Category Archives: Security

SB 914 or leave your cell phone at home

When I was last in Rio de Janeiro, Brazil, I had two cell phones. One I kept with me during the day and in safe areas. The other was a cheap old one with no data and no logs that I could use at night and in areas where I was uncertain about losing control of the portable electronic devices I carried. This was normal practice in Rio. Californians may find themselves facing a similar situation for different reasons.

The recent California Supreme Court decision on cell phone searches means a law enforcement officer can review all information on an electronic device as part of an arrest, including call logs and messages. It is now argued that warrantless search has been legalized in California — a cell phone can be searched without criminal charges having been filed and without any need to prove relevance to the arrest.

The California Supreme Court, in People v. [Gregory] Diaz, 51 Cal.4th 84 (2011), held that the information in these [portable electronic] devices may be subject to search incident to an arrest without a warrant or other judicial supervision.

An arrestee already could be searched by law enforcement under circumstances of officer safety and to protect evidence against destruction. However, contents of memory and disk, such as with cell phones, generally were not included in the search.

Prior to the California Supreme Court decision, a warrantless search of electronics during an arrest was widely believed to be prohibited by state constitutional privacy protections in the public access “Shield Law” and in conflict with Penal Code 1524. Also, other state supreme courts (Ohio) have ruled specifically that cell phone searches require a warrant, while federal law enforcement agencies follow a protocol that requires a warrant for cell phone searches.

Senate Bill 914 subsequently was introduced (updated July 1, 2011) in an attempt by the state legislature to clarify that portable electronic devices can be accessed only with a warrant, except in circumstances of an immediate threat to public safety or to an arresting officer.

It is the intent of the Legislature in enacting Section 1542.5 of the Penal Code to reject as a matter of California statutory law the rule under the Fourth Amendment to the United States Constitution announced by the California Supreme Court in People v. Diaz. The Legislature finds that once in the exclusive control of the police, cellular telephones do not ordinarily pose a threat to officer safety. The Legislature declares that concerns about destruction of evidence on a cellular telephone can ordinarily be addressed through simple evidence preservation methods and prompt application to a magistrate for a search warrant and, therefore, do not justify a blanket exception to the warrant requirement. Moreover, good forensic evidence practice supports the use of search warrants to obtain information contained in a cellular telephone seized incident to arrest. Except as otherwise stated in this section, it is not the intent of the Legislature to curtail law enforcement reliance on standard established exceptions to the warrant requirement.

SB 914 last week passed the Assembly Public Safety Committee with a 5-0 vote.

Nietzsche at DefCon19

Friedrich Nietzsche will be showing up in two presentations at DEFCON this year. Last month I offered a translation of his Aphorism 146 from Jenseits von Gut und Böse (1886):

He who fights with monsters must see to it that he does not thereby become a monster. And if you look for long into an abyss the abyss also looks into you.

Not everyone agrees on the translation, obviously. Here are the talk titles.

  • “Whoever Fights Monsters…” Confronting Aaron Barr, Anonymous, and Ourselves
  • Staring into the Abyss: The Dark Side of Crime-fighting, Security, and Professional Intelligence

The philosopher argued that it takes courage and strength to live authentically, to find a path of one’s own choosing rather than follow the groups and organizations that offer an “escape”.

He exaggerated his case to make a point, but the point still seems to have survived. It will be interesting to see if the presenters try to reconcile his harsh critiques of patriotism and regulation, or even his critique of the environment in which they are presenting.

Automated Shoulder Surfing iPad Passwords

A PDF is available from thinkst with details on how to shoulder surf the iPad.

It points out that the keypad buttons glow when selected, defeating the mask of the password field. They have released an application to drive the risk home — a camera records the keys that glow.

Even better, they have referenced the movie Sneakers to point out that this is a simple and known threat. Kudos to them for not claiming any sophistication in their threat. It’s a simple and well-known attack and that is what makes it so annoyingly dangerous to use the Apple product.

This image about how to type a PIN should look very familiar.

Hide your keys

Back to the PDF, this section caught my eye:

We have long realised the danger of having passwords stolen through shoulder surfing attacks which is why it is truly rare to find an application that fails to mask the password on screen.
[…]

We take the fact that password masking is so ubiquitous as the obvious acknowledgement of shoulder surfing as a viable attack method.

Few people probably realize how lucky we are to have those passwords masked. When I worked on television and mobile authentication user interface security for many millions of devices one of my toughest jobs was to convince the developers and product managers to hide passwords. They did not want to do it and they had some good reasons to resist.

I would always hear the argument that making it easier to see the password when typing on a small screen, a small keypad, a keypad on a big screen, using a joystick, etc. meant fewer support/helpdesk tickets. The cost was palpable.

Take one mobile interface, for example. I argued that the character entered should immediately be masked, just like the typical computer interface. The product manager responded with some user behavior data linked to cost — showing the character entered until the next character was entered reduced helpdesk calls related to passwords by more than 30%, with a cost per call said to be $10-15. That adds up quickly for tens of thousands of devices.

We ended up masking the character as soon as the next character was entered or after 1 second, whichever came first. That reduced the chance of exposure from shoulder surfing while still allowing us to force complex passwords. The only way I was going to get to constant masking was to reduce complexity (e.g. no uppercase, no symbols). Trade-offs and calculations of masking were hard, to say the least.
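The delayed-masking rule described above (a typed character stays readable until the next keystroke or until one second passes, whichever comes first) is easy to state but worth seeing as code, because the exposure window it creates is what a shoulder surfer gets to work with. The following is an added illustration, not code from this post or from any product mentioned in it; the keystroke timestamps are constructed, and the `render` and `exposure_windows` functions are my own names.

```python
"""Delayed password masking as a pure function of keystroke timing.

Added example (not from the post or any vendor). Models two policies:
  - constant masking: every character is masked the moment it is typed
  - delayed masking:  the most recent character is shown in the clear until
                      the next keystroke arrives or MASK_DELAY_SEC elapses,
                      whichever comes first (the post's compromise)
"""
from dataclasses import dataclass
from typing import List

MASK_CHAR = "•"
MASK_DELAY_SEC = 1.0  # the "after 1 second" part of the rule


@dataclass(frozen=True)
class Keystroke:
    char: str
    t: float  # seconds since the field was focused (constructed values below)


def render(keystrokes: List[Keystroke], now: float,
           delay: float = MASK_DELAY_SEC, constant_mask: bool = False) -> str:
    """Return the string the password field displays at time `now`."""
    typed = [k for k in keystrokes if k.t <= now]
    if not typed:
        return ""
    out = [MASK_CHAR] * len(typed)
    last = typed[-1]
    # Only the newest character can ever be visible, and only while it is
    # younger than `delay`. Constant masking never shows anything.
    if not constant_mask and now - last.t < delay:
        out[-1] = last.char
    return "".join(out)


def exposure_windows(keystrokes: List[Keystroke],
                     delay: float = MASK_DELAY_SEC) -> List[float]:
    """Seconds each character is readable on screen under delayed masking.

    A character is exposed until the next keystroke or until `delay` passes,
    so a slow typist (long gaps) leaks every character for the full delay,
    while a fast typist leaks each one only for the gap to the next key.
    """
    windows = []
    for i, k in enumerate(keystrokes):
        next_t = keystrokes[i + 1].t if i + 1 < len(keystrokes) else float("inf")
        windows.append(round(min(delay, next_t - k.t), 6))
    return windows


# Constructed sample: the string "Pa$5" typed with uneven gaps.
SAMPLE = [Keystroke("P", 0.0), Keystroke("a", 0.4),
          Keystroke("$", 1.8), Keystroke("5", 2.1)]

if __name__ == "__main__":
    for t in (0.2, 0.5, 1.5, 1.9, 2.2, 3.5):
        print(f"t={t:<4} delayed={render(SAMPLE, t)!r:8} "
              f"constant={render(SAMPLE, t, constant_mask=True)!r}")
    print("exposure per character (s):", exposure_windows(SAMPLE))
    print("total exposure (s):", round(sum(exposure_windows(SAMPLE)), 6))
```

Running it shows the trade-off in numbers: with the sample timing the second and fourth characters are exposed for the full second because the typist paused, while the first and third are exposed only for the short gap before the next key. Constant masking drives every window to zero, which is exactly the helpdesk-cost argument the product manager was making against it.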

The threat models for mobile devices always led to shared spaces, especially transportation that forced closeness. Imagine sitting in the narrow seats of public transportation in Philadelphia or New York. Yes, I’ve even researched the space allocated between passengers. Did you know that San Francisco’s BART has the most space between passengers — anti-shoulder surfing or just wasted space? Airplanes and buses have the additional problem of rows facing the same direction but airplanes are especially bad because of the space between seats that allows for peering eyes to look through…

That is all for mobile devices that people carry with them. Giant televisions and projectors are another story entirely. Imagine inviting all your friends over to watch a movie. Then, just as you are about to start up Netflix, you get a message from the Playstation network that it needs you to change your password (no fault of your own, it’s because they were hacked). So you sit in a big room with a big screen and slowly use a joystick to enter your password. The keys you select are illuminated on the screen for everyone to stare at and see. Do you ask everyone to come back in five minutes?

I actually wrote a solution to this problem and patented it, but I still see consoles (e.g. Netflix on Playstation) that illuminate your keystrokes and thereby display your actual password to everyone. Perhaps the thinkst story will generate more demand for use of the patented authentication mechanism. In brief, I proposed a token system that had a password for initial registration but a simplified identification system later for unique input devices like joysticks, phone keypads and touchscreens.

Imagine logging into the Playstation network by using a token and the joystick button sequence “XO^X->”, for example. If people can figure it out for easter eggs and cheats, I knew they could use it to log in. I mean, why not set up your system to log in with your RockBand Guitar? The point of the patent was to leverage the universal input capabilities of devices and tie it to a token created on a computer, rather than try to pound everything into being more like a keyboard.

The designers and product managers at Apple probably thought they were doing users a favor by illuminating keys pressed in order to simulate the feedback of a physical keyboard. And then the other product companies, while copying (should I say “embracing and extending”?) the Apple touch interface (Android/RIM), unfortunately also copied the illumination aspect of the keypad. It’s good that they masked the password, but they should have thought more about the risk. Then again, I wouldn’t consider Apple product design suitable for an environment with any real risk. That’s not really what they’re designed for…

Ever notice that Apple’s iPad marketing campaign has them floating in some kind of utopian emptiness of just one superuser?

No perspective on who might be looking over your shoulder; no uncontrolled environments…you don’t see any messaging about product design from them related to real-world risks, especially not like this:

Tough

Full disclosure: I own a Panasonic Toughbook. It’s the best laptop I’ve ever owned. I’ve sold all my Apple products and don’t miss fixing them.

Microsoft Fights Porn Searches

Computerworld, via CSO, is claiming that people searching for porn are “attacking” Microsoft’s platform with “poison”.

Microsoft on Saturday disabled the search tool on its Safety & Security Center after attackers poisoned results with links to pornographic URLs.

[…]

Although search poisoning is not unusual — it’s a well-worn tactic by those hoping to spread malware and dupe users into visiting scamming sites — this is different, said [CEO of Sunbelt Software] Eckelberry.

“This is crafty,” Eckelberry said today in an interview. “This isn’t normal search poisoning. It’s poisoning the results with actual searches. Users were getting back a prior search as a search result.”

Now you know a “crafty” way to “poison” search statistics — search for something.

Nowhere in the story does anyone mention that searches for porn are expected to be a huge percentage of total search results. Meanwhile the recent news from Nepal, which has tried to ban porn, is that search statistics show porn is popular.

Despite the August 2010 Home Ministry ban on pornographic websites in Nepal, the number of Nepali internet users surfing pornographic contents online has not dwindled.

Currently, the number of porn content seekers on Google—the most popular search engine—stands at a staggering growth rate of over 140 percent.

The Microsoft attack is described by CSO like this:

By repeatedly searching for sites using pre-selected phrases — “sex” and “girl,” for example — on the Safety & Security Center, criminals tricked the site into saving those searches, which then popped up near the top of the results of any subsequent searches by others.

Now consider that the Nepal news is written like this:

Google states the searches are often done with titles such as “hot babes”, “beautiful girls”, “cute hotties”, “sexy models wallpapers” and “bollywood babes”. […] Searches for naked and vulgar images have also rocketed to around 90 percent in the last few years.

So was the Microsoft site actually “tricked” or was it reflecting a predictable search statistic as a result of an open policy on results?

Eckelberry does not explain whether the saved searches were linked to actual human searches or to falsified (i.e. automated) accounts. The article speculates that a Twitter feed may have been related to the surge, but it also sounds like a search engine ranked porn pages as popular when a lot of users searched for porn. That means they could have called it a search engine data point on behavior (i.e. Nepal’s news) instead of an attack. The CSO story follows the trend of experts who like to call attacks “sophisticated” or “crafty” without offering any guidance on what that really means relative to daily threats/behavior.
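The mechanism CSO describes, saving searches and surfacing the most frequent ones near the top of later results, is a ranking design question more than an attack, and the question the post raises (real users or one repeating source?) is exactly the signal a site would need to look at. The following is an added example, not code from this post, from Microsoft or from Sunbelt. The search log is constructed, and the client ids stand in for whatever per-user signal a real site has (session cookie, account, source address); the function names are my own.

```python
"""Ranking "popular searches" by raw volume versus by distinct clients.

Added example (not from the post or any company it names). Shows why a
ranking that counts every submitted search lets one repeating source push
its terms to the top, and how counting distinct clients plus a minimum
distinct-client floor separates "many people searched this" from "one
source searched this many times". It also flags queries dominated by a
single client, which is the data point the article never reports.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed search log: (client_id, query). One client, c1, repeats two
# terms many times; a handful of distinct clients each search once.
SEARCH_LOG: List[Tuple[str, str]] = (
    [("c1", "sex")] * 40
    + [("c1", "girl")] * 35
    + [(f"c{i}", "phishing") for i in range(2, 12)]   # 10 distinct clients
    + [(f"c{i}", "firewall") for i in range(12, 18)]  # 6 distinct clients
    + [("c2", "sex")]                                  # one real second client
)


def rank_by_volume(log: List[Tuple[str, str]], top: int = 3) -> List[str]:
    """Naive ranking: every submitted search counts, repeats included."""
    return [q for q, _ in Counter(q for _, q in log).most_common(top)]


def rank_by_distinct_clients(log: List[Tuple[str, str]], top: int = 3,
                             min_clients: int = 3) -> List[str]:
    """Count each client at most once per query, and require at least
    `min_clients` distinct clients before a query may be surfaced at all."""
    clients: Dict[str, set] = defaultdict(set)
    for cid, q in log:
        clients[q].add(cid)
    eligible = {q: len(c) for q, c in clients.items() if len(c) >= min_clients}
    ordered = sorted(eligible.items(), key=lambda kv: (-kv[1], kv[0]))
    return [q for q, _ in ordered[:top]]


def dominated_queries(log: List[Tuple[str, str]],
                      max_share: float = 0.5) -> List[str]:
    """Queries where a single client accounts for more than `max_share` of
    that query's volume: the 'repeated searches from one source' pattern."""
    per_query: Dict[str, Counter] = defaultdict(Counter)
    for cid, q in log:
        per_query[q][cid] += 1
    flagged = []
    for q, by_client in per_query.items():
        top_client_hits = by_client.most_common(1)[0][1]
        if top_client_hits / sum(by_client.values()) > max_share:
            flagged.append(q)
    return sorted(flagged)


def volume_and_clients(log: List[Tuple[str, str]]) -> Dict[str, Tuple[int, int]]:
    """query -> (total searches, distinct clients), for inspection."""
    vol = Counter(q for _, q in log)
    clients: Dict[str, set] = defaultdict(set)
    for cid, q in log:
        clients[q].add(cid)
    return {q: (vol[q], len(clients[q])) for q in vol}


if __name__ == "__main__":
    print("volume ranking:   ", rank_by_volume(SEARCH_LOG))
    print("distinct ranking: ", rank_by_distinct_clients(SEARCH_LOG))
    print("single-client dominated:", dominated_queries(SEARCH_LOG))
    for q, (v, c) in sorted(volume_and_clients(SEARCH_LOG).items()):
        print(f"  {q:10} searches={v:3} distinct_clients={c}")
```

The distinct-client version does not decide whether a term is "bad"; it only refuses to promote a term on the strength of one source repeating it. If many genuinely different users search the same term, as the Nepal statistics suggest they do, that term still ranks, which is the post's point: the site behaved as designed, and the open question is what the design should surface.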