84 stories
·
2 followers

Leaked Documents Show What Phones Secretive Tech ‘Graykey’ Can Unlock

1 Share

The Graykey, a phone unlocking and forensics tool that is used by law enforcement around the world, is only able to retrieve partial data from all modern iPhones that run iOS 18 or iOS 18.0.1, which are two recently released versions of Apple’s mobile operating system, according to documents describing the tool’s capabilities in granular detail obtained by 404 Media. The documents do not appear to contain information about what Graykey can access from the public release of iOS 18.1, which was released on October 28.

The leak is unprecedented for Grayshift, the highly secretive company which made the Graykey before being acquired by Magnet Forensics, another digital forensics company. Although one of its main competitors Cellebrite has faced similar leaks before, this is the first time that anyone has published which phones the Graykey is able, or unable, to access. 

The documents, which also break down the Graykey’s capabilities against Android devices, provide never-before-seen insight into the current cat-and-mouse game between forensics and exploit development companies like Magnet and phone manufacturers Apple and Google. 

With iOS 18.0, released to the public on September 16, Graykey has “partial” access to data from the iPhone 12 right up to the latest iPhone 16 series. The same is true for those iPhones running iOS 18.0.1, which was released on October 3, according to the document. 

The document does not list what exact types of data are included in a “partial” retrieval and Magnet declined to comment on what data is included in one. In 2018, Forbes reported that a partial extraction can only draw out unencrypted files and some metadata, including file sizes and folder structures.

Still, the new document indicates Graykey is not able to obtain all of the data from modern iPhones. 

A screenshot of one of the documents showing Graykey capabilities against iPhones running iOS 18.0 and 18.0.1.

Graykey has much less capability with iPhones running beta builds, with the document saying “None” for various betas of 18.1 across all modern iPhone iterations. It is not clear if this is because at the time of the document’s creation Magnet researchers had not invested time into developing attacks against 18.1, or if 18.1 presented a significant security upgrade.

Apple has not released official figures for how many iPhones are running iOS 18 or 18.1. In an interview with CNBC in October, Apple CEO Tim Cook said that users had been adopting 18.1 at “twice the rate” they had with 17.1. 

The Graykey’s capabilities against Android devices are more mixed, likely due to the high level of variance between different Android devices which are made by a wide spread of companies. With Google’s own Pixel range of phones, the Graykey is able to only extract partial data on the most recent Pixel devices, including the Pixel 9 released in August, according to the document. This is specifically when the phone is in an After First Unlock (AFU) state, which is when somebody, which in many cases could be the phone’s owner, has unlocked the device at least once since it was powered on. That document shows capabilities up until October.

404 Media spoke to Andrew Garrett, CEO of digital forensics company Garrett Discovery, whose company often works on court cases that use evidence taken from mobile phones. “Garrett Discovery experts work on more than 500 criminal defense cases each year and this list is consistent with the capabilities and reporting from the GrayKey software,” Garrett said in an email.

404 Media also showed the iPhone document to a forensics industry source who has previously used Graykey. They said the document looked similar to what they have seen before, although they could not verify its current capabilities.

The documents make multiple references to version numbers of “AppLogic,” which is a term used by Magnet. In one job listing available online, Magnet writes that “the GrayKey AppLogic Team is growing! With this growth, we are looking for an individual that can help us integrate across more of the Magnet Forensics product lines.” Magnet’s website also links to documentation about AppLogic that is behind a login wall.

404 Media also cross-referenced capabilities listed in the documents with snippets of information available online. For example, the Department of Homeland Security tested Graykey in 2022 and found it could extract full data from an iPhone 11 running iOS 15.1. The document also says this. Magnet has also regularly announced it has been able to access previous iOS versions over the years, including 16 and 17.

A screenshot of one of the documents showing Graykey capabilities against iPhones running versions of iOS 17.

Earlier this year, 404 Media reported on a similar leak from Magnet competitor Cellebrite. Those documents showed that Cellebrite was unable to retrieve data from a sizable chunk of modern iPhones as of April 2024. Shortly after, a user on a privacy-focused forum posted another updated set of apparent Cellebrite documents, which showed that the company had caught up somewhat and was able to retrieve data from devices running iOS 17.5 and iOS 17.5.1.

