Rebirthday 2013
Wow, has it really been over a year since I wrote anything here? That sucks. I’ve been thinking recently that I really should start blogging again but my job kinda nixes writing anything publicly about technical matters; I’ve been waiting for something good to come along that was worth writing about and which wasn’t going to get me in trouble. I think I finally found something 
Spoiler alert: This post is going to be very personal and not at all technical. I may actually open up comments for the first time in *forever* when I’m done though, so stay tuned.
Yesterday was my Rebirthday – the second anniversary of the day I that I finally made up my mind to transition permanently. I really don’t feel like the same person who made that decision; my world has changed so much since that day and I really do feel like I’ve become an entirely new person. I’m actually quite proud of this shiny new me and it feels like a story that I need to tell – this celebration seems like a good reason to do that, and hopefully it’ll spur me into writing more about transexualism and all it involves. Perhaps someone, somewhere will find something positive in my experience that makes their own journey a little easier, and if not then I guess all you cisgendered folks will just learn a little more about what us trans folks go through on our journeys of self-discovery.
The scene: it’s May 21st 2011, and my wife and I are about to get on a plane to Las Vegas. We’ve bought ourselves tickets to go and see Kylie Minogue at Caesar’s Palace on the last night of her US tour, so a long weekend of fun awaits us. This time things are different though – I’m dressed as a woman, and I’m about to go through my first female TSA patdown.
I had been flirting with changing my gender for about a year and a half, essentially waking up every day and deciding what gender to present for that day. Since I was self-employed I had a lot of flexibility; if I had important meetings that day I would usually present male (so as not to freak anyone out), but otherwise I’d probably present as a woman. I’d go back and forth as necessity dictated, terrified that the sky would fall down on me if I made the wrong choice – dressing as a woman had certainly led to some unexpected encounters (my landlord was a little surprised when he stopped by one day) but I had never had a problem. It had taken me the better part of a decade to sufficiently come to terms with my own gender that I could leave the house dressed as a woman, and I’d found a certain level of comfort in doing so.
That day was different though. I don’t like going through TSA at the best of times (it’s *far* too invasive for my taste) and this time I had no fallback plan – I had decided to present as a woman for the entire trip and had no male clothes with me at all. I was *way* out of my comfort zone, utterly terrified, and yet oddly comforted at the same time – I was, after all, just being myself. I had familiarised myself with the appropriate TSA regulations, I had a lawyer from ACLU on speed-dial in case anything did go wrong, and I was all set for a trip to Vegas.
I have never been so scared in all my life as I was going through that security checkpoint. I kept running through nightmare scenarios in my head, playing out how things could go, trying to plan for every possible eventuality. And then it was over in the blink of an eye, completely uneventful. Nothing happened, and before I knew it we were on the plane and headed to Vegas (still shaking from fear, but otherwise unharmed).
The trip itself was amazing. We got our makeup professionally done before the concert, I got to wear one of my favourite party dresses, Kylie was her usual dazzling self, and the concert was everything we hoped it would be. We gambled, we drank, we partied, and I did it all in dresses and skirts and high heels and makeup and all the trimmings (as Vegas demands!). The trip home was marginally less scary (I’d done it once so it wasn’t as terrifying) and before I knew it it was all over.
It was a day or two after the trip that it really sank in what had happened. I had gone through one of the most terrifying things I could possibly imagine, and not only had TSA been no big deal but I’d ended up *really* glad I had chosen that path for that trip – being myself for those few days had been completely comforting and enjoyable. I’d had a *fabulous* time, and there had been no negative repercussions whatsoever. I quickly realised three things:
1: Whenever I felt like I had a choice, I was choosing to be a woman.
2: Whenever I felt like I *had* to be male it upset me immensely – I truly hated it.
3: If I could cope with TSA as a woman, I could cope with anything.
