I was sorry to read about the dissolution of CPSR in Peter Neumann's recent Risks Digest. CPSR was one of the first computer-related activist groups, and their members and speakers at conferences and events, including myself on occasion, typically provided a colorful commentary and insightful critique of technology policy issues. But I strongly disagree with Douglas Schuler's assessment that "the age of the participatory membership organization is over." Far from it. What is waining are the stodgy inbred groups that have failed to continue to attract audiences beyond the greybeard set, in part due to their leadership's inability or unwillingness to use social media. CPSR's website at <cpsr.org> looks like it hasn't been updated since 2008, and doesn't sport links to Facebook, LinkedIn, and Twitter pages (likely because it never set up any). This notice of its disbanding in 2013 seems like a belated formality. Many socially-relevant groups, like EFF and Richard Stallman's Free Software Foundation, are still going strong. IEEE has over 400,000 members world-wide, with many thousands who are actively involved in their stateside public policy arm, IEEE-USA. Meetup provides a forum where anyone with any particular pet peeve can find like-minded others and easily establish a group, some of which grow to 1000+ in membership in less than a year. Princeton Tech Meetup, though not specifically policy-focused, is a good example. Their recent meeting notice included mention of an upcoming event "Hacking Asbury" by an associated group, Jersey Shore Tech Meetup. “It's more than a conference and more than a hackathon—it's a community event for people to come out and hear some great speakers, sit with some outstanding mentors, or build something cool to show the community. 
Throw in some food and beer and it's pretty much a summer BBQ for hackers, builders, & entrepreneurs'' If one wants to talk about public policy or make changes at the grassroots level, this is a great way to do it. CPSR has only itself to blame for not adapting to the times while still retaining its focus on its key issues that are even more relevant in an era of cel-phone triggered bombs, ubiquitous spy-cams, and killer drones. Yet their Public Sphere Project, though well intentioned, is another example of backward-thinking. Cataloguing of activist groups is unnecessary, partly because some prefer to operate underground, but mainly because the rest can already be found via search engines and social media. There's no way that the PSP list will ever be able to stay as current or comprehensive as these other methods, so it is a futile effort. Although it is sentimentally sad to see CPSR go, the lesson in its departure is that those groups that cannot keep up with the constant change of technology will, and perhaps should, be left behind. As Dylan sang, "...don't criticize what you can't understand...your old road is rapidly agin', please get out of the new one if you can't lend your hand, for the times they are a-changin'." Sayonara, Rebecca Mercuri. [Note: Permission granted to post this message, only in its entirety, without editing.]
http://news.slashdot.org/story/13/05/25/139218/worlds-biggest-agile-software-project-close-to-failure [Agile Is Fragile? PGN]
Chris Paoli, *Redmond Magazine*, 22 May 2013 http://redmondmag.com/articles/2013/05/22/patched-office-flaw.aspx
Anyone who's been familiar with typical IT projects can recognize the problems that a department head at Kia Motors America Inc., D. Casey Flaherty, talks about in his article "Trust, But Verify". http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202592919953 (Free registration required) He mentions how you contact a vendor, and despite the fact they do keep track of what they do and how long it usually takes, they usually can't give a good estimate of what it will take to do the job in terms of resources, how much it will cost, and how long it will take. Now, is Mr. Flaherty CIO at KIA or someone involved in software development? No, he's Chief Legal Counsel and 'a vendor' is outside counsel at a law firm. He gives an example: "Request that outside counsel provide you with a budget estimate for a common task, such as an opposition to a motion for summary judgment. When counsel respond that they are unable to construct a budget for a content-free hypothetical, ask that they merely provide you a range of costs for a final budget. If they supply that range, ask how they developed it, and what data it is based on... Most law firms are religious about recording attorneys' time... Yet, ask for a budget for a prospective task and you typically are fed a word salad about uniqueness, idiosyncrasies, contingencies, etc. In short, you are subjected to that most lawyerly of all phrases: 'It depends.'" The article might be extremely comical except for the fact it points up (which he is not aware is also a problem in other industries than his own [like ours]) a rather nasty problem that we, as programmers, analysts, developers and (allegedly!) software professionals, working in a technologically-advanced profession, often don't even have information about what we're doing, we have no metrics to even offer reasonable estimates, and when we do offer estimates they're (also, like lawyers) often woefully deficient in both time and resources. 
Plus, programmers tend to be horrible negotiators, if management demands the impossible, if the programmer or (former programmer and now) programming manager, is asked to accomplish something by a date certain that he (knew or) should know/should have known, doesn't provide enough time to do so, instead of pushing back and saying the deadline is too tight, will go along, and end up with either a missed deadline, a rushed and buggy project, or, worst case, the project gets canceled and you might simply have wasted both the money spent to build the project as well as the time lost to work on it (and the time of the people who spent time working on it), that either you never get back, or, worse, if you need something to solve the problem and can't just walk away and not do anything (and continue with the existing solution), you now have to start a brand new project and start all over (and take a risk that you'll end up, with what would otherwise be another in a laughingly humorous cycle of 'lather, rinse, repeat' failed projects. Only no one's laughing, or worse, your company ends up wasting so much resources that it goes out of business). And, looking at his article, this adds a new set of risks. If an IT project is too expensive or is going to take too long, you can cancel it and either use what you were doing before or perhaps use what you did get and do something else for the part it doesn't accomplish. If you're having to sue someone—or worse, defend your company against a suit—you can't just cancel the lawsuit, you'd either default and never get relief for a contract breach or some injury, you'd have to pay a default judgment (which if the plaintiff asked for an unreasonable amount of money, like a trillion dollars, they might actually be awarded that as a judgment), or in the worst case, some people could be subject to criminal liability and maybe someone goes to jail or prison. 
But if you can't even get reasonable estimates from your outside lawyers, no wonder lawsuits are so expensive. But we do have one advantage, at least if you cancel a partially completed IT project you might have a partial solution! A partially completed lawsuit leaves you with nothing but a very expensive fiction story. (If you actually believe the stuff in legal briefs has anything to do with truth or reality, well, I have some ocean-front property in Las Vegas you really want to buy! ('really' = 'before you regain your sanity/come to your senses, and stop payment on the check').)
First some background: a) Everybody who is doing business in Greece, whether a person or company, needs to have a unique id which is called the AFM. When issuing an AFM the Greek IRS collects information about the "entity" (individual or company) which includes the name, address, telephone number of the entity. If the "entity" is a self employed person, then this information most likely is his or her home address. If any of this information changes, the "entity" must notify the Greek IRS so that the record may be updated. b) The agency (www.gsis.gr) that handles IT for the Greek IRS has recently created a web-based interface to its database so that anybody (without authentication or prior registration) may submit an AFM and receive the informational record of the entity that corresponds to that AFM (or an error if the entity is not active or the submitted number has not been allocated to an entity). c) Since the AFM numbers consist of 8 numeric digits (plus a check digit which is derived from the other 8) and are clustered in large allocation chunks, it clearly follows that somebody could data mine the GSIS system (by submitting all possible combinations of AFM numbers within each cluster) and create a duplicate of the GSIS database [1]. And, of course, someone did. So we have a site (greekafm.com) that provides a web-based application that gives the same information as the GSIS site. Now here comes the interesting part. Google has indexed the greekafm site, thus the entire copy of the GSIS database is now available for searches via Google. Possible queries include searches not only by AFM, but by telephone number, name, street address and so on. I wonder how long it will be before somebody integrates this with Google maps. 
Another probably beneficial side-effect is that now everybody can see the numerous errors that this database contains (dead people who are still considered active, extinct companies that appear to be in business, 7-digit phone numbers, despite the fact that these have been obsolete for more than a decade, and so on). Vassilis Prevelakis, Institut fuer Datentechnik und Kommunikationsnetze Technische Universitaet Braunschweig [1] Amazingly, the GSIS system did not mind if large numbers of queries of sequential AFM numbers were submitted from the same IP address over a short time frame. This would indicate that the GSIS administrators did not care if someone was overtly copying their database.
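The pattern footnote [1] says went unnoticed, written as a check a site operator could run over lookup logs. This is an added example, not part of the original post and not GSIS code; the log format, thresholds, IP addresses and AFM values are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# All thresholds are assumptions chosen for the example, not GSIS values.
WINDOW = timedelta(minutes=1)  # look-back window per client
MAX_DISTINCT = 5               # distinct records one client may look up per window
MIN_RUN = 4                    # consecutive identifiers that count as a sweep


def parse(line):
    """Parse a constructed log line: '<ISO timestamp> <client ip> <9-digit AFM>'."""
    ts, ip, afm = line.split()
    if len(afm) != 9 or not afm.isdigit():
        raise ValueError(f"malformed AFM in log line: {line!r}")
    # The ninth digit is a check digit derived from the first eight, so only
    # the 8-digit prefix says which record was requested.
    return datetime.fromisoformat(ts), ip, int(afm[:8])


def longest_run(prefixes):
    """Length of the longest run of consecutive integers in a set."""
    best = 0
    for p in prefixes:
        if p - 1 not in prefixes:  # p starts a run
            n = 1
            while p + n in prefixes:
                n += 1
            best = max(best, n)
    return best


def detect_enumeration(lines):
    """Return {ip: (reason, time_of_first_alert)} for clients that appear to
    be walking the identifier space. Lines must be in time order per client."""
    recent = defaultdict(deque)  # ip -> (timestamp, prefix) pairs inside WINDOW
    alerts = {}
    for line in lines:
        ts, ip, prefix = parse(line)
        q = recent[ip]
        q.append((ts, prefix))
        while ts - q[0][0] > WINDOW:  # expire lookups older than the window
            q.popleft()
        if ip in alerts:
            continue
        distinct = {p for _, p in q}
        if longest_run(distinct) >= MIN_RUN:
            alerts[ip] = ("sequential", ts)
        elif len(distinct) > MAX_DISTINCT:
            alerts[ip] = ("volume", ts)
    return alerts


# Constructed sample log; the AFM values are made up and not checked for validity.
SAMPLE_LOG = [
    "2013-05-20T10:00:00 192.0.2.10 100000010",
    "2013-05-20T10:00:01 192.0.2.10 100000020",
    "2013-05-20T10:00:02 192.0.2.10 100000030",
    "2013-05-20T10:00:03 192.0.2.10 100000040",
    "2013-05-20T10:00:04 192.0.2.10 100000050",
    "2013-05-20T10:00:05 198.51.100.7 123456780",
    "2013-05-20T10:00:40 198.51.100.7 123456780",
    "2013-05-20T10:01:30 198.51.100.7 555000110",
    "2013-05-20T10:02:00 203.0.113.5 200000100",
    "2013-05-20T10:02:05 203.0.113.5 200000300",
    "2013-05-20T10:02:10 203.0.113.5 200000500",
    "2013-05-20T10:02:15 203.0.113.5 200000700",
    "2013-05-20T10:02:20 203.0.113.5 200000900",
    "2013-05-20T10:02:25 203.0.113.5 200001100",
]

if __name__ == "__main__":
    for ip, (reason, when) in detect_enumeration(SAMPLE_LOG).items():
        print(f"{when.isoformat()} {ip} flagged: {reason}")
```

An alert from a check like this would normally feed throttling or a challenge on the lookup endpoint, since the service as described requires no authentication or registration.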
In a short, droll video about Twitter's two-factor authentication, Alexander congratulates Twitter for joining a "security two-step program" and taking the first step, admitting a problem exists. He then goes on to illustrate just how little the SMS-based two-factor authentication helps. "Your new solution leaves the door wide open," said Alexander, "for the same man-in-the-middle attacks that compromised the reputations of major news sources and celebrities." http://j.mp/10YVC2m (PCMag via NNSquad)
[Note: This item comes from friend Steve Schear. DLH] Mark Frauenfelder, *BoingBoing*, 22 May 2013 http://boingboing.net/2013/05/22/curious-press-release-from-pho.html Seecrypt costs $3 a month and allows subscribers to make encrypted phone calls to each other. It promises a "100% protected network through encryption between two callers anywhere in the world." Sounds interesting and useful for keeping government snoops away. However, the press release issued today tells a somewhat different story: Seecrypt CEO Mornay Walters: `Seecrypt will pro-actively assist law enforcement agencies to prevent criminal activity being carried out using this encryption service. Our technology is designed to restore privacy rights for legitimate usage, Seecrypt's Privacy Network has been designed so that it can terminate access rights immediately for any individual identified by law enforcement or other governmental authorities as suspected of improper use.'' Does that mean that if someone is using Seecrypt and the government starts investigating them the service simply shuts off? If so, it's a great way for criminals to learn that they are under investigation. Or does it mean that Seecrypt will let the suspect make calls without letting them know that the encryption has been disabled? Or, does it mean Seecrypt will do something else that I can't think of? I e-mailed Seecrypt to find out and will share my answer when I get it. ... Dewayne-Net RSS Feed: <http://www.warpspeed.com/wordpress>
"Google Android, Apple iOS, BlackBerry, and Windows Mobile devices have an inherent security weakness in the method they use for connecting to Wi-Fi networks that has the potential for exploitation by skilled cyber-attackers says security expert Raul Siles. The vulnerability is dependent on how the network is added to the device and stems from the procedure where Mobile devices keep a list of manually configured wireless networks plus any networks it has previously connected to on a Preferred Network List (PNL)." http://j.mp/16agpYE (Net-Security via NNSquad)
Stephen Lawson, IDG News Service, InfoWorld Home, 22 May 2013 Attacks on mobile devices are rising just as PC malware soared with the Web, Kaspersky Lab says http://www.infoworld.com/t/mobile-technology/growing-mobile-malware-threat-swirls-mostly-around-android-219147
German hackers discovered Microsoft was visiting websites up to 3 hours later after they were mentioned in Skype messages, which was then verified by creating some special weblinks on their own servers that could not have been discovered any other way—sure enough, visits took place shortly after mentioning them on Skype. The details can be read at http://www.h-online.com/security/features/Skype-s-ominous-link-checking-facts-and-speculation-1865629.html, but here is a summary: Attentive hackers found that encrypted website links (https) were visited from a Microsoft owned location up to several hours after they were mentioned in Skype messages. After this was verified, Microsoft was asked for answers, and it replied with statements that did not seem to match the fact. However, even more important is that the activity ended after those questions, which suggests to me that this wasn't some automatic system buried somewhere in their infrastructure—it was an actively supervised process. Which raises its own questions... Peter Houppermans, Private & Confidential Group, Switzerland E ph@pncg.ch T +41 43 433 1090 W http://pncg.ch
Recently Microsoft has been running TV commercials deriding Google for reading your e-mail to cue advertisers to send you "targeted" spam. How ironic that Microsoft's Skype service has been caught using the contents of chat messages passed through their service. http://siliconangle.com/blog/2013/05/21/skype-privacy-doesnt-exist-sorry-microsoft-can-read-everything/
http://www.infoworld.com/d/security/microsoft-peeking-your-skype-messages-219100 John P. Mello Jr., PC World/InfoWorld Home, 22 May 2013 Ars Technica says Microsoft appears to be scanning Skype messages for security reasons, but what's done with the information is unknown.
The City of Akron is in the process of getting to taxpayers who may have had their information posted on a hacker website. City officials confirm that a hacker group in Turkey posted personal and financial information of nearly 8,000 Akron taxpayers. rest: http://www.akronnewsnow.com/news/local/item/87525-cyber-attack-affects-thousands-of-akron-taxpayers or: http://goo.gl/OsLCG
Making Quantum Encryption Practical (Larry Hardesty, *MIT News*, 20 May 2013) Massachusetts Institute of Technology (MIT) researchers who proposed solutions to practical problems with quantum key distribution (QKD) as a method of secure data transmission have now demonstrated their method experimentally, proving all of their theoretical predictions. QKD is intended for cryptographic key distribution for non-quantum cryptography, because every bit received requires the transmission of an enormous volume of bits, which is acceptable for key distribution but not for general-purpose communication. In addition, QKD systems depend on photon properties and thus are highly susceptible to signal loss, especially over large distances, and usually only work across distances of about 100 miles. The MIT team addressed these challenges with a new quantum communication protocol that is far more resilient to signal loss than QKD, and transmits only one bit for every one received. The mutual dependency of electron spins orbiting the nucleus of an atom at the same distance is known as entanglement, which is delicate and begins to break down as soon as particles interact with their immediate environments. With the new protocol, even if the entanglement between two light beams breaks down and correlation returns to classical limits, it can remain much higher than it would be if the beams had started with a classical correlation. http://web.mit.edu/newsoffice/2013/making-quantum-encryption-practical-0520.html
Anton Troianovski, *Wall Street Journal*, 21 May 2013 Big phone companies have begun to sell the vast troves of data they gather about their subscribers' locations, travels and Web-browsing habits. The information provides a powerful tool for marketers but raises new privacy concerns. Even as Americans browsing the Internet grow more accustomed to having every move tracked, combining that information with a detailed accounting of their movements in the real world has long been considered particularly sensitive. The new offerings are also evidence of a shift in the relationship between carriers and their subscribers. Instead of merely offering customers a trusted conduit for communication, carriers are coming to see subscribers as sources of data that can be mined for profit, a practice more common among providers of free online services like Google Inc. and Facebook Inc. When a Verizon Wireless customer navigates to a website on her smartphone today, information about that website, her location and her demographic background may end up as a data point in a product called Precision Market Insights. The product, which Verizon launched in October 2012 after trial runs, offers businesses like malls, stadiums and billboard owners statistics about the activities and backgrounds of cellphone users in particular locations. ... http://online.wsj.com/article/SB10001424127887323463704578497153556847658.html
> The *World Street Journal* (16 May 2013) ran an article on systems that > allow pilots and air traffic controllers to communicate via text messages > [1]...... the risks of the new technology seem to get a short shrift. This is not "new technology", it is well-tried and -tested technology. The protocol is called CPDLC (for Controller-Pilot Data-Link Communication) and it has been in regular use for a decade and a half on trans-Pacific flights, and for many years in Europe at the Maastricht center. See the second paragraph of the WSJ article. There is an ICAO spec for it. It's newer to the US, though, which I take it is why the WSJ is interested now. For the history of CPDLC use, see the "Implementation" section of http://en.wikipedia.org/wiki/Controller–pilot_data_link_communications which is more or less accurate. The point about CPDLC is that it replaces voice for routine communications. Obviously "text messages" are the payload for the kind of information transmitted. A concern which I had 15 years ago was that the payload is transmitted in cleartext and thereby theoretically open to spoofing. I didn't think that would be much of a problem with the transoceanic FANS/1 implementation, because that goes via satellite. But it turns out there haven't been any significant incidents of spoofing with any of the implementations, nor with the other protocols (there are many) which involve air-ground exchange of textual information. Peter Bernard Ladkin, Causalis Limited and University of Bielefeld www.causalis.com www.rvs.uni-bielefeld.de
I fully agree that text-based communication can be better than voice-based. My worry is about those "pop-up windows with various choices of standard messages" described in the article. I think that having the controllers actually *type* short unambiguous messages that would follow a specific protocol would be less risky. Choosing by accident the wrong element from a pop-up window will result in a valid but incorrect message that the other end is likely to act upon. On the other hand, a mis-typed message is far more likely to appear garbled or nonsensical on the other end prompting a request for a correction.
> What could possibly go wrong? Plenty, but the relevant question is how this compares to the current situation using voice communication and often impenetrable accents. It also seems to me that it depends a lot on the details of the implementation, e.g., if the popup leaves some sort of hint on the plane's track to remind the controller of what message he or she sent.
>> What could possibly go wrong? > Plenty, Actually, very little. The protocol is known as CPDLC, and replaces voice communications with electronic messages, when desired. It has been running at Maastricht Upper Airspace Control (MUAC), some of the busiest en-route airspace in Europe, for over a decade. This is upper-airspace stuff, concerned with routing on airways and assignment of flight levels. The routine error rates are known through long experience with CPDLC at Maastricht. More precisely, > The Maastricht Upper Area Control Centre (MUAC) has been pioneering the use of CPDLC for over a decade, and in 2012 close to 105,000 logons by some 77 different airlines were recorded, exchanging an average of 670 messages with MUAC every day. The proportion of flights resorting to CPDLC has been regularly increasing in recent years. http://www.eurocontrol.int/sites/default/files/content/documents/official-documents/brochures/2013-cpdlc.pdf There is a fair amount of information on all aspects of Maastricht upper airspace control at http://www.eurocontrol.int/articles/maastricht-upper-area-control-centre-muac-publications I see the security concerns to do with spoofing. If you work through the possibilities of spoofing, you will find that the necessary error-correction is already present in the routine defined activities of voice-based ATC. As I just said in private to Diomidis: If you as a pilot get an odd ATC clearance then you decline and confirm by voice, whereby the spoofing becomes immediately apparent. Since this is broadcast, any confirmation by an aircraft of an illicit clearance will be seen by ATC and immediately queried. Any spoofed confirmation by an aircraft will result in ATC querying why the aircraft is not following the accepted clearance (which is a phenomenon which occurs regularly in any case). Any spoofed request will result in an ATC reply, which will be seen by the aircraft and queried. 
Suppose in any case that a spoof works (even though I have just argued that it shouldn't). Then an aircraft will be deviating from flight level, or from route. This will be apparent on radar; even picked up and flagged by some of the supervision SW with which ATC systems work nowadays. And result in an ATC query. That is just routine work. There might be a question how the presence of CPDLC spoofing attempts would affect the statistics on error during the routine activities. We can't know that until somebody starts spoofing on a grand scale. If that should happen, I imagine RTCA and EUROCAE (the industry bodies which define these protocols) will move quickly to a version of CPDLC with encryption. Exactly the same question arises with railway control. There is a European-wide system for wireless control defined, based on a wireless transmission protocol known as GSM-R (that is, mobile-phone GSM adapted for rail). As with CPDLC, it supplants voice control. They have gone overboard on the security. All they need is authentication, but they have gone for a symmetric scheme with centralised key management. When I heard about it at a conference last November, I said "what on earth are you doing that for?" and gave some colleagues in German rail a hard time. But they pointed out that the scheme is already European law so that is what everyone has to implement. (Yet more evidence that political science should become a required part of engineering education.) >> ....but the relevant question is how this compares to the current >> situation using voice communication and often impenetrable accents. >> >> It also seems to me that it depends a lot on the details of the >> implementation, e.g., if the popup leaves some sort of hint on the >> plane's track to remind the controller of what message he or she sent. > > I fully agree that text-based communication can be better than >> voice-based. 
My worry is about those "pop-up windows with various >> choices of standard messages" described in the article... As far as I know, the relevant human factors analysis has gone into the design of the current CPDLC interfaces (Eurocontrol has some of the leading people in human-machine-interface human factors) and at this point there has been considerable experience with these systems. I can probably put you in touch with the people who are involved with it if you want to pursue it. Peter Bernard Ladkin Causalis Limited and University of Bielefeld www.causalis.com www.rvs.uni-bielefeld.de
> As far as I know, the relevant human factors analysis has gone into the > design of the current CPDLC interfaces (Eurocontrol has some of the > leading people in human-machine-interface human factors) and at this > point there has been considerable experience with these systems. Great, this sounds quite reassuring. It seems we're learning from past mistakes.
http://lauren.vortex.com/archive/001034.html Oh boy. The "Commission on the Theft of American Intellectual Property" has released its long awaited report, and it's 90 or so pages of doom, gloom, and the bizarre—including one section that had me almost literally doing a "spit-take" onto my screens while sipping my morning coffee. ( http://j.mp/12BLvSj [IP Commission—PDF] ) I'm not going to try critique the entire report here and now. As you'd expect, it presents a dire scenario of intellectual property theft run amok, and while offering only a few words of lip service to the grossly flawed measurement methodologies that vastly overstate dollar losses in various sectors, the report instead suggests that those exaggerations are actually understatements—that the problem is far, far worse than we ever imagined. Oh, the horror. The horror. But we expected this sort of skew to massively hyperbolize the underlying actual problems of IP theft. What you may not have expected, however, is that the authors of this report appear to have been smoking "funny cigarettes" during its drafting. OK, we don't know this for a fact, but it's otherwise difficult to wrap your mind around this specific proposal in the "cyber" section of the report: "Additionally, software can be written that will allow only authorized users to open files containing valuable information. If an unauthorized person accesses the information, a range of actions might then occur. For example, the file could be rendered inaccessible and the unauthorized user's computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account. Such measures do not violate existing laws on the use of the Internet, yet they serve to blunt attacks and stabilize a cyber incident to provide both time and evidence for law enforcement to become involved." Booooing! Say what? Is this the parody section of the report? 
Something from "The Onion" or perhaps a "Saturday Night Live" skit? I'm afraid they're serious. And what they're proposing is no less than the legitimizing of a form of malware that has attacked vast numbers of Internet users, costing them immense lost time, money, and grief. You may have been unlucky enough to see this for yourself. It comes in various forms, but generally it claims to be a law enforcement warning (often saying it's from the FBI). It accuses you of having some kind of "illicit" material (usually a copyright violation and/or porn) on your system, and demands that you contact an address for "more information"—or even that you make immediate payment of a "fine" to release your computer. Your webcam may even be surreptitiously used to include your photo to further confuse and upset you. Of course, this is all a scam. If you go to that address, you'll likely download more malware, or be directed to provide credit card or bank account info to pay for your "violation" of law. Even if you pay, you have no assurance that this malware will go away. Even if it does seem to release you, it may hang around in the background sucking up your private information, bank account access data, and who knows what else. Consumers attacked by this class of malware have spent enormous sums to get it actually cleaned out, and very many have been directly defrauded by it as well. And of course, these systems can't be used for anything else while the malware is actively threatening you. So now we have the IP Commission suggesting that firms be allowed to use basically this same technique—pop up on someone's computer because you *believe* they've stolen something from you, terrify them with law enforcement threats, and lock them out of their (possibly crucial) data and applications as well. What the hell are these guys thinking? 
Outside of the enormous collateral damage this sort of "permitted malware" regime could do to innocents—how would the average user be able to tell the difference between this class of malware and the fraudulent variety that is currently a scourge across the Net? What's more, how can it possibly be justified to lock users out of their systems on this sort of unilateral basis? How much "theft"—even when it actually occurred—is enough to justify locking someone out of their private applications and data, some of which may be absolutely necessary to their daily lives. I could get into a lot of technical details about this, but we can just cut to the chase for now: the whole concept is utterly insane, and frankly calls into question the competency of the commission in general. With our own commissions coming up with idiotic, dangerous nonsense like this, we may have more to worry about from their kind of thinking than from the "cyber-crooks" themselves. And that's really, seriously, scary. Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren Co-Founder: People For Internet Responsibility: http://www.pfir.org/pfir-info Founder: - Network Neutrality Squad: http://www.nnsquad.org - PRIVACY Forum: http://www.vortex.com/privacy-info - Data Wisdom Explorers League: http://www.dwel.org - Global Coalition for Transparent Internet Performance: http://www.gctip.org Tel: +1 (818) 225-2800 / Skype: vortex.com
Dave, the best way in the past to ensure anonymity was to buy a prepaid cellphone for cash. That way there is no way to tie one's identity to the phone. Or so we thought. Researchers have found just using location information available at the cell towers is enough to identify you. http://phys.org/news/2013-03-easy-identity-cell.html In other words, you can't hide any more, especially if they want to find you. --Tony > Date: Friday, May 24, 2013 > From: doug humphrey > Subject: Re: [IP] Cell phone tracking—an example > Turning off GPS does not stop cell phone tracking, unless you are talking > about shooting down the satellites :-) > Your phone communicates to cell phone towers (antennas on towers to be > technical) and since multiple of them can see your phone signal at once, > they triangulate on your location and know where you are. yes, if your > phone has GPS turned on and can just tell them the GPS location fix, then > it is more accurate, but for a long time phones had no GPS capability and > cell phone location worked just fine. > If the phone is powered up, then its location is known. period. and > remember, just because you "turned it off" does not always mean that it is > turned off. if the radios in the phone are powered, then it is likely > "ping ponging" with the cell towers and they know where you are. has > nothing to do with making a call or use the phone in any way. > doug >> Begin forwarded message: >> >> From: Dan Gillmor <dan@gillmor.com> >> Subject: Re: [IP] Cell phone tracking—an example >> Date: May 24, 2013 3:01:16 PM EDT >> >> Given the vanishingly small likelihood that companies or governments will >> do anything about this, I'm interested in what countermeasures we can take >> individually. The obvious one is to turn off GPS except on rare occasions. >> >> I'll be discussing all this in an upcoming book, and in my Guardian column >> soon. So I'd welcome ideas. >> >> Dan