A Geek With Guns

Discount security adviser to the proles.

Be Careful When Taking Your Computer In For Servicing

without comments

How many of you have taken your computer in to be repaired? How many of you erased all of your data before taking it in? I’m often amazed by the number of people who take their computer in for servicing without either replacing the hard drive or wiping the hard drive in the computer. Whenever I take any electronic device in for servicing I wipe all of the data off of it and only install an operating system with a default user account the repairer can use to log in with. When I get the device back I wipe it again and then restore my data from a backup.

Why am I so paranoid? Because you never know who might be a paid Federal Bureau of Investigations (FBI) snitch:

The doctor’s attorney says the FBI essentially used the employee to perform warrantless searches on electronics that passed through the massive maintenance facility outside Louisville, Ky., where technicians known as Geek Squad agents work on devices from across the country.

Since 2009, “the FBI was dealing with a paid agent inside the Geek Squad who was used for the specific purpose of searching clients’ computers for child pornography and other contraband or evidence of crimes,” defense attorney James Riddet claimed in a court filing last month.

Riddet represents Dr. Mark Albert Rettenmaier, a gynecological oncologist who practiced at Hoag Hospital until his indictment in November 2014 on two felony counts of possession of child pornography. Rettenmaier, who is free on bond, has taken a leave from seeing patients, Riddet said.

Because the case in this story involved child pornography I’m sure somebody will accuse me of trying to protect people who possess child pornography. But data is data when it comes to security. The methods you can use to protect your confidential communications, adult pornography, medical information, financial records, and any other data can also be used to protect illicit, dangerous, and downright distasteful data. Never let somebody make you feel guilty for helping good people protect themselves because the information you’re providing them can also be used by bad people.

Due to the number of laws on the books, the average working professional commits three felonies a day. In all likelihood some data on your device could be used to charge you with a crime. Since the FBI is using computer technicians as paid informants you should practice some healthy paranoia when handing your devices over to them. The technician who works on your computer could also have a side job of feeding the FBI evidence of crimes.

But those aren’t the only threats you have to worry about when taking your electronic devices in for servicing. I mentioned that I also wipe the device when I get it back from the service center. This is because the technician who worked on my device may have also installed malware on the system:

Harwell had been a Macintosh specialist with a Los Angeles-area home computer repair company called Rezitech. That’s how he allegedly had the opportunity to install the spy software, called Camcapture, on computers.

While working on repair assignments, the 20-year-old technician secretly set up a complex system that could notify him whenever it was ready to snap a shot using the computer’s webcam, according to Sergeant Andrew Goodrich, a spokesman with the Fullerton Police Department in California. “It would let his server know that the victim’s machine was on. The server would then notify his smartphone… and then the images were recorded on his home computer,” he said.

When your device is in the hands of an unknown third party there is no telling what they may do with it. But if the data isn’t there then they can’t snoop through it and if you wipe the device when you get it back any installed malware will be wiped as well.

Be careful when you’re handing your device over to a service center. Make sure the device has been wiped before it goes in and gets wiped when it comes back.

Written by Christopher Burg

May 27th, 2016 at 11:00 am

Employers Having A Difficult Time Finding Employees Who Can Pass A Drug Test

with 3 comments

The war on drugs has permeated our entire society. Police have been militarized and given almost limitless power, entire industries have developed around detecting illicit drugs, and employers have become snoops that test employees for illicit drug use. The last one really baffles me.

Outside of being coerced at the point of the State’s gun, why would an employer waste their time and the time of their employees testing them for drug use? If an employee is performing their job satisfactorily an employer shouldn’t care what that employee puts into their body. If an employee isn’t performing their job satisfactorily then the employer will likely terminate them regardless of the reason. But employers have allowed themselves to become snoops for the State and is do doing have handicapped themselves:

SAVANNAH, Ga. — A few years back, the heavy-equipment manufacturer JCB held a job fair in the glass foyer of its sprawling headquarters near here, but when a throng of prospective employees learned the next step would be drug testing, an alarming thing happened: About half of them left.