In other words, although tools like Graykey or Cellebrite may not be able to retrieve any data from phones running operating system versions released a month or two earlier, historically they have eventually caught up and managed to get partial information from the phones.

That dynamic encapsulates the ongoing tension between forensic companies and mobile manufacturers. In 2018, Forbes first reported the existence of Graykey, which sent shockwaves through the forensic and law enforcement communities. At the time iPhones were broadly perceived as being exceptionally difficult to access, in part because two years earlier Apple refused to build a capability for the FBI to access the iPhone of the San Bernardino shooter. The Department of Justice dropped its lawsuit against Apple when Azimuth Security, a little-known but highly important government contractor, hacked the device for U.S. authorities.

The same year as Graykey’s public reveal, Apple experimented with a feature called USB Restricted Mode, which disabled the Lightning port if the iPhone hadn’t been unlocked or connected to a computer after a certain period of time. “You cannot use it to sync or to connect to accessories. It is basically just a charging port at this point,” Braden Thomas, a former Apple security engineer who went on to work for Grayshift, explained in a customer-only message in 2018.

A screenshot of one of the documents showing Graykey capabilities against Google Pixel phones.

That caused some issues, but judging by the leaked Graykey and Cellebrite documents, the forensic companies found new solutions. Then earlier this month 404 Media reported that Apple quietly introduced code which was rebooting iPhones running iOS 18 and higher if they had not been unlocked for a certain period of time. The impact was that police were finding themselves locked out of devices they had seized for forensic examination. 

This is the status quo where the encryption debate has somewhat settled for the time being: forensics companies find exploits, Apple or Google fixes them or introduces new mitigations, and then the cycle continues. Arguably, that’s one reason large scale legal fights, like what happened in the aftermath of the San Bernardino attack, haven’t happened to the same extent again. 

Apple acknowledged a request for comment but stopped replying to emails seeking a statement. Google declined to comment. Rick Andrade, a spokesperson for Magnet Forensics, declined to comment. 

By 2020, Grayshift had launched a “mobile” version of its unlocking tool. In 2021, the company introduced support for cracking Android devices.

404 Media has uploaded versions of the documents here and here.



Read the whole story
cgranade
22 hours ago
reply
Share this story
Delete

AI-Powered Buzzfeed Ads Suggest You Buy Hat of Man Who Died by Suicide

1 Share

In 2016, back when it still had a robust newsroom staffed with journalists, Buzzfeed published a feature article about empty nose syndrome, a rare condition that makes people feel like they are suffocating despite having a clear airway. The article opens with the heart-wrenching of Brett Helling, who suffered from empty nose syndrome and eventually died by suicide because of his condition. The article includes a photograph of Helling and his toddler nephew smiling at the camera. 

Finding the story in 2024, a 404 Media reader saw that the photograph of Helling and his nephew now included a button that said “Shop This Image,” which invited him to buy dark beanies like the one Helling is wearing in the photograph. “BUY NOW” buttons under Helling’s photograph invited Buzzfeed readers to buy a “Katy Pom Pom Beanie” for $29.99 from Forever New or a similar black beanie for $59.99 from The Iconic. 

This new type of ad unit is provided by Trendii, a company that uses AI to identify objects in images, match them with products for sale from participating retailers, and link readers to those products in the hope of generating sales. It’s common for websites to make money via affiliate links, where sites link to online retailers when they write about specific products, which rewards them with revenue when readers click or buy products they found via those links. Trendii, which takes a cut of that revenue as well, offers retailers and publishers like Buzzfeed a similar arrangement, but monetizes images instead of links in the text of the article. 

This seems inoffensive and even synergistic on a celebrity news site like dmarge.com, where articles about what movie stars like Ryan Gosling are wearing feature images with the Shop This Image button that links to black Allbirds t-shirts. However, user comments on Buzzfeed over the last year indicate that the Shop This Image button has appeared over images of gruesome crimes, graphic medical conditions, and obliterated neighborhoods and displaced people in Gaza. 

