Schneier on Security

Clive Robinson • November 2, 2021 1:58 PM

@ Stéphane Bortzmeyer,

So, turning off your tracking device (your smartphone) now makes you a suspect.

It is the modern version of “behaving suspiciously”.

Anyone who plans to do something has two problems with regards the planed scene to be,

1, Explaining they were not there.
2, Explaining where they were.

Those with sufficient resources solve both be getting another party to carry out the plan.

They then just behave normally, or make the plan coincide with some public function they attend and have many independent witnesses. Their only problem is ensuring they are noticed and remembered which is not that hard when you think about it.

Others used to “loan” a friend who looks similar to them their credit card, mobile phone, etc so they go out for the night and spend on the cards in various places maybe send a few texts fron there etc (but not take or make voice calls). The friend being wise enough to be careful to avoid CCTV. Obviously this is getting more difficult due to the increase not just of CCTV but the miniaturization and hiding of high resolution cameras that make facial recognition and other ML systems to identify people etc a breeze…

Streetwise kids in London go out in groups and swap not just phones, but travel cards, and as they go along clothes and back packs etc they also “mill” amongst themselves making tracking hard. That is they create so much noise in the CCTV footage that it’s never going to be believable in court, and almost anyone can say they were “in the group”.

So what does someone planing to do something do to not be where they are carrying it out.

Well the first is to “run silent” that is no phone use only cash have clothes etc in a bag they can use to change their appearence several times. Unfortunately CCTV is to numerous and “body build” and “gait” are very very hard to disguise.

A second option is “run under false flag”. Which is to appear as an identifiable individual using their phone, cards, clothes etc. This is a highly risky strategy for a whole variety of reasons, but it can be done.

One variation that is almost in the realms of fantasy is for you to “set someone up” to be the prime suspect. That is in effect you carefully get travel cards, burner phone etc and associate them with the target in various ways prior to the planed action. You then at the planed place ensure that there is “contact” / “trace” of the objects, and likewise contact evidence of the place on the objects. Having carried out the plan you then arange for the objects to be found at a place such as the targets home in a way that looks like there was an effort to destroy them that failed. Whilst it is a near fantasy for people making plans, a variation of it most definately not. That is “fitting up” suspects that certain UK police forces have been caught doing over the years to “get results”.

But that still leaves the problem of being somewhere else and this is actually quite hard to do convincingly. Just leaving your phone at home or turning it off is not going to work.

The reason “humans are creatures of habit”. Unless you plan otherwise for quite some time before hand the change in your behaviour will show up in cell phone records etc, like a shining beacon.

So you have to do two things as a minimum,

1, Change your habits a long time in advance (ie six months or more).
2, Have a believable and verifiable reason to have changed your habits.

The easiest way to do this is not to have a plan and then have to change habits, just change your habits now bit by vit. That is say tommorow you become just a little eratic in how you use your phone, and over time become more erratic or make changes for shopping and going out that gives you “me time” or “windows of opportunity” etc.

That is if you plan to go out for the evening with the girls/guys, turn your phone off the night before when you go to bed, putting it on charge. Then only turn it on when you say get to work in the morning. Over time you make the night before put on charge or turn off earlier and earlier then you have a believable window. Sometimes just turn it off before you leave work. If anyone asks why “saving the battery for night out” helps establish patterns in other peoples heads as well as cell records. Bit by bit you build up space or “windows of opportunity” that you can, if you later need to plan something use to your advantage. Likewise if something unexpected happens the fact that your phone was off when it’s most likely to happen gives you space.

There are several other things you can do, but the point is “habits are a strong signal”. Much worse if you “break habits they are as strong a signal” of “difference” thus circumstantial evidence that can be easily made to look like “guilt”.

If you don’t have “habits” then all you make is “noise” which makes the circumstantial evidence harder but still arguable by a prosecutor. The real trick is to have weak habits that work in your favour that way you have counter argument to assumptions of guilt.

People get taught such techniques as part of basic “field craft” courses so that if they have to meet a handler or visit a drop box etc there is not a visable pattern in what they do that correlates such meetings etc.

Aside from people “flapping their gums” which gets police well over 80% of their suspects, t’s all about “finding,patterns”. Not just in your activities but in other peoples activities that coincide or correlate over time. In communications we talk about “Traffic Analysis” in other activities they talk about “contact networks” and similar. In all cases they are looking for patterns and correlation. These are getting the “trickle down” effect and moving out from intelligence agencies into law enforcment agencies, as well as private contractors / consultants working for large corporates etc.

In all cases the investigators MO is get a list of potential suspects as a starting point, droping those who have credible alibies etc, till there are just a few “likely suspects” then the game changes the investigators stop looking to eliminate suspects, but find indicators of guilt. But at all points of an investigation individuals are automatically assumed guilty untill proven not guilty in one way or another. Circumstantial evidence almost never makes you “not guilty” but it very often does make people “guilty”.