I finally realised that the only impediment to permanently changing my gender was my own fear, and I also realised that that fear was completely unfounded. I had made my mind up – I was going to stay a woman for the rest of my days, and that I really was able to deal with the world as a woman. A month later I had one of my first surgeries to make that life a little easier, and a month after that I started hormones. My life had finally begun.
Two years on, I fell like that scared little girl is finally (mostly) gone. Estrogen has changed both my brain and my body in so many ways, both expected and unexpected (that’s another post entirely) but almost all good; transition has had very few downsides for me. The worst is that I now get PMS (as my wife calls it) – I’m on a 3-month Estrogen cycle and for the last month of that (when my levels are starting to drop) I get super bitchy, easily upset, and generally a little unstable. Most women are like this for a week every month; I’m like it for a month every 3 months. It occurs to me that when that’s the worst thing I can point to about my life it’s really been a good move for me – it’s really not much of a downside.
On the other hand, I’ve found a level of inner peace and self-acceptance that I never even knew existed. I understand myself, I understand other people, and the world is just so much easier to live in nowadays – I’ve made some *amazing* friends (something I was never really able to do as a man) and I can look myself in the mirror every day and truthfully say that *I like my life* – that’s a really big deal when you’ve spent 33 years in deep depression. Most of the people I see on a daily basis never knew Chris and completely accept me as Kristin; looking back it feels like I never really was Chris, I was just Kristin pretending to be a boy and doing a lousy job of it. I sleep at night. I don’t get random fits of anger and frustration and hatred at the entire world for making me the way I am – I’ve found myself, and I’m finally happy.
One sad part about all of this is my family. I’ve really enjoyed re-meeting people and getting to know them all over again, and I’ve not had the chance to do that with my family yet – and I probably never will with my parents. I’ll never forget when I came out to them and my father asked if it meant I was “going to start sniffing bicycle saddles”, as if transexualism was synonymous with the most deviant sexual fetishism that humankind can conjure; likewise I’ll never forget when my mother (after encouraging me to wear what I wanted when I was visiting) scolded me for going to get something from my car while wearing a skirt, because “What if the neighbours see?”. They instilled in me a shame and self-loathing that took me a very long time to get over and made me alienate much of the rest of my family along the way (after equating them with the same viewpoint); after they found out the truth and I found out that most of them are actually wonderful, caring people who really don’t see a problem I’ve been trying to rebuild some bridges. It’s hard to keep in touch when you’re a continent away but Facebook helps a lot, and I’m looking forward to getting an opportunity to see them again soon. I miss having parents but it’s taken me a long, long time to get over the way they made me feel about myself, and I don’t know that I can cope yet with re-introducing that into my life. Some day, perhaps, but not today.
It’s hard to think of a “best thing” that’s come out of this for me – there are so many. I love finally being able to dress the way I want to, I love wearing makeup (I like to think I’m pretty good with it by now), I love understanding myself and being able to have true, close friends. I love being able to interact with the world in a way that actually makes sense to me, and have the world interact with me in similar fashion; I love seeing the effect that my vanishing depression has had on my wife as her constant worrying about me lifts and eases. I love my life, I love my friends, and while (of course) there’s still things I would change, I’ve finally found a place in this world that I’m happy with.
So hi. I’m Kristin, a 2-year-old woman. Would you like to be friends?
Shmoocon 2012
In the absence of an “official” download link for these so far (although I’m sure they’ll be up on the Shmoocon page soon enough), my slides from Shmoocon this year. Seems it got a little press coverage and a whole bunch of attention on Twitter, so I figured I should get these out ASAP.
Hopefully video will be up soon but if anyone has questions about the talk in the meantime please ping me (ideally on twitter) and I’ll update the FAQ as and when I can.
FAQ:
What hardware / software were you using?
I used a Vivopay 4500 contactless card reader, an MSE-750 magstripe reader/writer, a Square dongle for my cellphone (on Android, not iPhone), and some code I wrote based on 3ricj‘s PwnPass code (no longer publicly available, afaik).
How did you get magstripe data from a contactless read?