That story still circulates within the business community of this historic port city. But the problem has gotten worse.

All over the country, employers say they see a disturbing downside of tighter labor markets as they try to rebuild from the worst recession since the Depression: They are struggling to find workers who can pass a pre-employment drug test.

That hurdle partly stems from the growing ubiquity of drug testing, at corporations with big human resources departments, in industries like trucking where testing is mandated by federal law for safety reasons, and increasingly at smaller companies.

I’ve heard a lot of people who work in human resource departments at software development firms joke about how their companies would lose all of their employees if they actually started doing drug testing. It’s good evidence that users of illicit drugs aren’t incapable of performing reliably. This is especially true when many drugs that are declared illegal aren’t actually that harmful. Cannabis, for example, is an example of a drug that’s still illegal in many states but doesn’t actually cause a great deal of harm. In fact it can improve an individual’s performance at work by helping them coax with anxiety or stress.

The lesson from this story is that you should not volunteer to enforce the State’s policies. Even though the State has declared a massive list of chemicals illegal that doesn’t mean you, as an employer, should volunteer to test your employees. You gain no advantage from it (when’s the last time you heard of the State giving a sizable reward to an employer for drug testing their employees) and actually put yourself at a severe disadvantage by limiting your pool of potential employees.

Written by Christopher Burg

May 27th, 2016 at 10:30 am

If It Isn’t Broken, Don’t Fix It

without comments

When it comes to effective technology the federal government has a dismal record. Recently news organizations have been flipping out over a report that noted that the federal government is still utilizing 8″ floppy disks for its nuclear weapons program:

The U.S. Defense Department is still using — after several decades — 8-inch floppy disks in a computer system that coordinates the operational functions of the nation’s nuclear forces, a jaw-dropping new report reveals.

The Defense Department’s 1970s-era IBM Series/1 Computer and long-outdated floppy disks handle functions related to intercontinental ballistic missiles, nuclear bombers and tanker support aircraft, according to the new Government Accountability Office report.

The department’s outdated “Strategic Automated Command and Control System” is one of the 10 oldest information technology investments or systems detailed in the sobering GAO report, which calls for a number of federal agencies “to address aging legacy systems.”

I’m not sure why that report is “jaw-droping.” There is wisdom in updating systems incrementally as key components become obsolete. There is also wisdom in not fixing something that isn’t broken.

This reminds me of the number of businesses and banks that still rely on software written in COBOL. A lot of people find it odd that these organizations haven’t upgraded their systems to the latest and greatest. But replacing a working system that has been debugged and fine tuned for decades is an expensive prospect. All of the work that was done over those decades is effectively thrown out. Whatever new system is developed to replace the old system will have to go through a painful period of fine tuning and debugging. Considering that and considering the current systems still fulfill their purposes, why would an organization sink a ton of money into replacing them?

The nuclear program strikes me as the same thing. While 8″ floppy disks and IBM Series/1 computers are ancient, they seem to be fulfilling their purpose. More importantly, those systems have gone through decades of fine tuning and debugging, which means they’re probably more reliable than any replacement system would be (and reliability is pretty important when you’re talking about weapons that can wipe out entire cities).

Sometimes old isn’t automatically bad, even when you’re talking about technology.

Written by Christopher Burg

May 27th, 2016 at 10:00 am

Posted in Technology

Tagged with

The FBI Cares More About Maintaining Browser Exploits Than Fighting Child Pornography

without comments

Creating and distributing child pornography are two things that most people seem to agree should be ruthlessly pursued by law enforcers. Law enforcers, on the other hand, don’t agree. The Federal Bureau of Investigations (FBI) would rather toss out a child pornography case than reveal one stupid browser exploit:

A judge has thrown out evidence obtained by the FBI via hacking, after the agency refused to provide the full code it used in the hack.

The decision is a symptom of the FBI using investigative techniques that are usually reserved for intelligence agencies, such as the NSA. When those same techniques are used in criminal cases, they have to stack up against the rights of defendants and are subject to court processes.