That is in the eyes of investigators, circumstantial evidence is just “random” / “chance” when it might clear you. But “probative” / “probable” when it might make you guilty. This is a cognative bias at work, and nearly all investigators have it. Because they are almost always “results driven” and a “result” is “finding someone guilty” as far as they are concerned “anyone will do” even if the happen to be innocent. Because “results matter, justice is irrelevant”, “case closed move on”.

That’s why the sound advice is “Never ever speak to investigators even if you are innocent” there is absolutly no benifit in it for you, and potentially significant harm. Even telling the truth can make you look guilty. You say you were on a bus, they won’t try at all hard to find witnesses, it’s a lot of pointless work for them because you’re guilty anyway… They are more likely to try and find some one who thinks they saw someone vaguely like you, and warp their memory. That way in court the prosecution claim there was no evidence your story was true, but a witness very definately places you at the scene. That takes a jury just about long enough to have a cup of coffee to find you guilty…

Clive Robinson • November 2, 2021 5:34 PM

@ Alan,

If you read @bennybryant17, it’s clear his “core competence” is not cellular phones.

Because he missed something quite important.

If you read @tomiahonen thread in tweet /8 you find,

“There is a process called triangulation, by which the network knows roughly where you are, accuracy of about one city block“

Is realy not true for a whole host of reasons, not least of which is what counts as a city block anyway?

Very roughly in the US it’s an area 1/16th of a mile by 1/8th of a mile. This is not a shape that fits snugly into either a circle or the more traditional triangulation “cocked hat” triangle.

Yes I know some people informaly use a “block” as a measure of distance by saying “Oh it’s about five blocks from here” but again it has no meaning when talking about radient signals eminating from a point.

But there are other issues, triangulation by cell tower is not done by measuring angles, but by measuring “time delay” in theoryvas with GPS it could be very accurate…

In practice it’s not. If you are in a totaly open space and can see all three cell site masts then yes you get the best accuracy but it’s not that good. However the minute you can not see a cell site mast, there are two big issues that arise,

1, Multipath
2, Reflection increased path length.

Without going into details both can very significantly effect the times used to calculate distance thus position.

Anyone who has worked in the mobile phone industry should be able to tell you why they perform considerable surveys, and it’s not just to check to see if all streets get coverage.

Firstly even in a perfectly open environment the accuracy of the location varies with time delay from the mast. So you end up with a variable degree of accuracy. In effect you have a circle around each of the sites representing time delay. Where the three circles cross is aproximately where the mobile will be in theory… Each circle has a width so you end up with a very funny shape sort of triangle, called for historic reasons a “cocked hat” there four there are four places the mobile “might” be in. The first is inside the triangle, the other three are outside the triangle aproximately bounded by a distance equivalent to the point of the triangle furthest away from the side. In practice it’s quite a lot more uncertain.

If the mobile signal is blocked by a building from the direct path to a cell tower, then the signal will arive via one or more reflections that are of unknown extra time delay. This has the effect of moving that sites time circle to have a larger radius which can be quite significant. Thus the cocked hat will not just enlarge the cocked hat significantly it will have a high degree of uncertainty related to the number of reflections (think RMS).

Another side effect of reflections is as a mobile moves at a constant rate along a straight path, the position reported by the time delays “jumps” and if you just overlaid on a map you might well appear to jump several streets away in just a few seconds. In fact you could end up appearing to junp back and forth like a flea on a hot griddle, at very very unlikely speeds…

So where are you?

Are you at one end of the jump or the other or some point in between. The answer is “Err” that is it is unknown you are in effect in any or all of those places so you are in an elipse or lozenge shaped area with no real way of determining, because it does not matter what method you use to average, the only thing you will have any degree of certainty on is “It’s most likely wrong”.

Even 5G with it’s fancy beam stearing is not going to realy improve on things, in fact it could easily be a whole lot worse…

The point is these PlonkerBoys et al are very probaly not that bright, their alledged leaders certainly are not. They probably don’t have the levels of confidence a well trained infantry squad would have. Theirfore they are likely to either stay in eyesight of the leader or directly adjacent to an easily recognised land mark. Most probably they would stay quite close if not very close to each other. Which would have the net effect as far as cell tower triangulation of putting them in the same place.

Therefor I suspect as there was a lot of CCTV around and the idiots dressed in recognisable ways, the FBI would probably use CCTV footage rather than cell tower triangulation.

Thus I would say that @tomiahonen is putting way to much butter on his bread and hoping to get as much jam. Or if you prefere a more rural expression his story “ain’t worth the price of a pile of horse apples”.