The contactless reader spits out magstripe-formatted data as its intended mode of operation. I get valid Track1 / Track2 info (lacking only the name, which is usually “Valued Cardmember” or some such), which I just copy and paste to T1 / T2 on the MSR. There’s really not much to it – and yes, I’m processing credit card transactions without knowing the cardholder’s name.
Can you use the resultant card data online?
I get a valid cardnumber and expiry date (both usually the same as printed on the face of the card) and a single-use CVV value. If you can find somewhere online that’ll let you process a transaction with nothing but a card number and expiry date then yes you could, but otherwise you’re restricted to writing a magstripe and using that.
This is old news – XYZ did this years ago
I’m certainly not the first person to demo RFID vulnerabilities in payment cards. I haven’t heard of a full end-to-end demo before (RFID -> magstripe -> Square -> Profit!) but that doesn’t mean it’s not been done; I won’t be the last either as long as the industry keeps denying the problems. Now that it’s been irrefutably proven live on-stage that contactless fraud is possible I’m hoping that some of these issues can be addressed; if not don’t expect me to be the last person to talk about it either.
So what’s the deal with the CVV?
Credit cards have 3 CVV codes, one printed on the back of the card, a second encoded onto the magstripe, and a third from the RFID which changes with each read. Square (as well as some other combinations of PoS terminal + backend processor) is unable to tell the difference between an RFID transaction and a magstripe transaction, so as long as the CVV is valid (i.e. it’s being played back in-sequence with no repeats) the transaction goes through.
Gay Marriage and Gender Transition
I haven’t posted here in a while since most of what I’ve been working on must stay secret for the moment, however I tweeted a couple of things today that I think really deserve a fuller explanation. This post is deeply personal and not at all security-related so if you’re only here for the infosec stop reading now; if you’re still here let’s start with what I tweeted and go from there.
1/2 I now meet all requirements to change my legal gender in the state/country where I live (California, USA) and the country I’m from (UK).
2/2 If I did so, none of the three would allow my happy seven-year-old marriage to continue. I am required to divorce my wife first #crying
Where to start?
I started getting curious about the first point coming back from a doctors visit today. I had just ticked “F” on a form for the first time and was idly wondering when I could change my drivers license. As it turns out it takes a doctor to attest that both my “gender identification” and my “demeanour” are female; that gets me a court order (the same court order as my name change if desired) and everything goes from there. My green card is slightly different, in this case I must get my doctor to attest that I have “undergone clinical treatment” to become female; I actually now have several doctors who could complete this for me despite the short list of accepted specialties. The UK requires me to live as female for 2 years before I “qualify”, however they would likely defer to my US transition and grant it based on that alone.
This came as a real surprise to me. The idea of changing all my legal documents really snuck up on me – I remember reading about it all a while ago and thinking that it was a while before I’d have to worry about it; as it turns out “a while” has passed. This would have made me ecstatically happy if it weren’t for the second part of this.
In the UK there is one additional requirement before they will recognise my gender transition: I must provide the “gender recognition panel” with a copy of my divorce decree. You read that right, I am compelled to divorce my wife of almost 7 years before I can change the “M” to an “F” on my passport. California isn’t even that explicit – proposition 8 simply says “Only marriage between a man and a woman is valid or recognized in California”. If I change my drivers license then it’s simply *poof*, my marriage isn’t valid any more. Federally I’m no better off; if I chose to drive across the country my marriage would go from valid to invalid several times along the journey – I guess the same thing happens at high speed when I get on a plane, and I don’t even want to know what the consequences are to any contracts that my wife and I sign given the complexities of where companies are “based” nowadays.
Nobody should ever have to feel like this. I’m upset that the government is forcing me to choose between my gender identity and my marriage; the “Defense Of Marriage Act” is a joke. I’m ashamed of my country, both the one I’m originally from and the one where I currently live – and I’m especially ashamed of California for passing Proposition 8. I’m angry that this is all driven by people’s hatred of each other; some crazy religious folks decided that the brightly-dressed people at Pride shouldn’t be treated the same as everyone else and suddenly my marriage is invalidated against my (and my wife’s) wishes. I’m confused as to how the world could have gotten so broken without anyone noticing, and I’m so very, very sad for everyone else who’s caught up in this ridiculousness.
