• mechoman444@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    ·
    4 months ago

    Never keep anything on your phone that would require you to lock it.

    I’ve never locked my phone.

  • Uriel238 [all pronouns]@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    29
    ·
    4 months ago

    It’s always a contest between security tools and penetration tools. The problem comes when law enforcement can do this without fair protections of privacy, say if they can easily establish probable cause ( My detection dog is signalling you have illegal data on your phone ) or they are allowed to get a warrant post-hoc for an otherwise illegal search.

    …Or they do the illegal search and then engage in parallel reconstruction e.g. make a fake story about following up on an informant.

    Once the police just seize and crack your phone on a whim, then the state no longer respects your privacy and autonomy, which means you can no longer consent to be governed, rather are controlled by gunpoint (surveillance and use of force). This is one of the critical ingredients to autocratic rule, since it does a lot to neuter the capacity of discontent turning into revolt.

  • Chozo@fedia.io
    link
    fedilink
    arrow-up
    115
    arrow-down
    4
    ·
    4 months ago

    Without knowing how they got into his phone, this is a non-story that is just a retelling of older stories. For all we know they just took his dead finger and put it on the reader. Or maybe he used the same 4-digit PIN for his debit card or lock box or something else that they were able to recover. Maybe some detective just just randomly entered the shooter’s birthday, only to say “Hey sarge, you’re never gonna believe this… first try!”

    There’s nothing useful that can be taken away from this story yet, until more details come out.

      • SineNomineAnonymous@lemmy.ml
        link
        fedilink
        English
        arrow-up
        2
        ·
        4 months ago

        “We tried 0000. Tony, write up a press release about how incredible we are at our job and how we spent 400% of our usual overtime on it and send it to the tech press. Make sure they mention we need to triple next year’s budget for security and shit.”

    • glowie@h4x0r.host
      link
      fedilink
      English
      arrow-up
      19
      arrow-down
      1
      ·
      4 months ago

      Or unknown NGO software was used. But you’re right. A nothing burger for now.

    • 0x0@programming.dev
      link
      fedilink
      English
      arrow-up
      24
      arrow-down
      1
      ·
      4 months ago

      they just took his dead finger and put it on the reader.

      My bet’s on this.

    • XNX@slrpnk.net
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      16
      ·
      4 months ago

      Using a dead persons finger is not possible though

    • SineNomineAnonymous@lemmy.ml
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      4 months ago

      Exactly. The article doesn’t shy away from a bit of free publicity for Cellerite. Which is nowhere near as much of a magic bullet as the “tech media” makes it out to be.

      How do I know it? By doing the most basic of research by heading to their website and looking at their manuals and documentation.

      And Cellerite won’t tell you this publicly because their bottom line depends on their ability to massively overprice their services which they sell to technically illiterate people.

      Any article that mentions Cellerite without a caveat about the dubiousness of their publicity can be disregarded and shouldn’t be taken seriously.

  • Maggoty@lemmy.world
    link
    fedilink
    English
    arrow-up
    10
    ·
    4 months ago

    This is the would be assassin’s phone.

    They gave that to the NSA or FBI Counter Intel guys who are hooked in with NSA.

    Your phone is not going there.

    However I would be on the lookout for that tech coming down the pipelines.

  • anlumo@lemmy.world
    link
    fedilink
    English
    arrow-up
    29
    arrow-down
    1
    ·
    4 months ago

    I’m pretty sure it used to be easier with phones that didn’t have full disk encryption.

  • AutoTL;DR@lemmings.worldB
    link
    fedilink
    English
    arrow-up
    6
    ·
    4 months ago

    This is the best summary I could come up with:


    Just two days after the attempted assassination at former President Donald Trump’s rally in Butler, Pennsylvania, the FBI announced it “gained access” to the shooter’s phone.

    Cooper Quintin, a security researcher and senior staff technologist with the Electronic Frontier Foundation, said that law enforcement agencies have several tools at their disposal to extract data from phones.

    The bureau famously butted heads with Apple in late 2015 after the company refused to help law enforcement get around the encryption on the San Bernardino, California shooter’s iPhone.

    Early in the following year, Apple refused a federal court order to help the FBI access the shooter’s phone, which the company said would effectively require it to build a backdoor for the iPhone’s encryption software.

    “The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor,” Cook wrote.

    Riana Pfefferkorn, a research scholar at the Stanford Internet Observatory, said the Pensacola shooting was one of the last times federal law enforcement agencies loudly denounced encryption.


    The original article contains 1,208 words, the summary contains 180 words. Saved 85%. I’m a bot and I’m open source!

  • communism@lemmy.ml
    link
    fedilink
    English
    arrow-up
    5
    ·
    4 months ago

    For GrapheneOS full disk encryption, am I correct in understanding that the disk is encrypted when my phone is locked and decrypted when I unlock it? So I don’t need to turn it off for it to be encrypted, as long as it’s locked it’s encrypted?