The evidence that was thrown out includes child pornography allegedly found on devices belonging to Jay Michaud, a Vancouver public schools worker.

Why did the FBI even bring the case Michaud if it wasn’t willing to reveal the exploit that the defense was guaranteed to demand technical information about?

This isn’t the first case the FBI has allowed to be thrown out due to the agency’s desperate desire to keep an exploit secret. In allowing these cases to be thrown out the FBI has told the country that it isn’t serious about pursuing these crimes and that it would rather all of us remain at the mercy of malicious hackers than reveal the exploits it, and almost certain they, rely on.

I guess the only crimes the FBI actually cares to fight are the ones it creates.

Written by Christopher Burg

May 26th, 2016 at 10:00 am

You Have A Right To Be Paranoid

with 4 comments

A man in Minneapolis stands accused of raping a woman. According to the accusation he used the ploy of asking for directions to approach the woman:

The victim told police she was out for a walk that night when she saw Wilkes’ car go around the block several times. He eventually stopped and got out of his car. Assuming he was lost, the victim asked if he needed help. She said Wilkes then told her he was trying to get to 29th and Franklin.

After the victim gave Wilkes directions, she turned around and continued walking. Wilkes then grabbed her throat from behind and began choking her, saying he had a gun.

There are a lot of common ploys criminals will use to get within close range of an intended victim. Asking for directions, to borrow a cell phone, a couple of bucks to buy a bus ticket to get back home, for help in an emergency situation, and so on. These ploys all serve to drop the intended victims guard so they can be approached more easily.

During a discussion about this story I mentioned to a friend that my standard response to these types of situations is to take a defensive stance, slide my hands into my pocket (usually onto a conceal weapon), and pretend that I don’t speak English (in my experience this tends to reduce the amount of time an individual will invest in trying to interact with me). My friend told me that that sounds paranoid, which brings me to the point of this post. Our society places a stigma on perceived paranoia. People who carry a firearm, for example, are often derogatorily called paranoid. But as the old saying goes, just because you’re paranoid doesn’t mean that they’re not out to get you.

If you live in a stable area, your chances of being in a violent encounter are pretty slim. A pretty slim chance is much different than zero chance though. Most of us recognized this fact and take certain precautions such as installing locks on the exterior doors of our home and avoiding neighbors that we perceive to be bad. But that recognition seems to stop where society’s perception of paranoid begins. This is ridiculous in my opinion.

First of all, only you have the unique knowledge of your life experiences to know what level of defensive measures are appropriate for you. Nobody else has spent their entire life being you so relying on them to decide what level of defense is appropriate for you is an exercise in outsourcing to a less qualified entity.

I have decided that carrying a gun and training to defend myself are appropriate defensive measures based on the knowledge I’ve gained over my lifetime. This isn’t because I believe I have a high level of encountering a violent situation. It’s because the detriments of doing so are minuscule while the potential consequences of not doing so are very high.

Let’s analyze the costs and benefits of the situation of a stranger asking for directions. When somebody initiates contact I take a defensive stance, which is to say that I make it as obvious as possible that I am aware of the person and that I am maintaining awareness of my surroundings. I also maintain a neutral expression on my face and straighten my posture, which serves the purpose of making me look more intimidating without making me look aggressive. What have any of these responses cost me? At most they have cost appearance. I come off as cold and less than friendly instead of warm and friendly. Since I don’t know who this stranger is nor am I likely to ever meet them again the cost of appearance is minuscule to me.

Another thing I do is slide my hands into my pockets. This action deprives the approaching person of some information. If my hands are visible the approaching person can identify whether or not I have a potential weapon at the ready. By concealing my hands the approaching person is forced to guess whether or not I have a concealed weapon in one of my pockets. Since I also regularly carry a firearm putting my hands in my pockets often results in me having immediate access to a weapon. What does this action cost me? Again, it potentially costs me appearance in the eyes of a stranger, which I don’t place much value.