Somewhere, deep underneath it all, I’m still ecstatically happy that I’ve reached this milestone. It’s been a long time coming and I’m *really* looking forward to being my sparkly-pretty shiny new self for Blackhat and Defcon this year; on a wider perspective I see gay marriage legalising in New York and it gives me hope for humanity after all.
Isn’t it time we fixed this?
Samsung Vibrant Engineering Menu
I’ve got one major complaint about my Samsung Vibrant that I’ve not yet found a solution for – the headphones are way too quiet. When I tried to watch Avatar on a flight home a few days ago I couldn’t hear a single word that was said despite full volume on two completely different headsets. I gave up pretty quickly, it really wasn’t worth the effort.
When I got home a quick bit of googling led me to this post about a volume fix for the i7500. My Vibrant is an i9000 but the code to access the engineering menu (*#197328640# in Dialer) worked just the same – I’m assuming it’s standard across all recent Samsungs, not just the Galaxy S series.
There’s all manner of goodies in there; I’ve yet to find a fix for my volume issue despite all manner of apparently volume-related controls. I did find some other great stuff though, a quick summary:
Menu 1,8,7,2,2,1 should be “WCDMA ALL” – choosing this will disable 2G network access entirely. I’ve verified that it does indeed disable 2G but I’ve not verified how much of the phone still works afterwards – be careful with this one! Menu 1,8,7,2,1 to reset back to 2G and 3G combined, should be “Automatic”.
Menu 1,8,3,1 displays the current ciphering status, i.e. whether or not your current call is currently encrypted.
Menu 1,8,8 is called “Auto Answer”. While this looks like fun I couldn’t get it to work; I expect you can do the same with an Android application anyway.
Menu 1,8,7,7 is “IMSI replacement”. The IMSI is the equivalent of a username in GSM, so replacing it is a potentially bad thing to do. I didn’t mess with this since I didn’t have a BTS to hand at the time; next time I bring one online I’ll check it out.
Menu 6,2,3 is “PCM Logging”, I’m assuming that PCM means “Pulse Code Modulation“, i.e. the audio path. I managed to enable this one but couldn’t find any recordings, I’m guessing it’s either going to a “special” directory that I don’t have (and therefore it’s failing) or it’s going down a debug port.
Speaking of debug ports, menu 6,4 is “Diag Config” with various settings for debug logs via USB, UART, or IPC, with interesting settings like “Ramdump On/Off”.
For the GSM hackers: menu 1,4 gives your closest 6 UMTS PSCs and RSCPs or your closest 6 2G ARFCNs (with signal strength) while menu 1,1 gives you the current Band, MCC/MNC, RSSI, CellID and LAC.
Menu 1,8,2 is worth it’s own mention – apparently “FAKE SECURITY” is “Not support” (screenshot )
Offtopic: If you want to disable 2G on your Motorola Droid you can do so by first accessing the Programming Menu: ##PROGRAM in Dialer and hit send, the password is 000000. Select “08 Test Mode”, click Enabled, Next, Next, and set “Network Mode” to EvDo only. I’ve actually verified that this does break the phone though (cannot send SMS or make calls) so you might not want to do that. ultramegaman says that the “SPC password” doesn’t work on the Motorola Milestone – I’m shocked that someone, somewhere thought that “000000″ wasn’t secure.
