> A few days later, the county asked Harris for a demonstration open to county supervisors. The company refused, Mr. Simitian said, noting that “only people with badges” would be permitted. Further, he said, the company declined to provide a copy of the nondisclosure agreement — at least until after the demonstration.
> At the meeting in Santa Clara County last month, the county supervisors voted 4 to 1 to authorize the purchase
How on Earth are our elected officials agreeing to such insane requirements? Our Democracy requires transparency to work, and that especially includes allowing oversight by our Legislative members and allowing them to communicate that oversight to their constituents.
There's still a pervasive fear of being the one who let the terrorists win. It's utterly absurd, but when the DHS and FBI are saber rattling and procurement departments have the backing of all the three-letter agencies, town and city officials often show deference. People have been trained to respect authority - not entirely unjustly - but don't realize that we put them in office to be the check we can't be as average citizens.
When people say "nothing will ever be the same" this is what they're talking about.
Edit: we should respect authority, but we shouldn't bow down to it unjustly or allow it to run amok based on FUD.
> How on Earth are our elected officials agreeing to such insane requirements?
Unfortunately, this is what happens when Good People don't get involved in politics. We let the lowest common denominator rule; and they are easily bamboozled by the terror bogeyman.
Word to fellow techies: there are more ways to help your fellow human beings than just doing a "hack for good". Get involved in politics; run for your local office.
> “Disclosure of even minor details” could harm law enforcement, he said, by letting “adversaries” put together the pieces of the technology like assembling a “jigsaw puzzle.”
Then I think this is tied into a much bigger and well-organized system of surveillance. Everyone already pretty much gets they bug cell phones; what's left to piece together? Parallel reconstruction seems crucial enough to our government it's probably semi-automated and I'd wager StingRays are a core component of that.
Security features are not being obscured, exploits and vulnerabilities are. That, of course, is very valuable if you presume that knowledge of vulnerabilities would lead to them being closed and fixed.
In this particular case, the obscurity seems nonsensical because we know very well how StingRay and IMSI catchers in general operate. The reason the vulnerabilities they exploit are not closed is down to inertia in what is a huge market. That's only half of the equation, though; the other side is that while it's a huge market, it is dominated by very few big global companies that posess the necessary resources to pursue R&D in this very specialized area of technology. This is an area where every opensource solution is easily 10, 20 years behind if there even is one at all, and they run on hardware the same age.
The only curious thing here is why theres been this recent hightened interest in IMSI catchers, as the concept is very old, and why there is a particular interest in obscuring the mode of operation, as again, that is theorethically known. The only explanation I can think of is that advances in hardware have made it possible to produce a small (think truck sized) system that can crack various propietary (and generally old) encryption systems used by mobile phones in realtime and thereby gather more data than you could with an IMSI catcher telling victims to use no encryption. But then with 3G and other systems came improved encryption systems that can certainly not be broken in realtime yet.
The only other explanation I can think of is that Harris has deals with various telcos to get the encryption keys beforehand, which would be worth obscuring.
There is also a possibility here that I'm overthinking all of this and the typical defence contractor that is 20 years behind at all times just thinks IMSI catchers are the hot stuff and their IP they need to protect.
> The only other explanation I can think of is that Harris has deals with various telcos to get the encryption keys beforehand, which would be worth obscuring.
I was thinking today about how countermeasures could be developed. A 'GSM base station in a box' went through my hands last year and I played with it a little before reselling/exporting it. To get a phone to signon I had to broadcast the network ID expected by the SIM, otherwise it would see the real one and go there. However, I got successful signons without having any cryptography enabled, so maybe the keys are not necessary.
It would be interesting if the Stingray would be visible with a site survey tool, I imagine it might show up as an additional base station. Maybe it would use a unique ID that did not fit the pattern of the telco's provisioning and therefore stand out.
Or maybe it steals the ID of a base station on the air and acts as a proxy, encouraging devices to signon through it because they would see the higher field strength of the Stingray.
The basic problem with all of them is that the chip in your device with all the information, the baseband, is a separate high-powered processor running completely propietary software, and as such can not be modified to include protection or detection features. The app above only works with root access to a phone with a Qualcomm baseband that happens to have a diagnostic interface installed, which was then reverse-engineered to pickup the necessary information.
The situation is far, far from ideal if you consider that baseband chips will actively collaborate in compromising your privacy and run embedded systems that have never been vetted and are presumably vulnerable to any number of trivial exploits such as buffer overflows.
For GSM the base station does not need any keys, the network is implied trusted.
The "Stingray" will, for sure, show up as an additional base-station, otherwise no mobile will find it... And not using a pattern according to the Telco provisioning is indeed how it will stand out. For example it wouldn't make sense for a "Stingray" (or IMSI catcher, as they are commonly called over here in Europe) to advertise the real Telco's neighbor cells in its advertisements...
> At the meeting in Santa Clara County last month, the county supervisors voted 4 to 1 to authorize the purchase
How on Earth are our elected officials agreeing to such insane requirements? Our Democracy requires transparency to work, and that especially includes allowing oversight by our Legislative members and allowing them to communicate that oversight to their constituents.