If the person asks for directions and goes about their way I’ve still lost nothing of value to me. On the other hand, if the person meant me ill my positioning may be enough to convince them to find a different target. Predatory criminals tend to prefer easy targets. Making yourself appear to be a difficult target is often enough to convince them to go elsewhere. If my posturing wasn’t enough to dissuade them then I’m in a better position to defend myself when they attack.

What many people would considered paranoid has actually costs me very little and could benefit me greatly if the small chance of something bad occurring is realized.

You have every right to be paranoid. Bad things do happen to good people. Don’t let people who lack your lifetime of experiences convince you that they know what defensive measures are appropriate for you better than you do. Instead analyze your defensive needs yourself. You may discover that you can reap some tremendous potential benefits for very little cost.

Written by Christopher Burg

May 25th, 2016 at 11:00 am

Free Speech Is Inconvenient

with one comment

Evelyn Beatrice Hall once said, “I disapprove of what you say, but I will defend to the death your right to say it.” That attitude used to be widely held but the freedom of speech is quickly becoming another casualty to statism. A lot of people are happy to support suppressing the speech of people they disagree with. Fortunately, the freedom of speech hasn’t been slain yet. There are a few holdouts who understand the value of the freedom of speech even if it can be inconvenient:

Rowling gave a brief but exquisite address in which she lauded free speech in the broadest terms, saying, “The tides of populism and nationalism currently sweeping many developed countries have been accompanied by demands that unwelcome and inconvenient voices be removed from public discourse … Intolerance of alternative viewpoints is spreading to places that make me, a moderate and a liberal, most uncomfortable.” Speaking out about an online petition that sought to ban Donald Trump from visiting the UK, she said, “I find almost everything that Mr Trump says objectionable. I consider him offensive and bigoted. But he has my full support to come to my country and be offensive and bigoted there. His freedom to speak protects my freedom to call him a bigot. His freedom guarantees mine.”

The problem with suppressing free speech is the same problem inherent in any political solution: it sounds great while your people are in power but turns out not being so great when your opposition is in power.

Political power in democratic systems tends to change hands frequently. When things turn south the people tend to blame whatever party is in power and punish that party by handing one of its competitors the reigns. Since political power never actually solves the problems facing the people — and in fact is often the cause — entire nations of people end up trapped in a vicious cycle of flip flopping rules.

Consider the situation Rowling discussed. A lot of people in the United Kingdom support black listing Donald Trump from entering. On the one hand I can see their power. Trump is a fascist. But black listing him would set a precedence and that precedence could be used in a very different way at a future time. If the current party in power black listed Trump a future party could use that act as a justification to black list somebody else (for you Bernie Sanders supporters out there, a conservative party could come into power and black list him).

Handing the State more power always carries longterm consequences. If you hand it the power to censor bigots today it could very well use that power to censor political dissidents who are fighting bigotry in the future. The freedom of speech, like all freedoms, should be absolute.

Written by Christopher Burg

May 25th, 2016 at 10:30 am

FBI Director Concerned That Videos Of Police Beating People May Dissuade Police From Beating People

with one comment

James Comey, the current director of the Federal Bureau of Investigations (FBI), has a lot of concerns on his plate. One of his biggest concerns is the propagation of effective cryptography, which is making it harder for his agents to snoop through any random schmuck’s data. Another concern of his is the propagation of high quality cameras:

WASHINGTON — The director of the F.B.I. reignited the factious debate over a so-called “Ferguson effect” on Wednesday, saying that he believed less aggressive policing was driving an alarming spike in murders in many cities.

James Comey, the director, said that while he could offer no statistical proof, he believed after speaking with a number of police officials that a “viral video effect” — with officers wary of confronting suspects for fear of ending up on a video — “could well be at the heart” of a spike in violent crime in some cities.

“There’s a perception that police are less likely to do the marginal additional policing that suppresses crime — the getting out of your car at 2 in the morning and saying to a group of guys, ‘Hey, what are you doing here?’” he told reporters.