P.S. People should realise that most people who work for cell manufacturers or mobile service providers are not at all technical in fact they tend to be sales / marketing / admin / janitorial etc. The number of people who are actually involved with the design of mobile phones, again only a very small number will have technical expertise on the radio side. If memory serves, from an interview he gave to a podcast in the entirety of Nokia they only had one person doing the RF design work around the antenna…

When I worked in a similar environment the “electronics” engineers were few and only three had RF design capability and most of the time –more than 90%– they did not do RF work but all the other bits including mechanical design. In other organisations I worked in RF design was done by the “device manufacturer” as “App Notes” that just got copied. In fact there is only one company I worked for outside of the “Defence Industry” where true RF design and inovation was done. I was one and worked “contract” not “permi” the other was one of the owners of the company and he and I had gone to school together. Sadly he died accidentally a little over a year ago. The last project we worked on was a light weight low cost UV-C anti-viral personal breathing apparatus for doctors and nurses. We had developed a prototype but due to his death it all stopped.

Clive Robinson • November 3, 2021 5:09 AM

@ anon, SpaceLifeForm, ALL,

This is why I put a phone cradle on my Roomba so that my phone moves randomly around the house all of the time

Do not forget that Roomba’s are now[1] like ET… “They phone home” to the mothership, thus creating “third party records” of their movments…

Speaking of “movments” tell “Mr Kitty” that no matter what it looks like, the Roomba is not a “litter tray” 😉

[1] I’m not sure when the Roomba manufacturers actually went full on creepy with their “surveillance of the customer” “for fun and profit” but it is a very significant personal security risk, and thus the advice of “Do not give them house room” would appear to apply.

Clive Robinson • November 3, 2021 9:49 AM

@ Winter, ALL,

With regards,

https://wrongfulconvictionsblog.org/2012/06/01/cell-tower-triangulation-how-it-works/

It has several “errors” in it, that overal would give rise to a misunderstanding of the issues in reality.

This shows up most in the diagrams of tower fixes. They take a 20,000ft view of a perfect earth for the purposes of easy explanation. The reality is “anything but easy”.

So they diagrams are “simplified and idealised” which whilst making explanation easier on the eye they are misleading to put it politely even as a “first aproximation”.

The first thing to realise is the three sector antennas do not behave in the way indicated even in an idealised form. The antennas often used are “vertical” shallow open “corner reflector antennas”[1] which not only have a main or major forward lobe they also have side or minor lobes. Generally their “front to back ratio” is very high even though their forward gain is low for cellular work.

Take the one tower fix diagram, it shows the area nearly correctly for an idealised case. However in reality it would actually extend about one third of the way into the adjacent sectors as antenna “main lobe” radiation patters are never “straight line”, and that is before you consider “side lobes” effects.

Whilst in the second diagram the lozenge shape is nearly correct –it’s actually mostly slightly banana shaped as you are not equidistant– in an idealized way. However even in the idealised for it is actuall too small and in reality would be nearly twice as long as shown.

However the diagram of three towers shows it incorrect not just in that the area is less than a quater the size it realy is. Worse the shape in reality even as a first aproximation be either a circle or an elipse. It would be more triangluar as the underlying curves clearly show.

If you look carefully you can see the so called “cocked hat” triangle made by the bold brown, blue and green lines. The red circle just covers it which is wrong. To see why imagine the actual error width of those lines you can see from the first diagram, now superimpose them you end up with a much larger triangle.

But the diagram shows the towers more or less equidistant, which they almost never are. Also it shows the mobile being in the middle of each sector, thus they can use idealised circles. As indicated that does not happen in practice, so the shape of the curves is actually more like a clover leaf outline. You thus have to see that in your mind for even the first aproximation.

But it gets worse those near random objects distorting the pattern with reflections and shadowing even when mapped out by survey the are almost always inacurate. For instance imagine what effect a construction crane has when a short distance from the cell antennas? This happens frequently in cities not just at the Center but out into more urban areas, especially as “high rise housing” is spreading quite rapidly.

So in practice if you are just talking signal strength then the patterns would be considerably larger and fairly distorted and likewise the error on the mobile position almost entirely unpredictavle with any acuracy.

And importantlt changing constantly and unpredictably due to shadowing and reflection of objects rising up from the terrain, such as trees and their leaves in the dry and in the wet.

To see how bad this can all be, do you remember those “wave machines” from school lab classes, where an oscillating probe generats circularly radiating waves?

Do you remember the pattern when you put a pencil or finger in?

Now imagine the effects of three oscillating probe and say just four randomly placed pencils. Now imagine it with hundreds if not thousands of pencils or other objects.

Which brings us to,

“Using cell tower triangulation (3 towers), it is possible to determine a phone location to within an area of “about” ¾ square mile.”

