous work by both bunnie and Snowden, _Against the
+Law_ wants to promote awareness to the public: awareness of the dire
+situation faced by journalists, activists, and rights workers exposed to
+unprecedented amounts of surveillance and retaliation for their work
+informing the public of the dangerous and often illegal activities of
+increasingly repressive regimes around the world, thanks to pervasive
+communication technologies turned into surveillance apparatus.
+According to the <abbr title="International Federation of
+Journalists">IFJ</abbr>, and other international organizations,
+[deadly attacks on journalists][n2] have [increased dramatically][n3]
+in the last decade. <abbr title="Reporters Sans
+Frontières">RSF</abbr>'s Secretary-General wrote that it <q>is
+unfortunately clear that many of the world’s leaders are developing
+a form of [paranoia about legitimate journalism][n4]</q>.
+Snowden and bunnie describe in their paper a technical development
+they're exploring in their seeming attempt to respond to the question:
+"what is the shortest path to giving awareness to people risking their
+lives to inform and save others', whose enemies are determined to see
+them dead rather than facing an informed public?"
+> trusting a phone that has been hacked to go into airplane mode is
+ like trusting a drunk person to judge if they are sober enough to
+ drive.
+Their response consists of a simple and attractive solution, a
+"hardware plugin" to the existing Apple smartphones pervasive among
+front-line journalists: given a minimal amount of electronics skill
+and effort, a stock iPhone 6 could be _modded_ to receive an extra
+case with independent monitoring electronics to warn its operator in
+case of suspect radio activity emanating from the smartphone. Their
+focus on a specific model aims at reducing time-to-market for a
+solution that they claim is otherwise adaptable to other devices.
+> we aim to provide field-ready tools that enable a reporter to
+ observe and investigate the status of the phone’s radios directly
+ and independently of the phone’s native hardware. We call this
+ direct introspection.
+Although the current investigation concerns **modded** iPhone 6
+devices, i.e., they need to pass through a (slightly) trained phone
+repair workshop, we can intuit that they're looking forward to vendor
+cooperation to provide full compatibility with unmodified stock
+### Reception in the Press
+Within the couple of days following the announcement, the online Press
+'covered' it in such a superficial way that it warrants
+a note, and this in-depth article. The Press coverage resembled, as
+has become the norm, a rush to announce an event coming from a newfound
+_guru_ faster than the competitors, without much scrutiny. Snowden
+became a Midas of contemporary times, turning into gold everything he
+touches; meanwhile, media coverage became a dumb repeater and
+amplifier of the voice of the Great Men.
+From Cory Doctorow[^6] to Bruce Schneier[^7], from Wired[^8] to
+Fortune[^9] and The Guardian[^10], the voice of the media was all but
+critical in announcing the newborn dual-star system, mainly relaying
+the contents of the published paper, hardly reading it thoroughly, and
+certainly not taking the time to ponder the act and its significance.
+Robert Hackett (Fortune) gets the palm for worst title for using
+"Spy-proof iPhone case": packaged goods with a shiny sticker, whereas
+_computer security_ is all about trade-offs and the relative costs and
+benefits of measures, and there are no _anything_-proof absolutes in
+security.
+Two exceptions to the media coverage so far include Bob Baddeley's
+[accurate and humble article in
+that puts the emphasis on the **exploratory** aspect of the project,
+and Micah Lee's article in The Intercept, which took the time to provide
+some context: [Edward Snowden’s New Research Aims to Keep Smartphones
+From Betraying Their
+Nevertheless, Micah Lee keeps building upon a problematic premise set
+in the paper: Marie Colvin's example, and the **allegedly technical
+trace using her phone** that informs the premise of his story and the
+turning point calling for the _Against the Law_ paper.
+### About Marie Colvin's Case
+In their paper, Snowden and bunnie invoke the case of war
+correspondent Marie Colvin as an example of a mobile-phone-based
+targeted attack on a journalist, _de facto_ suggesting that with a
+_direct introspection engine_, the journalist could have been warned
+in advance that she was under surveillance by the Syrian government.
+Unfortunately their hypothesis does not stand up to the facts.
+On July 9<sup>th</sup>, 2016, two weeks before the _introspection
+engine paper_, [Dana Priest reported][wapo] in the Washington Post
+that Marie Colvin's family had acquired proof that the journalist was
+killed on purpose by the Assad military forces during the siege of
+Homs, Syria, in February 2012.
+> The top floor of the building I’m in has been hit... It’s a complete
+ and utter lie that they are only going after terrorists.
+ -- Marie Colvin on TV, the day before she died.
+At the time, the Syrian regime still in place today had forbidden
+access to the city of Homs to journalists--including a kill order
+against trespassers, and Colvin, along with a few others, had braved
+the ban and crossed the artillery lines into the city, where she could
+bear witness live on TV that the military, while officially targeting
+'terrorists', were indeed shelling civilians indiscriminately.
+Officially, Colvin was killed by an <abbr title="Improvised Explosive
+Device">IED</abbr> planted by 'terrorists', but her family claims
+having the proof that the Assad regime deliberately targeted her and
+her colleagues with artillery fire. In a [32-page
+they reveal the methods used to locate and destroy the Baba Amr Media
+Center in Homs, where Marie Colvin and other journalists were
+reporting from.
+Micah Lee in The Intercept starts his piece with an account of the
+Marie Colvin event that emphasizes the alleged technical source of the
+killing. He writes:
+> Syrian forces may have found Colvin by tracing her phone, according
+ to a lawsuit filed by Colvin’s family this month. Syrian military
+ intelligence used “signal interception devices to monitor satellite
+ dish and cellphone communications and trace journalists’ locations,”
+ the suit says.
+But nothing like this appears in the original document that is linked
+from Dana Priest's Washington Post article: he's misquoting her
+paraphrasing the filed complaint, and paraphrasing from the _Against
+the Law_ paper that prudently refers to Dana Priest's article
+(emphasis mine):
+> The lawsuit describes how her location was discovered _in part_
+ through the use of intercept devices that monitored _satellite-dish
+ and_ cellphone communications.
+What the actual document says is that <q>intelligence forces
+intercepted Colvin’s broadcast signal and traced it to a location
+inside Baba Amr</q>, the district in southwest Homs where a
+clandestine Media Center was hidden. The precision of this location
+is not indicated, but from the context we can deduce that it was
+**imprecise enough to require the intervention of an informant**, and
+subsequent confirmation by undisclosed means.
+Quoting from page 3 (also reported by Dana Priest):
+> Throughout February 2012, the Assad regime received tips from
+ intelligence sources in Lebanon that Colvin and other foreign
+ journalists were traveling to Syria through Lebanon and reporting
+ from the Baba Amr Media Center. Acting on these tips, senior members
+ of the Assad regime formed a plan to intercept the journalists’
+ communications, track their movement to locate the Media Center, and
+ kill the journalists with artillery fire.
+On February 21<sup>st</sup>, 2012, <q>Colvin made audio broadcasts
+via satellite dish</q> (nothing is said about a phone) to <q>BBC News,
+CNN, and Channel4 from inside the media center.</q> Page 4:
+> That same night, an Assad regime informant tipped off the leadership
+ of the Homs Military - Security Committee that foreign journalists
+ were present at the Media Center and revealed the precise location.
+Then, on page 5 (my emphasis):
+> General Shahadah determined that the _informant’s description_ of
+ the Media Center matched the location of Colvin’s _intercepted
+ satellite broadcast signal_.
+With regard to the statements found in the original complaint, and the
+known state of location techniques using radio waves, it's safe to
+assume that in Colvin's case, no phone hacking was used, nor necessary,
+to locate her and her colleagues. _Technically_, using the case of
+Marie Colvin serves neither the purpose nor the narrative of the
+_introspection engine_. It certainly provides a timely, rhetorical
+argument, but may confuse the reader (and the interested journalist)
+both about the 'technical' danger and the adequacy of the proposed
+solution. But since Micah Lee and Edward Snowden had access to secret
+documents from the "Snowden Leaks", maybe they're referring to yet
+undisclosed documents: although we know <abbr title="Joint Special
+Operations Command">JSOC</abbr> operatives have been referring to ["The
+a tool to instantly locate a specific phone around the world, little
+information has leaked so far about how this apparatus works, notably
+whether it [requires prior compromise][QT] of the device (e.g., using
+[DROPOUTJEEP][ANT1] or [MONKEYCALENDAR][ANT2]), or whether it makes
+use of readily-available backdoors or bugs in the baseband processor,
+the <abbr>OS</abbr>, etc.
+[^coin]: Coincidentally, Dana Priest's article revealing "The Find"
+ (probably XKEYSCORE) was also published on a 21<sup>st</sup>
+ of July.
+## The One Rogue Chip
+<img src="/static/one-ring.png" style="float:left;margin:0 3rem 3rem 2rem" alt="One Ring">
+> One Ring to rule them all
+ One Ring to find them
+ One Ring to bring them all
+ And in the darkness bind them
+ -- J.R.R. Tolkien, _The Lord of the Rings_
+In our [previous article][3] we recalled that **the baseband chip (the
+modem) design is a proprietary, undisclosed black box.** In practice,
+the baseband processor is its own proprietary specialized
+system-on-chip, a micro-computer within the smartphone, running its
+own <abbr title="Real-Time Operating System">RTOS</abbr> to
+accommodate the technical requirements for precise timings in signal
+processing, and U.S. regulations.
+Any cryptographer will refer you to [Kerckhoffs's Principle][4] that
+states any cryptographic system should work even if the attacker knows
+its design: in fact, the secrecy surrounding baseband processors is
+technically spurious, and refers to the secrecy of a competitive
+business of proprietary interests that put the user's integrity and
+agency in jeopardy since it gives an avenue for a coercive power to
+abuse it without any scrutiny. In Neo900, we abide by Kerckhoffs's
+principle and thus distrust the hardware parts we fail to understand
+because their design is not public. The modem, indeed, is the one
+rogue chip that fails to pass our criteria for transparency.
+As the specifications of baseband processors are not available to the
+public, scrutiny of the soundness of their design is only
+available to hired teams under non-disclosure agreements (preventing
+them from publishing any results of their research if they find a
+vulnerability) and to teams of hackers: some are institutional, like the
+ANT division of <abbr>NSA</abbr>'s Tailored Access Operations, in
+charge of hardware compromise and... _automated network
+tethering_?; other hacker teams are independent, like academic or
+hobbyist security researchers, and some specialized companies such as
+GSMK, makers of the Cryptophone 500, who spent significant effort to
+reverse-engineer the baseband processor of the specific commercial
+product they chose as the basis for their work.
+Once again, the _security by obscurity_ upheld by proprietary
+vendors meets the limits of their approach: being secret, they don't
+have the incentive to abide by Kerckhoffs's principle and, being
+subjected to the upbeat rhythm of harsh competition, will release, more
+easily than free software vendors, half-baked solutions prone to
+error: [Nothing is checked, everything is automatically
+without mentioning deliberately shipped backdoors, like the ones
+recently found in Samsung or Intel-based devices.
+In practice, each device has a unique identifier called <abbr
+title="International Mobile Equipment Identity">IMEI</abbr>,
+like a <abbr title="Media Access Control">MAC</abbr> address for an
+Ethernet network device. A phone can be sold "naked", or come with a
+subscription. The <abbr title="Subscriber Identity Module">SIM</abbr>
+card can then be used to uniquely identify the user of this device via
+a 15-digit <abbr title="International Mobile Subscriber
+Identity">IMSI</abbr>. The combination of <abbr>IMEI</abbr> and
+<abbr>SIM</abbr> is unique, like the combination of the serial number
+of a car's chassis and its license plate.
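To make the two identifiers concrete, here is an added example (our own code, not from the article or from Neo900) that parses and validates them: an IMEI splits into an 8-digit Type Allocation Code, a 6-digit serial and a Luhn check digit, and an IMSI into Mobile Country Code, Mobile Network Code and subscriber number. The sample values are constructed (the IMEI is a common documentation example, not a real handset), and the MNC length is an assumption the caller must supply because it is not encoded in the number itself.

```python
from dataclasses import dataclass


def luhn_check_digit(digits: str) -> str:
    """Luhn check digit for a string of decimal digits. For an IMEI the
    15th digit is the Luhn check digit computed over the first 14."""
    total = 0
    # Walk from the right: the digit next to the check position is
    # doubled, then every second digit after that.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def imei_is_valid(imei: str) -> bool:
    """True when the IMEI is 15 digits and its last digit matches the
    Luhn check digit of the first 14."""
    return (len(imei) == 15 and imei.isdigit()
            and luhn_check_digit(imei[:14]) == imei[14])


@dataclass(frozen=True)
class IMEI:
    tac: str      # Type Allocation Code: identifies the device model (8 digits)
    serial: str   # manufacturer serial within that TAC (6 digits)
    check: str    # Luhn check digit


def parse_imei(imei: str) -> IMEI:
    if not imei_is_valid(imei):
        raise ValueError("not a well-formed IMEI")
    return IMEI(tac=imei[:8], serial=imei[8:14], check=imei[14])


@dataclass(frozen=True)
class IMSI:
    mcc: str   # Mobile Country Code (3 digits)
    mnc: str   # Mobile Network Code (2 or 3 digits, per national plan)
    msin: str  # Mobile Subscriber Identification Number


def parse_imsi(imsi: str, mnc_len: int = 2) -> IMSI:
    """Split an IMSI into MCC / MNC / MSIN. The MNC length is not encoded
    in the number; it depends on the country's numbering plan, so the
    caller supplies it (assumption: 2 digits by default)."""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15) or mnc_len not in (2, 3):
        raise ValueError("not a well-formed IMSI")
    return IMSI(mcc=imsi[:3], mnc=imsi[3:3 + mnc_len], msin=imsi[3 + mnc_len:])


if __name__ == "__main__":
    # Constructed sample values, not real subscribers or devices.
    print(parse_imei("490154203237518"))
    print(parse_imsi("262011234567890"))
```

The IMEI check digit only catches typos and transmission errors; it says nothing about whether the device is genuine, and neither identifier is secret, which is precisely why the pair can be used to follow a handset across the network.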
+The difference between a car and a smartphone still lies in the
+capacity of the latter to serve as a live location tracker. In its
+normal usage, the phone emits and receives radio signals to and from
+the cell towers, allowing the telecom operator (and any agency capable
+of coercing it to reveal this information) to locate the device within
+the range of one or more cell towers, following its path from one to
+the next. Once the device remains in range of a single tower (or
+two), the location can be pinpointed by other means.
+Moreover, normal radio methods to locate a transmitter can be used
+independently of primary cell location, such as, and not limited to:
+triangulation, multilateration, or uplink-time difference of arrival
+(<abbr title="Uplink-Time Difference Of Arrival">U-TDOA</abbr>), etc.,
+with a precision of about 50 meters.
+It is a [well-known
+that there are methods to activate smartphone functions remotely,
+without the user's consent or knowledge, including the microphone, the
+camera, and probably other sensors, by way of corrupting the normal
+functions of the operating system. Literature about known techniques
+seems to point to _spear-phishing_, a social engineering technique to
+lure the device owner into activating malware by visiting a link
+(whereas _phishing_ is not targeted at a specific individual or
+organization). But a sustained flow of vulnerabilities is discovered,
+traded, and used, e.g., in XKEYSCORE, to routinely attack devices.
+Recent vulnerabilities in <abbr>iOS</abbr> (see below), Apple's mobile
+<abbr>OS</abbr>, demonstrate that bugs in proprietary systems can offer
+a wealth of possibilities to exploit smartphones without even
+resorting to potentially visible attacks.
+Therefore, having proprietary subsystems on smartphones leaves the
+door open to successful remote compromise; when such subsystems
+are not isolated from the rest of the circuits, a total compromise
+that remains invisible to the <abbr>OS</abbr> becomes a practical
+Indeed, a rogue chip, hence a compromised smartphone, may ignore the
+order to shut down the baseband processor, and could as well
+activate the on-board <abbr title="Global Positioning System">GPS</abbr>
+chip to reveal the precise location of the device. This explains in
+part why the "direct introspection engine" introduced in _Against the
+Law_ tries to address more than just the modem's activity, and relies
+on hardware not under the influence of the <abbr>OS</abbr>.
+## Direct Radio Introspection
+The _Against the Law_ paper describes the difficulties with
+smartphones that led Snowden and bunnie to choose the <abbr
+title="Direct Radio Introspection">DRI</abbr> approach:
+- device complexity means a porous attack surface (more components,
+ more software)
+- no secure hardware design: what we call the "rogue chip problem"
+- no sure way to prevent malware from entering a journalist's device
+The latter point seems to be the main vector for taking over devices,
+rather than _rogue chips_.
+### Assumptions
+> [T]his work starts with the assumption that a phone can and will be
+ compromised.
+> Our work proposes to monitor radio activity using a measurement tool
+ contained in a phone-mounted battery case. We call this tool an
+ introspection engine. The introspection engine has the capability to
+ alert a reporter of a dangerous situation in real-time. The core
+ principle is simple: if the reporter expects radios to be off, alert
+ the user when they are turned on.
+> Our introspection engine is designed with the following goals in
+> mind:
+>
+> - Completely open source and user-inspectable (“You don’t have
+>   to trust us”)
+> - Introspection operations are performed by an execution domain
+>   completely separated from the phone’s CPU (“don’t rely on those with
+>   impaired judgment to fairly judge their state”)
+> - Proper operation of introspection system can be field-verified
+>   (guard against “evil maid” attacks and hardware failures)
+> - Difficult to trigger a false positive (users ignore or disable
+>   security alerts when there are too many positives)
+> - Difficult to induce a false negative, even with signed firmware
+>   updates (“don’t trust the system vendor” – state-level adversaries
+>   with full cooperation of system vendors should not be able to craft
+>   signed firmware updates that spoof or bypass the introspection
+>   engine)
+> - As much as possible, the introspection system should be passive and
+>   difficult to detect by the phone’s operating system (prevent
+>   black-listing/targeting of users based on introspection engine
+>   signatures)
+> - Simple, intuitive user interface requiring no specialized knowledge
+>   to interpret or operate (avoid user error leading to false
+>   negatives; “journalists shouldn’t have to be cryptographers to be
+>   safe”)
+> - Final solution should be usable on a daily basis, with minimal
+>   impact on workflow (avoid forcing field reporters into the choice
+>   between their personal security and being an effective journalist)
+> This work is not just an academic exercise; ultimately we must
+ provide a field-ready introspection solution to protect reporters at
+ work.
+## Choice of Device
+### Existing Solutions
+With the current state of smartphone insecurity, only two commercial
+offerings are available on the market: the Cryptophone 500 (based on
+the Samsung Galaxy S3) and the Hoox M2. Both devices share drawbacks:
+they're very expensive, and only work with their own, making them hard
+to use in generic environments.
+#### Cryptophone 500
+> Five years ago, businesses were asking me why I was so paranoid.
+ Now they’re all nodding when you give the presentation.
+ -- Björn Rupp, founder of GSMK, the maker of Cryptophone
+The [Cryptophone 500]( is the most prominent
+independent attempt at providing a secure device to the smartphone
+market. The Cryptophone solution remains _mostly_ a software
+solution, including a hardened version of Android based on CyanogenMod,
+and a unique _baseband firewall_ constructed by thorough
+reverse-engineering of the Samsung Galaxy S III modem. Its price tag
+is well over $2500 apiece.
+#### Hoox M2
+The [Hoox M2]( by Bull SA is a <abbr
+title="North Atlantic Treaty Organization">NATO</abbr>-approved secure
+phone system resembling the Cryptophone, with the exception that it
+seems to be the company's design and includes a proprietary
+Cryptosmart chip by Ercom to provide the extra cryptographic
+features. A unit costs about the same as the Cryptophone and requires
+using specific phone network components within an organization for
+large deployments.
+### Snowden's Choice: Apple iPhone 6
+> The choice of model is driven primarily by what we understand to be
+ the current preferences and tastes of reporters.
+> Although the general principles underlying this work can be applied
+ to any phone, reducing these principles to practice requires a
+ significant amount of reverse engineering, as there are no broadly
+ supported open source phone solutions on the market. Thus we focus
+ on a single phone model, the 4.7” iPhone 6 by Apple Inc., as the
+ subject for field deployment. The choice of model is driven
+ primarily by what we understand to be the current preferences and
+ tastes of reporters.
+> It has little to do with the relative security of any platform, as
+ we assume any platform, be it iOS or Android, can and will be
+ compromised by state-level adversaries.
+This choice seems a bit at odds with the recent release of the iPhone 7,
+boasting features some journalists might want (e.g., water and dust
+protection, a 12MP camera, and support for the RAW image format). Yet the
+"best iPhone Apple has ever made" removes the audio jack in exchange
+for Bluetooth audio, opening another attack vector that
+journalists should be aware of. We could say, like Apple's Schiller
+during the keynote, that the reason for Snowden and bunnie to stick to
+a second-hand iPhone 6 was “Courage, the courage to move on," from the
+endless cycle of novelty.
+#### Recent Apple iOS Vulnerabilities
+Apple recently [published iOS
+9.3.5]( to patch the
+following vulnerabilities:
+- [CVE-2016-4655](
+ The kernel in Apple iOS before 9.3.5 allows attackers to obtain
+ sensitive information from memory via a crafted app.
+- [CVE-2016-4656](
+ The kernel in Apple iOS before 9.3.5 allows attackers to execute
+ arbitrary code in a privileged context or cause a denial of service
+ (memory corruption) via a crafted app.
+- [CVE-2016-4657](
+ WebKit in Apple iOS before 9.3.5 allows remote attackers to execute
+ arbitrary code or cause a denial of service (memory corruption) via
+ a crafted web site.
+Each of these vulnerabilities could be used to install rogue software
+on the device, which would help bypass the _introspection engine_
+monitoring by not requiring activation of any of the monitored systems
+outside of their normal use. (?)
+## "Airplane Mode"
+> With the lights out, it’s less dangerous
+ Here we are now, entertain us
+ -- Smells like Teen Spirit (Nirvana)
+["Airplane Mode"]( is a
+_regulatory_ term enforced by air travel companies to avoid radio
+interference from transmitting devices on board a plane that could
+confuse the navigation systems. In 2013, the U.S. <abbr
+title="Federal Aviation Administration">FAA</abbr> published revised
+implementation guidelines to accommodate the combined growth of air
+travel and mobile communications, from a time when planes were not
+designed to cope with radio interference.
+Nowadays, most planes and most portable electronic devices are
+compatible with each other, and smartphones have a relaxed way of
+implementing "Airplane mode". Usually, your device provides easy
+access to that mode, which is expected to stop the baseband processor
+and other radio frequency subsystems from transmitting. In practice,
+the scope of the implementation varies from one manufacturer to the
+next, and enforcement from one model of plane to the next, or from one
+air travel company to the next.
+The iPhone 6 that can be _modded_ to plug in the white rabbit responds
+to Apple's implementation of ["Airplane mode" for iOS. <q>In Airplane
+Mode, these wireless features are turned off: Cellular (voice and
+data), Wi-Fi, Bluetooth</q>. Note that <abbr>GPS</abbr> is **not**
+affected by this mode, and that Wi-Fi and Bluetooth can be enabled
+Nevertheless, the "direct introspection engine" proposed by Snowden
+and bunnie takes as a premise that the phone may leak its location
+**in a moment outside of its normal function**, and more precisely
+**when the so-called "airplane mode" is activated**, and thus the
+radio is not supposed to emit. In other words, it helps figure out
+whether there's a chance that the device is not shutting down the
+radio when told to. But it remains a question whether the
+<abbr>DRI</abbr> is able to distinguish between normal and rogue
+activity during regular usage.
+For example, a smart exploit could detect that "airplane mode" is
+currently activated and, instead of trying to leak data right away,
+keep recording location and timing (and other) data for later
+transmission and post-processing when the radio is turned on again.
+**In that case, would the electronic monitor of the introspection
+engine be defeated?**
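To see what the question above comes down to, here is an added simulation (our own code, not the paper's design nor anything from Neo900) of the alerting rule the paper states, "if the reporter expects radios to be off, alert the user when they are turned on", with a small debounce against the false positives the paper also worries about. It assumes the engine receives a per-radio activity flag at each sample, which is our abstraction of whatever the FPGA would tap; the two scenarios and their samples are constructed.

```python
from dataclasses import dataclass, field

# Radio subsystems the paper lists as monitored.
RADIOS = ("cellular", "wifi", "bluetooth", "gps", "nfc")


@dataclass(frozen=True)
class Sample:
    t: int               # sample time, seconds since start (constructed)
    active: frozenset    # radios observed powered/transmitting at time t


@dataclass
class IntrospectionMonitor:
    debounce: int = 2           # consecutive active samples before alerting
    expect_off: bool = False    # the reporter's declared expectation
    alerts: list = field(default_factory=list)
    _streak: dict = field(default_factory=lambda: {r: 0 for r in RADIOS})

    def set_expect_off(self, flag: bool) -> None:
        """Reporter toggles 'airplane mode' expectation; reset counters."""
        self.expect_off = flag
        self._streak = {r: 0 for r in RADIOS}

    def observe(self, sample: Sample):
        """Return (t, radios) when this sample raises an alert, else None."""
        if not self.expect_off:
            # Radios are expected on: the stated rule has nothing to say.
            return None
        for r in RADIOS:
            self._streak[r] = self._streak[r] + 1 if r in sample.active else 0
        fired = tuple(r for r in RADIOS if self._streak[r] == self.debounce)
        if fired:
            alert = (sample.t, fired)
            self.alerts.append(alert)
            return alert
        return None


def scenario_rogue_radio():
    """Airplane mode is on, but the cellular modem keeps transmitting."""
    m = IntrospectionMonitor()
    m.set_expect_off(True)
    for t in range(3):
        m.observe(Sample(t, frozenset()))            # phone honours the request
    m.observe(Sample(3, frozenset({"gps"})))         # isolated blip: debounced
    for t in (4, 5, 6):
        m.observe(Sample(t, frozenset({"cellular"})))  # sustained: alert at t=5
    return m.alerts


def scenario_deferred_exfiltration():
    """Malware stays silent while radios are expected off and sends its
    stored log once the reporter turns them back on."""
    m = IntrospectionMonitor()
    m.set_expect_off(True)
    for t in range(5):
        m.observe(Sample(t, frozenset()))            # nothing to see while 'off'
    m.set_expect_off(False)                          # reporter leaves airplane mode
    burst = frozenset({"cellular", "gps"})
    for t in (5, 6, 7):
        m.observe(Sample(t, burst))                  # indistinguishable from normal use
    return m.alerts


if __name__ == "__main__":
    print("rogue radio:", scenario_rogue_radio())            # one alert
    print("deferred:", scenario_deferred_exfiltration())     # no alert
```

The first scenario is the case the engine is built for and it fires once, after the second consecutive sample, while a single GPS blip is swallowed by the debounce. The second scenario produces nothing, because under the quoted rule the transmission happens when the reporter expects the radios to be on; catching it would require a different rule, one that compares observed traffic against what the phone's normal use should generate, which the page does not describe.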
+### Monitored Systems
+- Cellular modem – 2G/3G/4G
+- Wifi / BT
+- GPS
+- NFC (Apple Pay)
+> we restrict our exploration to only RF interfaces that can directly
+ betray a user’s location.
+This premise doesn't take into account normally available ways to
+locate a radio-emitting device (such as a phone during a conversation)
+by passive means, for example [<abbr title="Uplink-Time Difference of
+Arrival">U-TDOA</abbr>], <q>a wireless location technology that relies
+on sensitive receivers typically located at the cell towers to
+determine the location of a mobile phone.</q> It can locate a phone
+within a 50 meter range, like <abbr title="Global Positioning
+System">GPS</abbr>, without the need to activate the device any further
+than its normal behavior.
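The passive location point made here and in the earlier paragraph on triangulation and U-TDOA deserves a worked illustration, so here is an added example (our own code, not from the article or from any operator's equipment) of the arithmetic behind it: receivers at known positions timestamp the same ordinary uplink burst, and the differences in arrival time alone fix the transmitter's position. Nothing on the handset is involved beyond its normal transmission, which is why no on-device monitor can see it. The geometry is two-dimensional, the tower coordinates and emitter position are constructed, and the solver is a plain Gauss-Newton least-squares fit.

```python
import math

C = 299_792_458.0  # propagation speed, m/s


def arrival_times(towers, emitter, offsets=None):
    """Constructed 'measurement': the time at which each tower hears a
    burst sent at t=0, optionally with a per-tower timing error (seconds)."""
    offsets = offsets or [0.0] * len(towers)
    return [math.dist(s, emitter) / C + o for s, o in zip(towers, offsets)]


def locate_tdoa(towers, times, iters=25):
    """Estimate the emitter position from arrival times at >= 3 towers.
    Residual i: (|p - s_i| - |p - s_0|) - c * (t_i - t_0), minimised in the
    least-squares sense by Gauss-Newton on the two unknowns (x, y)."""
    s0, t0 = towers[0], times[0]
    # Start at the centroid of the receivers.
    p = [sum(s[0] for s in towers) / len(towers),
         sum(s[1] for s in towers) / len(towers)]
    for _ in range(iters):
        a11 = a12 = a22 = b1 = b2 = 0.0
        d0 = math.dist(p, s0)
        for s, t in zip(towers[1:], times[1:]):
            di = math.dist(p, s)
            r = (di - d0) - C * (t - t0)
            # Gradient of the residual with respect to p.
            gx = (p[0] - s[0]) / di - (p[0] - s0[0]) / d0
            gy = (p[1] - s[1]) / di - (p[1] - s0[1]) / d0
            a11 += gx * gx
            a12 += gx * gy
            a22 += gy * gy
            b1 += gx * r
            b2 += gy * r
        det = a11 * a22 - a12 * a12
        if abs(det) < 1e-12:
            break
        # Solve the 2x2 normal equations (J^T J) delta = -J^T r.
        dx = -(a22 * b1 - a12 * b2) / det
        dy = -(a11 * b2 - a12 * b1) / det
        p = [p[0] + dx, p[1] + dy]
        if math.hypot(dx, dy) < 1e-6:
            break
    return (p[0], p[1])


# Constructed layout: four receivers on a 3 km square and one handset inside.
TOWERS = [(0.0, 0.0), (3000.0, 0.0), (0.0, 3000.0), (3000.0, 3000.0)]
EMITTER = (1200.0, 1900.0)


def location_error(offsets=None):
    """Distance in metres between the estimate and the constructed truth."""
    est = locate_tdoa(TOWERS, arrival_times(TOWERS, EMITTER, offsets))
    return math.dist(est, EMITTER)


if __name__ == "__main__":
    print("exact timing:", round(location_error(), 3), "m")
    # 100 ns of clock error at one receiver is 30 m of path difference.
    print("100 ns error at tower 1:", round(location_error([0, 100e-9, 0, 0]), 1), "m")
```

With perfect timestamps the fit recovers the constructed position to well under a centimetre; introducing a 100 ns timing error at one receiver moves the estimate by tens of metres, the order of magnitude of the "about 50 meters" precision cited above. Timing accuracy and receiver geometry, not the handset's cooperation, set the limit.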
+> the final physical design of our battery case will likely include a
+ feature to selectively obscure the rear camera lens.
+This is an extra, but definitely geeky feature: nowadays you can
+recognize privacy activists by the fact that their laptop cameras are
+taped over or covered with stickers. This is because there is a
+widespread awareness among hackers that computer peripherals,
+especially a camera, can be accessed remotely without the user being
+able to notice, as was revealed in late 2013 by former <abbr
+title="Federal Bureau of Investigation">FBI</abbr> official Marcus
+Thomas[^11], and later used in cases of online stalking (and
+extortion)[^12].
+Intel-based computers[^15] and Lenovo laptops[^16] are especially
+suspicious, but it's Apple that holds a series of patents on digital
+camera apparatus, ranging from camera-display superposition[^13],
+which allows eye contact during video conferences--but prevents taping
+over the camera, to infrared-triggered camera prohibition[^14], which
+grants any third party the authority to forbid video capture
+arbitrarily, in an obvious (mis-?)step that can harm freedom of the
+There's no current plan in the Neo900 case design to integrate a
+physical shutter to mask the rear ("selfie") camera.
+### How it works
+> From the outside, the introspection engine will look and behave like
+ a typical battery case for the iPhone 6. However, in addition to
+ providing extra power to the iPhone 6, the case will contain the
+ introspection engine’s electronics core. The electronics core will
+ likely consist of a small FPGA and an independent CPU running a code
+ base completely separate from the iPhone 6’s CPU. This physical
+ isolation of CPU cores minimizes the chance of malware from the
+ phone infecting the introspection engine.
+### Pros and Cons of DRI
+#### Benefits
+- creates awareness about the insecurity of smartphones
+- field-ready add-on (although it requires _modding_ a stock device)
+- potentially enables multiple SIM cards
+#### Limits of This Approach
+As mentioned above, this approach cannot prevent passive ways to
+locate a device: it's pretty clear the only way to do so is to **not**
+use a smartphone. Most journalists simply cannot work with this fact,
+even though 'terrorist laws' may have been putting their sources at
+risk repeatedly over the last decade, including in the U.S.A. and the
+U.K.
+- "when the devices are supposed to be in airplane mode."
+ -> only addresses one feature.
+- only gives awareness, doesn't prevent the abuse: if the artillery is
+ shooting at you, it's probably too late.
+##### "Methods that Do Not Meet our Criteria"
+**semi-intrusive countermeasures**
+> Numerous semi-intrusive countermeasures were considered along the
+ way to our current solution, including but not limited to RF
+ spectrum monitoring, active jamming, and the selective physical
+ isolation or termination of antennae. Semi-intrusive countermeasures
+ would require minimal modification to the phone itself, which is
+ desirable as it simplifies field deployment and could even enable
+ reporters to perform the modifications without any special
+ tools. Unfortunately, all of these methods were deemed to be
+ inadequate, as discussed in the following paragraphs.
+- **RF spectrum monitoring** consists of building an external radio
+ receiver that can detect transmissions emanating from the phone’s
+ radios.
+ The problems with this approach are that
+ - 1) it can only reliably detect active transmissions from the
+ radio, and
+ - 2) malware that passively records the user’s position and delivers
+ it as a deferred payload when the radios are intentionally
+ activated cannot be detected.
+ - Furthermore, this approach is subject to spoofing; false positives
+ can be triggered by the presence of nearby base stations. Such
+ false alarms can confuse the user and eventually lead the user to
+ be conditioned to ignore real alerts in hazardous situations.
+- **Active jamming** consists of building an external radio
+ transmitter that attempts to inject false signals into the
+ radios. Thus, even if malware were to activate the radios and listen
+ for position-revealing signals, it would, in theory, report largely
+ bogus position information. This is particularly effective against
+ GPS, where GPS signals are very weak and thus even a weak local
+ transmitter should be able to overpower the GPS satellites. However,
+ active jamming was ruled out for several reasons.
+ - The jammer’s emissions could create a signal that can be traced to
+ locate the reporter;
+ - the jammer will require substantial battery power, and the user is
+ left vulnerable once the jammer’s power is exhausted.
+ - Furthermore, nearby base stations may still be detected by the
+ receivers, as modern radio protocols have sophisticated designs to
+ protect against unintentional jamming.
+- **Selective physical isolation or termination of the antennae**
+ consists of inserting an electronic switch between the connectors of
+ the logic board and the antenna. The switch, when activated, would
+ shunt the antenna to a matched resistive load, which would greatly
+ reduce the transmission power and receive sensitivity of the radios.
+ - However, experimental verification on the WiFi subsystem indicated
+ that removing the antenna connection and permanently terminating
+ with a shunt resistor still leaked sufficient RF into the
+ receivers for local base stations (e.g., within the same room) to
+ be detected, which could be sufficient information to betray a
+ reporter’s location.
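+To make concrete the deferred-payload problem raised earlier (the "smart exploit" that records during airplane mode and transmits later) and the paper's second objection to RF spectrum monitoring, here is an added Python simulation; it is not code from the paper or from Neo900, and the sample format, the traces and the post-exit heuristic are assumptions.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Sample:
    """One observation of the assumed radio test points (constructed format)."""
    t: float             # seconds since the start of the trace
    airplane_mode: bool  # the state the user selected in the UI
    tx_active: bool      # a cellular/Wi-Fi transmitter seen active


def airplane_mode_alerts(trace: List[Sample]) -> List[float]:
    """The premise of the introspection engine: any transmission while the
    user has selected airplane mode is an alert."""
    return [s.t for s in trace if s.airplane_mode and s.tx_active]


def post_exit_burst_alerts(trace: List[Sample], window: float = 5.0) -> List[float]:
    """Heuristic extension (an assumption, not in the paper): flag transmissions
    in the first `window` seconds after airplane mode is switched off, the
    moment a deferred payload would most likely be flushed."""
    alerts, exit_t = [], None
    for prev, cur in zip(trace, trace[1:]):
        if prev.airplane_mode and not cur.airplane_mode:
            exit_t = cur.t
        if exit_t is not None and cur.tx_active and cur.t - exit_t <= window:
            alerts.append(cur.t)
    return alerts


# Constructed traces.  Naive malware transmits while airplane mode is on.
NAIVE_LEAK = [Sample(0, True, False), Sample(10, True, True), Sample(20, True, False)]

# Deferred malware stays silent in airplane mode and flushes its recording
# the moment the user re-enables the radio.
DEFERRED_LEAK = [Sample(0, True, False), Sample(10, True, False),
                 Sample(20, False, True), Sample(21, False, True)]

# A clean phone whose OS syncs mail as soon as the radio is back: at the
# test points this looks exactly like DEFERRED_LEAK.
BENIGN_RESYNC = [Sample(0, True, False), Sample(10, True, False),
                 Sample(20, False, True), Sample(21, False, True)]

if __name__ == "__main__":
    for name, trace in [("naive", NAIVE_LEAK), ("deferred", DEFERRED_LEAK),
                        ("benign", BENIGN_RESYNC)]:
        print(name, airplane_mode_alerts(trace), post_exit_burst_alerts(trace))
```

+The airplane-mode rule catches the naive leak and misses the deferred one, while the post-exit heuristic fires identically on the deferred leak and on a clean reconnect: the test points alone carry no notion of what the user asked the phone to do, which is exactly the normal-versus-rogue question left open above.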
+##### "Methods that meet our criteria"
+(too long to reproduce here, please see paper)
+### What's on the market to address that or similar problems?
+CryptoPhone's cell tower misconduct monitoring (a software-only
+solution, which assumes the phone has not been compromised in a way
+that disables that feature)
+### How does the Neo900 design address the Rogue Chip problem?
+If you consider that the <abbr>CPU</abbr> can go rogue, an extra layer
+of security is always fine, and an external white rabbit module might
+be useful (provided it successfully tells normal from suspect
+activity, so as to defeat delayed data-leak attacks).
+Nevertheless, Neo900 has a different approach to the Rogue Chip
+Problem: not only does it provide awareness, it also prevents the
+rogue chip from accessing power: instead of monitoring the antenna, it
+acts upstream, directly on the chip's capacity to abuse its position.
+Therefore our hardware design limits what this potentially rogue
+chip can do to the rest of the system: it cannot access the
+<abbr>RAM</abbr> used by the <abbr>OS</abbr>, drastically limiting the
+possibility of software compromise; it cannot draw on the electrical
+power directly, and must ask the <abbr>CPU</abbr> for authorization,
+leaving the user a chance to refuse suspect requests via the
+<abbr>OS</abbr>; it cannot pass orders to the audio chip or other
+peripherals, making it practically impossible to access the microphone
+and camera remotely. As Neo900 can run on 100% free software <abbr
+title="Application Programming Environment">APE</abbr> (e.g., a free
+operating system running the Linux kernel), we consider our approach
+to _direct radio introspection_
+### Can this design benefit Neo900, and are there plans to integrate it?
+> The techniques developed in this work should also be applicable to
+ other makes and models of phones. Pervasive deployment of radio
+ introspection techniques could be assisted with minimal cooperation
+ of system vendors. **By grouping radio control test points together,
+ leaving them exposed, and publishing a terse description of each
+ test point, direct introspection engines can be more rapidly
+ deployed and retrofitted into future smartphones.**
+@wpwrak: what is the status of the highlighted part in Neo900?
+> Furthermore, direct introspection may be extendable beyond the radio
+ interfaces and into the filesystem layer. We theorize an
+ introspection engine attached to the mass storage device within a
+ phone; for example, an FPGA observing the SD bus between the CPU and
+ the eMMC in a typical Android phone implementation. This
+ introspection engine could observe, in real time, file manipulations
+ and flag, or even block, potentially suspicious operations. With
+ further system integration, the introspection engine could even
+ perform an off-line integrity check of the filesystem or disk
+ image. The efficacy of filesystem introspection is enhanced if the
+ system integrator chooses to only sign OS-related files, but not
+ encrypt them. As core OS files contain no user data or secrets,
+ baring (sic) them for direct introspection would not impact the
+ secrecy of user data while enabling third-party attestation of the
+ OS’s integrity.
+@wpwrak, @joerg_rw: anything useful to comment here?
+## A Faraday Cage Cautionary Tale
+**In conclusion: about expectations and reality, and how Maxwell got
+it right, but was ignored, while Feynman got it wrong, and nobody
+> “Security in itself is useless... The upside is always somewhere
+ else. The security is never the thing that you really care about.”
+ -- Linus Torvalds
+The same day Snowden and bunnie published _Against the Law_, the
+Oxford mathematician Lloyd N. Trefethen published [_Surprises of the
+Faraday Cage_][cage], where he tells a quite astonishing story about
+how Richard Feynman's analysis of the Faraday cage in his famous
+_Feynman Lectures_, <q>
+his conclusion of exponential shielding, are completely wrong.</q>
+He goes on to explain why he got interested in the Faraday cage
+effect, how he discovered that nobody seemed to explain it properly,
+ending up asking how one of the most famous effects of electrical
+engineering has remained unanalyzed for 180 years, and how a big
+error in the most famous physics textbook ever published can have gone
+unreported since 1964.
+I leave you with an invitation to read this fantastic cautionary tale,
+and apply, as a conclusion, Trefethen's remark about Feynman's
+description of the Faraday cage effect, to the white rabbit:
+> This is a plausible intuition, but it's wrong.
+Even if an _introspection engine_ worked in practice, it wouldn't
+prevent the rogue signal from being sent. The approach provides a
+good way to heighten public awareness of these issues, and opens a
+debate on concrete ways and means to resist dragnet surveillance of
+communications, explore the intricacies of technical issues at hand,
+and recognize the power struggle regarding proprietary hardware,
+software, and international regulations.
+But to address the problem of having a device that you can take notes
+on, record interviews, take pictures and video with, and that is not a
+tracker, another solution exists: use a computer without a baseband
+processor, with easily removable storage that you can attach to a
+phone for transmission when you choose to. _Modding_ an existing
+consumer grade tablet to remove the baseband processor sounds much
+easier than trying to detect when you're under
+surveillance--hint: as a front-line journalist, you must consider that
+you are. With Neo900, you don't even need to have two devices:
+hardware switches can effectively cut off the baseband processor from
+the power line, by design.
+[3]: /news/about-the-asn1-vulnerability
+[4]:'s_principle "Kerckhoff's Principle"
+[^1]: Interestingly, this book was not translated into English so far.
+[^2]: Philosopher Giorgio Agamben asserts in _Homo Sacer_ the shift
+from nation as territory to nation as people, and respectively
+from human as citizen to human as animal with political rights,
+that needs to be stripped of its citizenship for its life to be
+considered disposable ("sacred"). But the U.S. global surveillance
+program and drone strikes dramatically surpass this concept, as they
+introduce another distinction: "for us, or against us", regardless of
+[^6]: Cory Doctorow in BoingBoing: [Ed Snowden and Andrew "bunnie"
+Huang announce a malware-detecting smartphone case][1]
+[^7]: <>
+[^8]: Andy Greenberg in Wired: [Snowden Designs a Device to Warn if
+Your iPhone’s Radios Are
+[^9]: Robert Hackett in Fortune: [Edward Snowden Designed a Spy-Proof
+[^10]: Nathaniel Mott in The Guardian: [Edward Snowden designs phone
+case to show when data is being
+[^11]: Craig Timberg and Ellen Nakashima in the Washington Post,
+December 6, 2013, [FBI’s search for ‘Mo,’ suspect in bomb threats,
+highlights use of malware for surveillance](
+(original, inaccessible:
+[^12]: Ashkan Soltani and Timothy B. Lee in the Washington Post,
+December 18, 2013: [Research shows how MacBook Webcams can spy on
+their users without
+[^13]: Zach Spear in Apple Insider, January 8, 2009 [Apple files
+patent for camera hidden behind
+[^14]: Ivana Kottasova in CNN Money, June 30, 2016 [Apple patents
+technology to block your phone
+[^15]: [Known vulnerabilities and exploits of Intel AMT](
+[^16]: [Lenovo Caught (3rd Time) Pre-Installing Spyware on its Laptops](