Finally, I started reverse-engineering the applet that displays that menu. I haven’t gotten much further than running apktool and dedexer across it thus far but already the failure is pretty epic. This is the top-level manifest file for the apk, i.e. the starting point for everything that the .apk does (if you see a blank page view source or try another browser – Firefox works, Chrome doesn’t) and scroll down a couple pages. Pretty soon you’ll see:
<action android:name="android.provider.Telephony.SECRET_CODE"/>
<data android:scheme="android_secret_code" android:host="197328640"/>
which is, of course, the “secret code” that gets you into the engineering menu. That’s not all though, there’s pages and pages of them – 41 secret codes in all by my count. I’ve no idea what they all do (although many seem to be replicas of each other) but there’s certainly some fun to be had poking around it all.
$50 goes to the first person to tell me how to make my headphones louder – I just don’t have the time to sit down and tweak every control and then reboot to see if it works. $100 goes to the first person that gives me a desktop widget to switch between 2G, 3G, or auto – there’s other things I should probably be working on before reverse-engineering Android apps If it turns out that either one gets done by me (presumably because I find some spare time) then the EFF can have the winnings…
Practical Cellphone Spying
Slides (OpenOffice) from my Defcon talk – hopefully video will be coming soon as well.
A few notes about the demo and results.
Firstly, power output. I was transmitting a total of 25 milliwatts – for a point of comparison that’s about as much power as a typical LED while a small flashlight consumes over a hundred times more. My antennas have 13dBi forward gain, giving me an EIRP of half a watt. That’s really not much power at all; I’ve heard from several people that the signal couldn’t be picked up at the back of the room. This was deliberate – I kept the effective range as small as possible to limit the chance of catching a cellphone whose owner hadn’t been informed about the demo. I suspect that many, many more handsets would have connected if I’d used even marginally more power.
During the talk at least 30 handsets connected to my tower; there were probably many more than this but the logs were all destroyed on-stage (I broke the USB key into several pieces – last I heard Agent X had the remains). Logged data included IMSI, IMEI, all numbers that were dialed, and of course audio recordings of all calls made (a total of 17 calls were connected during the talk). I don’t know how many calls were attempted; it’s possible that many more people may have heard the warning and hung up before Asterisk tried to connect the call. I’ve not heard from anyone that they saw any kind of warning on their handsets despite the lack of encryption on my network.
A couple of defenses: AT&T apparently have a service offering voice & SMS encryption, I can’t find much more info on it and it’s reportedly only available to business and government users. I’d very much like to see it deployed more widely; it’s a good approach to the security problems in GSM (assuming it works as stated). Blackberry is another good option – they add a second layer of crypto for data (not sure if it adds anything for voice) and I’ve been told they have a setting to disable 2G. This is a Very Good Thing; I’d love to see someone add this setting to Android as well if it’s at all possible. In the medium to long term GSM simply needs to be turned off; it’d be more work to fix it than it would be to upgrade (given that 3G/3.5G/3.9G/4G are all available, are being deployed now, and offer far superior security).
Some points about the legal shenanigans that surrounded this talk. I never heard first-hand that AT&T were planning to sue; the rumour certainly came to me from a credible source (meaning I had to take it seriously) but I’m very glad it turned out to be incorrect. I’d like to thank the FCC for taking the time to talk to me on such short notice; while it certainly would have been nice if they had expressed any kind of opinion about the demo I at least appreciated the opportunity to hear their concerns about the talk and explain the mitigations that had been put in place. Talking to the feds in advance of such a big event is always a great option, and I was glad to have the opportunity to do so here.
Finally, I’d like to say a really big thankyou to the EFF; without their assistance the talk would not have gone ahead (the demo certainly wouldn’t have). If you want to see more work like mine at more venues like Defcon, go ahead and donate. They’re worth it
//edit: I also owe a big thankyou to the Goons (many of whom aren’t actually listed on that page). They did an absolutely superb job with helping me lug all my gear around, find places to set up and people to assist, and generally making everything go. Ply them with alcohol at every possible opportunity – they put in an amazing amount of effort at Defcon and really don’t get to enjoy the show much. Thanks, guys
Extreme-Range RFID
Now that I’ve given the first of my Vegas talks I wanted to post everything online for anyone who couldn’t attend in person.