“I've gotta say the ‘Shop This Image’ ad feature really feels gross when reading articles like this,” one commenter wrote on a Buzzfeed article titled “17 Creepy, Disturbing, And Terrifying Things I Learned About This Month That I Really, Really, Really, Really Cannot Keep To Myself.” “This man is killing his neighbors by slowly poisoning them with opioids, this is where you can get his outfit. This woman had both her arms and legs amputated from a dog lick, find out how you too can rock this look.” The commenter is referring to two real incidents and images in the article, one about a man in Florida who was poisoning his neighbors, and the other about a woman who lost her hands and legs to an infection from a dog

A comment on a Buzzfeed story about how different celebrities were talking about Palestine indicates that the “Shop This Image” button appeared on an image of Palestinian children surrounded by bombed out buildings in Gaza.

When reached for comment, Buzzfeed said that the Shop This Image ads come from Buzzfeed Australia, which was licensed to Val Morgan Digital Group in 2023 (it is common for US publication to license their brands to other business entities in Australia that operate independently), and that the ads are no longer running on the empty nose syndrome story “for obvious reasons.” Buzzfeed also said that the ads should be geofenced so that only readers in Australia should see them. The 404 Media who initially tipped us about the ads is located in Australia, and we were not able to view them on Buzzfeed’s site from the U.S..

Val Morgan Digital did not respond to a request for comment.

Trendii acknowledged my request for comment but did not provide one in time for publication. 

It’s not clear how Buzzfeed and Trendii are deciding what images to implement the Shop This Image button on, and the button does not appear for all users. For example, a roundup of book reviews from 2021 appears to include the button on images of book covers featuring human figures only. 

The Shop This Image button also appeared in a listicle published on Buzzfeed last month titled “I've Read A Lot Of ‘Dark Facts’ In My Day, But I Can Wholeheartedly Say These 17 Are Some Of The Most F*cked-Up I've Come Across.” The first item on the list about syphilis includes a medical illustration showing its most severe symptoms, including "grotesque tumor-like growths." Buzzfeed readers have to click on the image, which is initially blurred out and shows a warning that it is graphic, before they can see it. The same image included a Shop This Image button which suggested users buy MAC’s Locked Kiss lipstick for $63.25, as well as other lipsticks which appear to match the shade of the lips in the illustration. 

The same article also includes an item about the 1986 Challenger space shuttle disaster, alongside an image of all the astronauts who died on board. That image suggested readers buy a blue puffer jacket or hoodie that matches the shade of the astronauts’ blue uniforms. 

Two other sets of images in the article about The Great Molasses Flood, where 21 people died, and a 1937 gas line explosion that killed almost 300 people in a Texas school, suggest that readers buy black and white items of clothing, seemingly because they’re attached to black and white archival photographs. 

Trendii, which is based in Australia, says it offers “AI powered contextual advertising that instantly matches products to image and video content.” 

On its website, Trendii says its “AI instantly identifies products in image and video content, across various categories, including - clothing, accessories, footwear, furniture, and home decor. It detects different colours, styles, patterns, and categories, matching brand’s [sic] products to the most relevant and inspiring content. This intelligent matching capability empowers seamless contextual discovery, propelling audiences from exploration to purchase.”

However, as you can tell from the examples above, Trendii is not linking readers to the actual products that are in the images, if the images are showing products at all. It is just matching the objects that are in the image as best it can to products from retailers that choose to promote their products with Trendii. When the Shop This Image button appears on a photograph in a story about Kanye West, readers are not being offered what he’s actually wearing in the photograph, but a pair of Tommy John shorts that sort of look like what he’s wearing in the photograph. 

According to Trendii’s site, the company also offers the Shop This Image button on Vogue, Marie Claire, GQ, Elle. and Popsugar. Its CEO Aaron Wolf recently said in a podcast interview that he imagines that in the future a Shop This Image-type feature will be part of all media we consume.

“I think the way the world looks over the next three to five years is essentially every television becomes a marketplace,” Wolf said. “We’re all connected to all the brands, it’s all instantaneous and automatic everywhere. All the shows are basically storefronts, shopping malls, whatever you want to call it, and everyone is able to buy whatever they see, wherever they see it.”



