"5. Reduce the UTS threat by outlawing most domestic surveillance capitalism. Including having severe criminal penalties for companies found illegally capturing, compiling, retaining, selling, sharing, or leaking what has been designated as rightfully private data."
For an example, its quite well known you can do a lot with an off the shelf SDR.
Technically those receivers can capture cell phone signals and other data passively. It would be almost trivial to set up an overlay network in target regions, its not much harder than putting together a local LAN/point to point connection.
There is no indicator its happening because its not active. This also applies to collectors that operate on TEMPEST principles (i.e. the emissions from your device displays).
Active MITM poses worse outcomes, but not strictly needed for these things. Encryption prevents most of this, if its secure but security comes from the visible industry, and visible industry lags behind where the landscape actually is.
There are companies and nations who put satellites in orbit that collect this data who may offer it as a service. Technically you can passively collect any raw signals with an appropriate length of wire for an antenna so there isn't much of a manufacturing bottleneck authorities could exploit.
Without immediate and existential level of consequence, no criminal penalty will ever be enough. Incarceration isn't an existential consequence.
The laws in effect only keep the honest people honest, and equally punish honest people for pointing out the emperor has no clothes.
The FBI/DEA made an anonymous toll-free tip line for people to call with tips on the cartel activity. The cartel was able to get the phone records for people who called the tip line through bribes, extortion, or violence to the telco employees. They identified the people who called the tip lines, and then one-by-one eliminated them all.
makeitdouble•7mo ago
> The hired hacker [...] was able to use the [attache's] mobile phone number to obtain calls made and received, as well as geolocation data, associated with the [attache's] phone."
> the hacker also used Mexico City's camera system to follow the [attache] through the city and identify people the [attache] met with
bilbo0s•7mo ago
It's like the advice I would give to anyone, assume anything you put into a networked digital device, your voice, text, gps trails, oven temperature, anything.. is public, with an unknown publish date. Full stop. Plan your organization's operations in accordance with that assumption.
trod1234•7mo ago
The issues we are having today are also the direct consequential result of collection in those treasure troves of security exploits; instead of fixing them, and their subsequent leaking.
Technically speaking for most common devices and software today, an AS# level attacker can transparently terminate encryption early to MITM with no indicator of compromise.
They can also disrupt interrupt driven communications with similar level of access (where a communication is strategically not sent without either parties awareness of the occurrence except as indirect after-action backscatter).
Princeton wrote a paper on it related to Tor back in 2014 iirc (the Raptor attack or something like that). The structure can easily be applied to more than just Tor, and that level of access would be quite valuable to well funded adversaries.
The incentives toward profit and power along with lack of liability for security, prevent many of the mfg companies involved from having effective security.
I can't remember where but there was a comment in either a talk or -con presentation where someone said the paper suggests TLS fails completely to these type of attacks; and there has been some speculation online as to if there is a connection between this and why leaked guidelines from various places say to never trust TLS.
The lack of security as an outcome can be seen as caused by government regulation mandates for the ISP industry, as thoroughly called out in this talk:
https://cyphercon.com/portfolio/exposing-the-threat-uncoveri...
You can find it available on youtube if they no longer have the direct link on the site.
Security has always had an issue with usability being compromised as security requirements increase. Organizations can't really compete on an even field with their competitors if the competitors have a technological edge because they happen to not be being attacked.