Slides are here (OpenOffice format)
Whitepaper is here (PDF)
ID-Me
217 feet is the range I set; I believe that’s a world record (beating both the 69 feet from Flexilis at Defcon 13 and the 65 meters claimed by ThingMagic in a Google Tech Talk). My equipment is capable of far more but I hit the limit of my range; a chainlink fence a few hundred yards away was reflecting the RF power, meaning that more power led to greater interference and hence lower range. That 217 feet used just 10W of RF power; my current amp is rated at 70W and will probably deliver a hundred watts if it’s cranked right up – it should be plenty capable of 500+ feet reads.
I’m keen to demo this in-person while in Vegas; the demos at the talk are always constrained by the room (again, reflections from the chairs, the people, and the back wall of the room) so if someone can come up with a suitable place to test I’m happy to demo multi-hundred-feet reads. I suspect that the top of a building would be ideal; reflections from the ground should be directed outward and not pose a problem (it’s also worth noting that the commercial reader I started with has a lot less problem with reflections, however it’s not legal to just amplify the signal directly for reasons I discuss in the talk).
If anyone has ideas on how to set this up please get in touch; if all else fails I’ll try to get the folks from Guinness World Records to officially certify the read range, and/or set up a demo for press back in California at a later date.
Additionally I’m going to run an RFID read range competition at Defcon next year (details to come at Defcon). I had a huge amount of fun playing with this stuff, I learned a lot, and can think of about a thousand ways to improve on my own record. Think you can do better? Do it – and bring the results to Defcon next year!
Defcon update
Unfortunately, I’ve heard that AT&T may be considering suing me to stop my talk. I can’t understand why this would be the case, and I hope that if it’s true, they will contact me first to discuss their concerns.
Let me clarify some things about my talk. First, I’m not doing anything to AT&T’s or any other network. I’m just going to do a demonstration of my attack. It will not affect the 911 service. Nor will it interfere with anyone’s ability to call 911 unless you’re both in (or near) the demonstration room and also have a GSM phone. The demo will not affect people on Sprint or Verizon or any CDMA network. If you’re nowhere near the Riviera you won’t be affected.
So if you’re in the room, need to dial 911 and you have a GSM phone you can just raise your hand and shout. In the extremely unlikely situation that someone near the room with a GSM phone connects to my demo network and also needs to dial 911, I am taking the extra precaution of ensuring that that person will be connected to someone local who can call for or send help.
I wanted to be clear that the EFF haven’t just given me carte blanche here. I doubt they’ll ever say “Intercepting cellphone calls is perfectly fine as long as you do X Y and Z” – what I’ve done with their help is try to work out a way to minimize any legal risk associated with the demo, and to do it safely, so that I can show people an important problem with GSM. I wouldn’t say I have EFF’s “stamp of approval” on the demo, but they’ve certainly offered plenty of helpful advice and I’ve been trying to take all of it.
The EFF have also asked not to be involved in the data destruction. I’m open to suggestions for a trusted third-party to either destroy the logs generated during my demonstration or verify that they’re wiped.
Hopefully that’ll explain my talk to anyone with safety concerns and head off any unnecessary and unfortunate legal actions. I’m open to talking further with AT&T or anyone about this. Here’s hoping for no major hiccups…
Privacy concerns at Defcon
I’m planning to give a pretty spectacular demonstration of cellphone insecurity at Defcon, where I will intercept the cellular phone calls of the audience without any action required on their part. As you can imagine, intercepting cellphone calls is a Very Big Deal so I wanted to announce at least some of the plan to reassure everyone of their privacy.
First and foremost – I’m not just making this stuff up. I know when to get advice from a good lawyer, and in this case I’m taking the advice of the very best there is: the EFF. They’ve been kind enough to offer their help and I’m taking it – this is what we’ve worked out.