Read the whole story
cgranade
1 day ago
reply
Share this story
Delete

Split tunneling using Wireguard and namespaces

1 Share
Read the whole story
cgranade
3 days ago
reply
Share this story
Delete

Trump Lays Out Plan to Harm Trans Community

1 Share
 

President elect Donald Trump has released a video in which he cribs plans from the Heritage Foundation evil manifesto, Project 2025, to explain how he’d like to destroy the trans community.

  

by Alyssa Steinsiek

I regret to inform you all that Donald Trump has said something horrific and uninformed. Already. Again. I guess we’re gonna have to get used to that opener, because we’re staring down the barrel of a very difficult four years with this chump in the Oval Office.

In a video that has been widely shared on Twitter, probably originally posted to Truth Social but I’m not giving them my phone number to find out, Trump has outlined his plan to stop “the chemical, physical and emotional mutilation of our youth.” First, he says on day one of his presidency he will “revoke Joe Biden’s cruel policies on so-called gender-affirming care.”

It’s important to know that Biden’s most significant overture in support of trans people and GAC was a 2022 executive order that called upon “the U.S. Department of Education and the Department of Health and Human Services to increase access to GAC and develop ways to counter state efforts aimed at limiting such treatments for transgender minors,” as well as an attempted amendment to the Affordable Care Act earlier this year intended to guarantee trans Americans’ right to access GAC. Sad to say, that hasn’t gone over as smoothly as we might have hoped. Overall, Biden and his administration have been vocally supportive of the trans community without making substantial material improvements upon trans Americans’ lives. An unqualified hero to trans Americans, he is not.

Trump also claims that GAC includes “giving kids puberty blockers, mutating their physical appearance, and ultimately performing surgery on minor children.” He follows up with a classic Jay Leno style, “Can you believe this?”

It’s a fair question because no, I can’t, actually. Yes, puberty blockers are a typical component of GAC for trans youth, and for cisgender children experiencing precocious puberty. They are perfectly safe. And while transitional surgery for trans youth is an accepted part of GAC, per WPATH standards, it is exceedingly rare. There are no documented cases of transitional surgery being performed on trans youth aged 12 and under, and an incidence rate of 2.1 per 100,000 teens between ages 15 and 17.

That means gender-affirming surgery for trans youth is dramatically less common than teens who undergo cosmetic surgeries like rhinoplasty.

Next, Trump says he will issue an executive order to every federal agency under his power “to cease all programs that promote the concept of sex and gender transition at any age,” and then “ask congress to permanently stop federal taxpayer dollars from being used to promote or pay for these procedures, and pass a law prohibiting child sexual mutilation in all fifty states.”

He says, too, that any medical providers who promote GAC “will no longer meet federal health and safety standards for Medicaid and Medicare,” and that he will grant detransitioners the right to litigate against doctors and hospitals that treated them according to existing standards for GAC in the past.

He suggests that, via the Department of Education, teachers and other school officials could be charged with violating the civil rights of children for affirming their gender identity, and that academic institutions could have their federal funding withheld as well.

Perhaps most egregiously, Trump says he will “ask congress to pass a bill establishing that the only genders recognized by the United States government are male and female, and that they are assigned at birth.”

I won’t lie to you… this is deeply scary stuff. It’s unclear how much of this Trump can actually expect to enforce, and much of it will be tied up in countless lawsuits from organizations like the ACLU that fight tirelessly to protect the victims of wrongfully empowered bigots. The fact that he’s suggesting any of it to begin with, however, is terrifying. It’s evidence that Trump intends to follow the Heritage Foundation’s blueprint for dragging America back into the dark ages, Project 2025, which he has publicly endorsed more than once.

There’s no positive spin I can put on this sort of evil planning that will assuage your fears. What I can tell you is that I am scared, too. You are not alone in being afraid of the ways in which Trump’s second term will inevitably harm us. You are not wrong for feeling paralyzed, or furious, or sad. What you’re feeling right now is exactly what more than one million trans Americans are feeling, and there is undeniable unity in that shared experience.