  • henfredemars@infosec.pub
    link
    fedilink
    English
    arrow-up
    14
    ·
    4 months ago

    Easier is a very relative term. It’ll be really expensive to use a genuine zero-day to do it. Such exploits are few and far between.

    • catloaf@lemm.ee
      link
      fedilink
      English
      arrow-up
      4
      ·
      4 months ago

      But known exploits that have been patched, but not applied because they didn’t update their phone, are plentiful enough.

      Update your phones. Reboot them regularly, too.

      • henfredemars@infosec.pub
        link
        fedilink
        English
        arrow-up
        3
        ·
        4 months ago

        This is true, but becoming an increasingly less important factor because devices now ship with automatic updates enabled by default.

        Personally, if I had to guess as someone who studies exploits for a living, I’d wager the device isn’t the most recent model and is probably a few years old, so there are likely known unpatchable bootrom or firmware bugs that can be used from their private arsenal without having to risk an actual zero day exploit.

    • dwindling7373@feddit.it
      link
      fedilink
      English
      arrow-up
      10
      ·
      edit-2
      4 months ago

      How is it expensive? It is if it eqates to the zero day becoming of public domain, and this is not the case here. They can say they guessed the password while in fact they exploited some unknown vulnerability…

      • henfredemars@infosec.pub
        link
        fedilink
        English
        arrow-up
        3
        ·
        4 months ago

        Zero days are extremely expensive costing in the millions of dollars even if you’re not publishing exploit details. Just using it is extremely costly because each attempt exposes your bug to the world, which is an opportunity that it could get caught and patched. Android and iPhone both have mechanisms to detect and report crashes which could easily cost you your bug. Plus, on the exploit markets, a bug that hasn’t been used is worth more because there have been literally zero days of opportunity to defend against it.

        There is definitely a cost to using something that expensive and that requires a necessary level of risk. You’ve got to be worth it, and the supply of such bugs is extremely low and sometimes zero depending on your exact software version.

        • dwindling7373@feddit.it
          link
          fedilink
          English
          arrow-up
          1
          ·
          4 months ago

          Yes except we are talking about the government of the USA? Markets law are warped in this context. Do you think they sell those? To who? To what purpose, finance healthcare spending? The phone may call home and have things patched? You think they are unable to prevent a phone to call home?

          What?

          • henfredemars@infosec.pub
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            4 months ago

            It is not as simple as you imagine. Sometimes a specific bug requires the device to think it’s online and providing this illusion is not perfect. You don’t just plug it in and push a button and you’re good unless perhaps you’ve got a really good bug. Often times, hitting the precise code area required to exploit a bug involves weird scenarios. For example, you might have to talk to the base station for the cell phone tower that can properly authenticate first before you can attack a bug. Sometimes, the bug involves an interaction between multiple phones. It’s not just some magic signals you sent down the cable necessarily. You have to hit the weird behavior. Most trivial stuff exposed over USB has been examined thoroughly. You need to get creative to find more attack surface. There are bugs like that, but you are mistaken if you think categorically there is not risk in exploiting some bugs that can break into a phone. Sometimes it’s trivial to ensure information about your bug is contained. Sometimes it’s not.

            The money isn’t a concern about greed or actually making cash. The money reflects the value and scarcity of these bugs. With that said, yes they sell the exploits. Usually, the people who find the bugs are the ones doing the selling. There’s actually an entire market that exchanges this information if you know the right people. As an obvious example, mercenary malware contains exploits for these bugs. These are organizations like NSO group that buy and sell the information that you would use to do this.

        • SineNomineAnonymous@lemmy.ml
          link
          fedilink
          English
          arrow-up
          2
          ·
          4 months ago

          to be fair to the incompetent people in law enforcement, I do believe “trying to kill a presidential candidate slated to win and being a millimeter away from getting it done” would justify relying on a 0-day.

  • bdonvr@thelemmy.club
    link
    fedilink
    English
    arrow-up
    30
    arrow-down
    3
    ·
    4 months ago

    Good chance it was just putting the dead dudes finger on the scanner lmao

      • bdonvr@thelemmy.club
        link
        fedilink
        English
        arrow-up
        16
        ·
        edit-2
        4 months ago

        Unless disabled by timeout, restart, or otherwise manually I’m curious to know why that would be?

        Of course the dude had to know this was a one way trip, I’d have wiped everything but then again maybe they didn’t care at that point.

        • kingthrillgore@lemmy.ml
          link
          fedilink
          English
          arrow-up
          2
          ·
          4 months ago

          Wiping isn’t a 100% thing with either Hard disks or Flash. He should have thrown everything into a wood chipper. And yes, this absolutely has to be a one way trip. Either they get you, or you turn the gun on yourself. Nothing good will come of you surviving.

        • willsenior@lemm.ee
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          18
          ·
          4 months ago

          It is hit or miss. The fingerprint button is also looking for the electrical signals of a living person. Apparently, that doesn’t end immediately upon death.