1. If you’re in an area where your cellphone calls might be intercepted, there will be prominent warning signs about the demo including the time and date as well as a URL for more info. This will be the only time when unknown handsets will be allowed to connect; at all other times only pre-registered handsets will be granted access. You will be clearly warned that by using your cellphone during the demo you are consenting to the interception, and that you should turn your cellphone off during that time if you do not consent. A recorded message with essentially the same info will also be played whenever a call is made from the demo network.
2. The demo itself will be performed from a machine with no hard drive, only a USB key for local storage. At the end of the demo this USB key (including all logs, recordings, and other data) will be handed over to the EFF for destruction. No logs, recordings or other data will be exported from the machine except as necessary to connect calls during operation.
3. Transmit power will be kept to a maximum of 250mW (for comparison, a handset is typically 2W) and will comply with all relevant FCC regulations to operate in the band.
4. At all times, for all connected handsets, a best-effort will be made to connect calls successfully to their destination. It is unlikely that any 911 service can be provided, however a best effort will be made to connect any emergency calls to a suitable local destination.
Also, to be clear, my demonstration should not affect handsets on Verizon or Sprint in any way. The technology I’m working with is GSM and these are not GSM networks; if your handset is not capable of GSM (it must have a SIM card) then it will not possible for your calls to be intercepted by my equipment. That said, I invite all of my attendees to bring a GSM cellphone with them and participate – the more the merrier!
Illegally detained by Costco
I’ve never been a fan of “bag-checkers” at store exits – I value the rights that the 4th amendment gives me and I object to waiting in line to be searched like a criminal. So, when leaving the Costco in Mountain View today I ignored the queue for the search squad and walked straight out the door, with my usual “no thanks” as I left. It’s the same approach I’ve adopted at all stores that try to execute searches; it usually serves me well.
In this case though, I was set upon by 3 employees (eventually including the manager, a chap named German) who grabbed hold of my cart and refused to let me leave until they had seen not only my receipt and the contents of my cart, but also wanted to see inside my handbag (which was in the cart). Nuh-uh, no way, not gonna happen – I was told that it was store policy to “check receipts to ensure that I hadn’t been charged twice for anything” and everyone insisted that it had nothing to do with theft prevention. This despite the manager stating clearly that if he had noticed a DVD in my purse while “checking my receipt” he would have assumed it was stolen and acted accordingly.
After 20 minutes of arguing back and forth with them (during which time I wasn’t allowed to leave, just stand out the front of the store), I eventually gave up and tried to show him my receipt (since he claimed to no longer care about the contents of my bag); he then tried to argue that he didn’t care about my receipt either and that I had been free to leave the whole time. I didn’t need to be told twice so I started walking towards my car; I got as far as unloading the cart into my trunk before the police showed up.
I don’t know if it’s just Mountain View PD or all cops, but this guy really wasn’t happy when I declined to show him my ID or give him my name. I tried to explain that I had declined the search initially but later had offered both the receipts and the trolley contents, and the whole time I had just been trying to leave – by this time the manager and I were both rather riled up, and leaving seemed the most sensible way to defuse things. Again though, the manager claimed he had never detained me and that I had been free to leave the whole time, despite the security guard grabbing my cart (as provable by the security cameras outside the store, if you believe it’s possible to ever get hold of the footage). The cop had spent the walk over to my car being talked at by the store manager and was further irritated by my refusal to show ID, so started raising his voice as well – I got to listen to two more lectures (one from the cop and another from the manager) about “store policies”, despite my repeatedly stated wish to just leave with the goods I paid for. The manager kept saying I was free to leave, I kept saying that I wanted to leave, and the cop kept demanding that I stay put and listen to it all over again.
So here it is. According to the store manager, “company policy” states that you are required to show your receipt upon leaving the store. I’m no lawyer but the law here is pretty clear – Stores are not allowed to search you or your personal belongings when you leave – they are also not allowed to detain you for refusing the search. In my case they only grabbed the trolley, not me – the latter would probably constitute assault if you really wanted to press the issue. If you value your civil rights I recommend taking a large bag with you if you’re forced to shop at Costco. Place your goods in the bag at the till and just walk out the door – they are not allowed to look in your bag unless you let them, and they’re not allowed to detain you if you choose not to let them look. You’re also not required to show ID if they call the cops – police cannot compel you to show ID unless they have probable cause to believe a crime was committed, and refusing a search doesn’t give them the probable cause they need.