Practice good OPSEC. Keep yourself safe however you have to, and look out for the people around you as best you can. Contribute to this fight however you are able, and support the members of our communities who are combatting this fascism openly, publicly, in the streets every single day.

That’s how we get through this.


Alyssa Steinsiek is a professional writer who spends too much time playing video games!

 

Read the whole story
cgranade
7 days ago
reply
Share this story
Delete

finally picked Lorelei and the Laser Eyes back up and god what a game for art ho...

1 Share

finally picked Lorelei and the Laser Eyes back up and god what a game for art house film perverts who are also puzzle perverts and metanarrative perverts. really as long as you don't hate one of those things then you can probably get away with being only two of the three types of pervert and have a great time. there is a point where you find a bunch of synopses of fictional films by this sicko director and i was yelling about every single one of them because they're all awesome with increasingly threatening auras (complimentary). i am only like 20% in but i think it's important for sickos to know about this game

but i'm playing that one with a friend who's busy going to the da art house cinema tonight 🙄 so in the meantime i have just downloaded Pentiment, which i have heard is awesome in totally different ways. wow gaming

Read the whole story
cgranade
8 days ago
reply
Share this story
Delete

How to Change Your Legal Name and Gender 101

1 Share
 

A guide on how to change your name and you gender markers on documents across the United States.

  

by Mira Lazine

In light of Donald Trump’s electoral victory on November 5, many are left fearful of what’s to come next, including many more transgender people.

Assigned Media recommends that our transgender readers seek out these changes as soon as possible, and we’d like to help. While we are unable to provide a step-by-step guide for every state, we can direct readers to important resources within their state, and help them figure out a rough guide for the process.

Sex Changes

With legal sex changes, there are four major things that American trans people need to heed - their driver’s license/state ID, passport, social security, and birth certificate. For information on how to navigate these processes in your state, the organization Advocates for Trans Equality has a state-by-state breakdown of how to get these changes, including for all U.S. territories and Washington, D.C.

Additionally, if you’re looking to break down exact policies and requirements to compare between states, check out the Movement Advancement Project’s page for more information.

Driver’s License/State ID

Requirements for changes to your driver’s license or state ID will vary depending on what state you’re in. 

In some states, such as Minnesota, you’re able to go to the DMV with an existing ID and request a form to change the sex marker, with the updated ID being sent within 3-4 weeks. 

However, other states require signed statements from doctors, court orders from judges (which often require said proof from doctors), or even some surgeries to grant these changes. Some, such as Texas, completely ban gender changes entirely - in these cases, you may want to either contact a trans legal organization for more information, or even to flee the state entirely.

In all cases, once you change your gender on your driver’s license/state ID, you can currently keep it that way were you to move to a separate state. However, be aware of legal battles in trans-antagonistic states, such as Texas, which are currently seeking to retcon gender changes to your state ID.

There will likely be a fee for getting an updated photo ID, which will vary depending on your state. Contact your local DMV for more information on what fees may be required, though note that they typically hover between $40-70, and don’t often exceed $100.

Passport

Changing the gender on your passport has been simplified in recent years. While you used to need signed records from a doctor, as of 2022 you only need to fill out an application (in-person) at your local Passport Acceptance Facility.

Advocates for Trans Equality has a helpful webpage summarizing the exact steps to get your passport changed. To summarize, you’ll first head to the State Department website or call the National Passport Information Center at 1-877-487-2778 to figure out where your local Passport Acceptance Facility is.

Next, you’ll fill out and print the Passport Application Form (Form DS-11) and fill it out with your desired gender identity. There is a male, female, and X option available. After that, you’ll take the form to your local facility and provide proof of citizenship - i.e. a previous passport, birth certificate, or naturalization form; a form of ID such as a driver’s licenses or any of the previous documents; a 2 inch by 2 inch color photograph of yourself; and money for fees, which vary (typically between $100-200) in price, but can be determined on the State Department website. You’ll ideally want your driver’s license to be updated to your current gender identity.

