Every year, security researchers, hardware hackers and other deep geeks from around the world converge on an English nature reserve for Electromagnetic Field, a hacker campout where participants show off and discuss their research and creations.
Connecting voting machines to the internet is a terrible idea: the machines are already notoriously insecure, and once they're online, anyone, anywhere in the world becomes a potential attacker.
A group of researchers from Oxford and TU Berlin will present their paper, White-Stingray: Evaluating IMSI Catchers Detection Applications, at the Usenix Workshop on Offensive Technologies, demonstrating countermeasures that Stingray vendors could use to beat Stingrays and other "cell-site simulators" (AKA IMSI catchers).
Police who rely on vulnerabilities in crooks' devices are terminally compromised; the best way to protect crime-victims is to publicize and repair defects in systems, but every time a hole is patched, the cops lose a tool they rely on to attack their own adversaries.
During the Standing Rock confrontations, the Electronic Frontier Foundation got reports of police use of IMSI Catchers — secretive surveillance devices used to gather data from nearby cellphones, often called Stingrays or Dirtboxes — so it dispatched lawyers and technologists to monitor the situation, and filed 20 public records requests with law enforcement agencies.
An outstanding post on the EFF's Deeplinks blog by my colleague Ernesto Falcon explains the negligent chain of events that led us into the Stingray disaster, where whole cities are being blanketed in continuous location surveillance, without warrants, public consultation, or due process, thanks to the prevalence of "IMSI catchers" ("Stingrays," "Dirtboxes," "cell-site simulators," etc.) that spy indiscriminately on anyone carrying a cellular phone — something the FCC had a duty to prevent.
The baseband firmware in your phone is the outermost layer of software, the "bare metal" code that has to be implicitly trusted by the phone's operating system and apps to work; a flaw in that firmware means that attackers can do scary things to your phone that the phone itself can't detect or defend against.
If you spend enough time looking at Flightradar24's data about fly-overs of American cities, you can figure out where and when the feds are flying domestic spy-aircraft, watching for the tell-tale circling patterns and mapping the planes' owners to companies that investigative journalists have revealed to be fake cut-outs for the FBI.
Orange County has many claims to fame: Richard Nixon, the S&L scandal, subprime boiler-rooms, Disneyland, an airport honoring a cowboy named Marion, and now, the revelation that its police force secretly uses low-flying surveillance aircraft to break the encryption of thousands of cellphone users, track their movements, and intercept their communications.
The Intercept has obtained a secret government catalog that law enforcement agencies use to source even-more-secret cellular spying devices, mostly variants on the Stingray/Dirtbox, which pretend to be cellular towers in order to harvest the subscriber details of all the people within range (up to an entire city, for the airplane-mounted Dirtboxes).
The DHS's newly released policy statement on the use of Stingrays (stationary fake cellphone towers used to track people in a specific location) and Dirt Boxes (airplane-mounted surveillance that tracks whole populations) represents a welcome, if overdue, transparency in the use of cellphone surveillance by federal agencies.
Governor Jerry Brown has signed the Electronic Communications Privacy Act, which "bars any state law enforcement agency or other investigative entity from compelling a business to turn over any metadata or digital communications—including emails, texts, documents stored in the cloud—without a warrant."
The military surveillance devices known as "Dirtboxes" have been in secret operation for more than a decade, tracking citizens' locations and intercepting their calls, breaking the encryption on hundreds of calls at once.