That 3/4 square mile, is about 100 hundred US “city blocks” that are 1/16th by 1/8th of a square mile.

But as I’ve shown it is atleast 4 times that, so you are looking at an area of 3squ miles, or something like 3-10 “super blocks” or around ~350 “city blocks”. I’ll let others convert that area into a diameter because that is a not unreasonable indicator of the error…

So if you get out a map how much would that cover of say Pennsylvania Ave and surounding areas?

It’s why the time delay is prefered for aproximate location as on average it produces smaller areas. But on occasions due to multiple reflections can make larger areas of apparently compleatly random shape.

[1] For a more detailed analysis of coner reflector antennas see,

https://core.ac.uk/download/pdf/30695739.pdf

But it is a PhD thesis so may be heavy going for those not happy with playing with Maxwell’s Equations in three dimensional geometry.

[2] A simplified explanation of a deep corner reflector antenna,

https://electronicsdesk.com/corner-reflector.html

Because the corner is 90 degrees or less and the radiating element mounted deep wirhin it, the main beam is quite tight and has quite a degree of gain as can be seen in the radiation patern. For cellular use the corner is opened out to 135 degrees or more and the radiating element is mounted in a much more shallow or open way. This has the effect of reducing the gain considerably but opening the main or major lobe out such that it’s half power points are around 130-150 degrees. But also the side or minor lodes you see in the radiation diagram become not just wider but priportionate to the main lobe considerably larger. This obviously has a significant effect when talking about position finding by signal strength. The result is that on most cell antenna systems a mobile mostly appears in two of the three sectors, and sometimes all three.

Clive Robinson • November 4, 2021 8:13 AM

@ Winter, JonKnowsNothing, ALL,

Legwork, indeed.

Or,

“Parallel Construction”?

Or,

“Somewhere in between”?

We don’t know and don’t have any way to find out from afar, we will just have to wait on more information.

However for the point of discussion and potential “learning new tricks” that this old dog likes to do, lets “Walk it through”,

One of the things about security is it’s nearly all about “intelligence gathering and application”[1].

In the popular conception of the Inteligence Community(IC) they talk of “methods and sources” for intelligence gathering (observation).

The important point that is often missed though is normally,

“They Only work when the target is not aware of them”.

For instance the Chinese Government became aware of spys/agents because the CIA had bad handling techniques. Shortly there after the CIA lost it’s spys/agents.

The more recent Encrochat etc supposadly secure phones that “alleged” criminals were using. Now that “cat is out the bag” those who were not rounded up, are going to change their tactics.

So from a potential “crime prevention” point of view firstly a valuable information “source” has gone dark, but also now that “method” will not work again either (or should not if the alleged criminals have more than a couple of brain cells).

But it works the other way,

Which can be seen with physical defences. If you have a bullet proof electronic lock, then are criminals stymied? Yes, unless they gather intelligence and find out about it. If they do then that enables them to work out a way to bypass it or pursuade or trick someone into divulging the entry code.

So even physical defences rely in part on keeping them unknown to an adversary. But where that is not possible they can still work as a deterant or delaying tactic. That is a massive wall with barbed wire, CCTV, bright lights, etc tells a criminal two things,

1, Some one has spent a lot of money on defences.
2, They can not easily get past the defences “they can see”.

So they might well “assume” a lot of money has also been spent on defences they can not see… Which might well not be true but deters any way. Lesser criminals might consider what they can see is “too much trouble” so are detered. Whilst criminals who can get past also know it is going to take time, a lot of it, thus question if the delaying tactic is there because there are hidden alarms, that will bring a response before they can get not just in and out, but clear away.

Which brings us into “tactics” if you know an advarsary is going to take a certain route, Do you put up a show of force so they might “surrender” or do you put things out of sight create a “Take down area” / “kill zone” and ambush them?

The down sides of a show of force, is that the adversary might take hostages or worse “go down or run with guns blazing” either way creating casualties to your forces or uninvolved others (collateral damage).

That is “supprise” is achieved where your intelligence enables you to plan but the adverasaries intelligence fails to give them time to plan counter measures thus they have to “react” effectively instinctively.

Sometimes the best way to react is counter intuative to the monkey brain instinct that sends you scurrying up a tree. So the way to stop that instinct is by training and the “learned pattern” takes control.

It’s why there is the saying,

“Fail to learn, is plan to fail”

Which also gives rise to,

“Fail to plan, is learn to fail”

As an outcome…

Something the IT industry appears not to have heard…

[1] Yes even what we call “physical defences” such as fences, gates, locks, walls, barbed wire came about due to, the first three steps of the basic scientific method,

1, Observation.
2, Hypothesize.
3, Test.

Which actuall is the same as “inteligence gathering and application”.