Could I have handled it more calmly? Yeah, dropping the F-bomb in front of an irritated cop probably wasn’t the best idea. Is it possible the store manager wasn’t actually told that I was prevented from leaving? Maybe – it’s possible he thought I just wanted to hang out for a half-hour arguing with people. Did anyone in this situation (even the cops) have the right to search my bag, stop me from leaving, or produce ID? No, they did not.
Know your rights, people – don’t stand for this crap. Sure it’s only Costco, but it’s conditioning people to just blindly accept the erosion of their civil rights, and that’s simply wrong. The 4th amendment is a beautiful thing – in my opinion it’s worth the half-hour of hassle to defend it.
//edit: jandrick pointed out that on page 29 of the costco membership agreement there’s a pretty-much unconditional consent to search. Well I guess I’m breaking that rule – if it’s enough of a problem then Costco can feel free to revoke my membership for doing so. However, they still can’t detain me unless they actually see me commit a crime, and refusing a search (while a possible breach of the member agreement) is not a crime.
AT&T do it right
In an article at the Wall Street Journal about the iPad ICCID breach, AT&T CEO Randall Stephenson said that they will give a new SIM card to anyone who asks. This is absolutely the right thing to do – kudos is due to both Mr Stephenson and to AT&T for their response here. Thankyou – you just gained a fan.
Here’s the thing. When Adobe or Microsoft or Mozilla or any other software company suffers a security problem, the solution to it is a patch. It may take a while to develop and test that patch, and it may require immense bandwidth to deliver that patch, but the cost to deploy that patch is essentially the same no matter how many people were affected. Develop the patch once and it doesn’t matter whether you deliver it to a hundred people or a million people – the cost is essentially the same.
Compare that to the breach of SIM card information, as was the case with AT&T. A SIM card is hardware – it’s an actual thing, with real tangible costs associated with that. Once AT&T figured out how they were going to “patch” (or in this case, how to allow their subscribers to change their IMSIs – no trivial matter) there’s then a non-zero cost per user. A ball-park guess would be $5 for the SIM itself (the physical chip plus the cost of provisioning it in the backend), plus another $5 to cover packaging materials, postage costs, and the inevitable tech-support calls when things don’t go right at the consumers end. $10 per SIM multiplied by 114000 users and you’re at $1.1M to “patch” this vulnerability – I’d wager that’s more expensive than any patch developed by any software company, ever (although fairly small compared to security breaches).
Did AT&T bring this on themselves by associating the ICCID and IMSI like this in the first place? Yes they did, but then so does every other US cellular operator (although it’s apparently rare in Europe) – AT&T were just unlucky enough to get caught out first. They also did this probably 20 years ago or more, and it might even have been a reasonable decision at the time – I really can’t fault them for designing their network this way, although I would argue that it’s long past time to fix it.
The important point here is that AT&T have set a precedent: if your IMSI is compromised by an attacker, you’re entitled to a new SIM card. Fortunately for AT&T (this time) the SIM card is easy to replace on an iPad, but there’s many other devices that aren’t so easy. iPhones are the obvious first mention, but what about all the embedded systems that use GSM for backhaul? Burglar alarm panels, ebook readers, point-of-sale systems – many of these have deliberately inaccessible SIM cards. If these IMSIs were compromised it could require a service engineer to dismantle each device in person to replace the SIM cards, costing hundreds of dollars per subscriber. That gets expensive really quickly.
So again, thank you AT&T and thank you Mr Randall Stephenson. You’ve set an important precedent here, one that will likely end up costing someone a very large sum of money after the next hardware breach. That said, it’s the right thing for the industry and it’s the right thing for your consumers. Good on you.