How I became part of an invisible hacking revolution.
By Eh’den Biber
Remark – In contrary to my other writings (e.g. “making privacy great again”), this is going to be an evolving story. It means that I will be continuously updating it. Also, I plan to record it as a podcast so you could listen to it rather than read it.
2017-05-14 – V01 – Long Drive + The Revolution
2017-05-15 – V02 – Stealing Fire + The Guinee Pig
2017-05-15 – V03 – Ecstasis + Lost in the Rain + The Sacred Four
2017-05-21 – V04 – Frederick + Mad Intelligence
Prologue – Long drive
13 years ago, when my youngest son Rephael was three and half years old, my ex-wife and I arrived to a Belgian hospital to hear the diagnostic of his condition. After months of observations and tests the result came in, and even though I remember everything that was said, looking back I realise that at that time I had no ability to grasp their meaning: “Your son has severe autism. It will never go away, it will not improve. You will never be able to communicate with him, you will never be able to send him to a normal school. Your son will never be able to be independent, your son will need to be in a mental institute when he will grow up.”
Blackphone as an allegory to why the bad guys are winning, a step-by-step guide to unlocking your device, and to whom you should say “you’re welcome!”.
By Eh’den Biber
First of all, my apologies for the delay in writing. It was totally unintended, but life, as you all know, have a comic view of our perception that we are in control of it. We are funny.
So, back to the Blackphone. I must admit that I’m surprised with what I learned. It’s so true that until we experience something as a personal experience knowing about facts that are related to that experience are meaningless. A total colour-blindness, non-ability to grasp the vast spectrum of radiation most of us can do naturally.
But before we begin with the boot story, let me just highlight a surprising point – if you wanted a proof that no one cares about security, INCLUDING security people, take a look at the vast security reviews that were performed so far on the phone. I know, nothing out there.
The Awareness lessons Matt Damon Had Taught Me.
By Eh’den Biber
(This is part 3 in a series of articles I’m publishing about my investigation into the security of the Silent Circle Blackphone 2. I case you missed them, I invite you to read part 1 and part 2)…
Now that I have received the Blackphone 2 I was facing a dilemma – what would be the best way to investigate it? To answer that, I decided to ask myself what would Matt Demon do if he was me.
(to those who miss, here is part 1…)
Everyone wants to be secure, or so it seems, and that what makes the whole story of Silent Circle so sad. A group of extremely talented people (Phil Zimmerman (PGP), Jon Callas (Apple, OpenPGP), Mike Kershaw (Kismet) etc.) gathered and created Silent Circle… and developed phone that will be secure and focus on your privacy. The first phone, the Blackphone 1 was too slow and too restrictive, so Blackphone 2 came along and provided a much-needed boost in terms of usability and performance to clients who want to have a phone that gives them android experience. Blackberry did the same when they decided to ditch their own OS and move to the android domain, and … both seems to have failed to gain substantial market share. But don’t blame the players, blame the game – we live in a world where people talk about privacy like Trump is talking about America – endless use of slogans which are driven by personal motives.
Ever since my last post I’ve been more silent than usual. The reason for it was a phone called Blackphone 2 or BP2 , a “Private by Design” product of a company called Silent Circle.
What made me extremely interested in the product was the fact that in January Silent Circle started to brick phones which were not authorised for sale by them. You can read about it here.
I decided to go out and buy two units and see what they did it, and how can you bypass it.
There was one tiny problem – I’m not a mobile phone security expert, and while I can tell you as a security oriented end user that Android security sucks I couldn’t really pinpoint the elements which made it so bad. Sure, there is so many videos and guides out there that teaches you the ins-and-outs of an android system, and also discuss the security aspects of it but I decided to choose a different path. As you know (from my previous posts) I’m extremely interested in the subject of awareness, and my view is that the best path for learning is failure in a secure environment that allows you to fail. I did, for almost a month. My secure environment is my beautiful wife who allowed me to bring the phones to the bedroom, suffered heroically the sounds that came from my computer and the phone throughout many nights, and completely supported me. Most other partners would have been voting to brexit me out from the bedroom to the living room until my insanity will pass.
It’s been a fascinating journey, and a painful one. I had days with zero progress, days with total setback, and days that I just wanted to smash the darn devices on the wall and get my life back. I didn’t. It reminded me how hard it is to learn something totally new, and how easy it is to make mistakes that are driven by a lack of understanding, and how easy it is to be afraid to admit it and get yourself into even bigger trouble. While it would have made much more sense to read a book or go via a training I wanted to see life is indeed so counter intuitive to our human logic.
See you soon…in part 2
If you have good knowledge about android application security, please contact me. I still have some unanswered questions 😉