Note that the color photograph can be obtained at your local UPS Store, Walmart, CVS, Walgreens, or other similar store that has a photograph center. For a small fee, they’ll take the photo and print it out for you. Alternatively, you can also take it at most Passport Acceptance Facilities for about a $15 fee, though you can opt to do it yourself. However, taking it yourself increases the risk that it’ll be rejected, as the requirements for it are stringent.

Your updated passport will be sent to you via mail, and may take several weeks to arrive.

Social Security

To change your social security information, the process is extremely simple, and is currently the same for everyone across the country regardless of what state you were born in. Note that they currently only have options for ‘male’ and ‘female’. 

All you need to do is head to the Social Security website, answer a few questions regarding your state of residence and demographics, and they’ll direct you to where you need to make an appointment. Note that if you’re a Firefox user, the website may not work, so another browser is needed.

They’ll typically only request one form of identification to prove it’s you, however you may want to bring more if you have them available in case the clerk gives you trouble. You’ll want this form of ID to have your gender identity, not assigned sex at birth. These can be your driver’s license, state ID, passport, health insurance or Medicaid card, a signed medical record from within the last two years containing your name and date of birth, military ID card, or certificate of U.S. citizenship.

Note that updating your social security card is entirely free. It will be sent to you via mail and may take several weeks to arrive.

Birth Certificate

Changing your birth certificate is generally the hardest process of these four, as it varies substantially based on what state you were born in. Note that to change your birth certificate, you have to interact with the state you were born in, and not that which you currently reside in.

Also note that many states do not allow you to update the sex on your birth certificate. For information on what states do allow this, check the Advocates for Trans Equality website.

Some states simply require a signed document from your doctor signifying that you’ve transitioned, while others may require a court order to change your birth certificate. Some, such as Florida, do not allow you to change the sex on your birth certificate at all. In cases such as this, you will want to reach out to a trans legal organization for more information on how to proceed with other gender changes for identity documents.

Most states will require some type of fee to update your birth certificate. In most cases, this hovers between $20-50. The birth certificate will be sent to you via mail, and may take several weeks to arrive.

Name Changes

Name changes are much more complicated than gender changes, with exact requirements varying based on your state. All states allow for some type of name change, but not all of them will grant you a name change because you’re transgender - you may want to seek the help of local trans legal organizations for more information. 

We recommend seeking out the Transgender Legal Defense and Education Fund, Transgender Law Center, or any local organizations that service trans people. These can range from informed consent clinics to your local university.

In general, you’ll be required to set up a court appointment with a local judge, where you’ll need to provide proof of identification, other people to testify that you do use your preferred name in your day-to-day life, and potentially additional documents that vary based on your state and county, such as signed documents from your doctor.

Also be aware that many states have habitation requirements for name changes - in some it’s only three months, while others it’s up to a year.

In general, you can expect a fee of up to $400, though you can request a waiver for this fee by providing proof that you are sufficiently low income. You will likely be expected to publicize your name change, such as in the local newspaper or online. In some states, this can also be waived if you can demonstrate that you would be at risk by publicizing said name change. It is recommended to talk to a lawyer for information on what would suffice as proof.

Provided the judge accepts your plea, you’ll be granted a court ordered name change. Get as many of these as you can, as many places require an original document signifying your name change, and do not allow for copies. Note that getting more will require additional funds. 

If you have a criminal record, you’ll want to submit your name change to the Bureau of Apprehension within ten days, and note that if you’re a felon, you can only change your name once.

You’ll then want to reach out to your local DMV, the social security administration, your local passport service facility, financial institutions, postal service, voter registration educational institutions, insurance institutions, and any other relevant bodies that require your legal name with updated information. Processes for how to change your name with each of these vary, so be prepared to call many customer service lines.

If you are an immigrant, make sure you update your local immigration office with your information. If you are assigned male at birth, also be sure to update the selective service registry.

So, that’s our quick and dirty guide to document changes. Have you changed your documents, and did you find it easy or hard? Let us know in the comments below.


Mira Lazine is a freelance journalist covering transgender issues, politics, and science. She can be found on Twitter, Mastodon, and BlueSky, @MiraLazine

 

Read the whole story
cgranade
8 days ago
reply
Share this story
Delete
Next Page of Stories