“Marginal additional policing” is a fancy way of saying harassment. Consider the example he gave. Why should a police officer pull over a car at two in the morning just to ask what the occupants are doing? If the officer didn’t catch them actually doing something illegal he shouldn’t have pulled them over. Period.

But the viral videos that Comey is referring to are videos of police using force. I’m an advocate of recording all police interactions. If you are a party to a police interaction you should record it, even if it’s something as minor as getting pulled over for speeding. You should also record any police interactions you come across. Police are almost never held accountable for wrongdoing in this country but the few times they are usually only happen because there was a video of the misconduct.

If the threat of being recorded on video dissuades police officers from harassing innocent people I would consider that an added bonus. Apparently Comey feels differently.

Written by Christopher Burg

May 25th, 2016 at 10:00 am

Airport Security Isn’t The Only Security The TSA Sucks At

without comments

The Transportation Security Administration (TSA) sucks at providing airport security. But the agency isn’t a one trick pony. Demonstrating its commitment to excellence — at sucking — the TSA is working hard to make its computer security just as good as its airport security:

The report centers on the the way TSA (mis)handles security around the data management system which connects airport screening equipment to centralized servers. It’s called the Security Technology Integrated Program (STIP), and TSA has been screwing it up security-wise since at least 2012.

In essence, TSA employees haven’t been implementing STIP properly — that is, when they’ve been implementing it at all.

STIP manages data from devices we see while going through security lines at airports, namely explosive detection systems, x-ray and imaging machines, and credential authentication.

[…]

In addition to unpatched software and a lack of physical security that allowed non-TSA airport employees access to IT systems, the auditors found overheated server rooms and computers using unsupported systems — and much more.

The observed “lack of an established disaster recovery capability” noted by the OIG is particularly scary. If a data center was taken out by natural disaster, passenger screening and baggage info would be rendered inaccessible.

Not only that, but there was no security incident report process in place, and there was “little employee oversight in maintaining IT systems.” And, auditors were not pleased at all that non-TSA IT contractors maintained full admin control over STIP servers at airports.

At what point do we write the TSA off as a failed experiment? I know, it’s a government agency, it’ll never go away. But the fact that the TSA continues to fail at everything and is allowed to continue existing really demonstrates why the market is superior to the State. Were the TSA forced to compete in a market environment it would have been bankrupted and its assets would have been sold to entrepreneurs who might be able to put them to use.

It’s time to ask the million dollar question. What will happen now? One of the reason government agencies fail to improve their practices is because there’s no motivation to do so. A government agency can’t go bankrupt and very rarely do failures lead to disciplinary action. In the very few cases where disciplinary action does happen it’s usually something trivial such as asking the current head of the agency to retire will full benefits.

Meanwhile air travelers will still be required to submit to the TSA, which not only means going through security theater but now potentially means having their personal information, such as images from the slave scanners, leaked to unauthorized parties.

Mossberg To Courts: Muh Intellectual Property

with one comment

Drop-in triggers are nothing new. There are approximately one bajillion drop-in triggers available for AR pattern rifles and some rifles, like the Tavor, are designed around drop-in trigger packs. The fact that everybody and their grandmother manufacturers drop-in triggers hasn’t stopped Mossberg from suing basically everybody because it believes a patent it purchased some time ago grants it a monopoly on the bloody obvious:

In another instance of the firearms industry feeding on it’s own, it appears that Mossberg is exercising it’s control on the original Chip McCormick patent (US 7,293,385 B2), that it acquired a while ago, and bringing lawsuits against a number of manufacturers of drop in triggers.

Mossberg currently licenses the design to the new CMC company, who has apparently decided to get Mossberg to go after their competition, i.e. anyone making drop in triggers.

This is an example of patent trolling. Mossberg didn’t invent drop-in triggers, it purchased a patent covering their design. It also conveniently waited to file a lawsuit until after numerous manufacturers were making drop-in triggers, which coincidentally allows Mossberg to reap more wealth than it could have if it filed a lawsuit the moment somebody violated the patent. Then there is the fact that the patent is absurd. The idea of packaging up the components of a trigger so it can be easily inserted into a firearm isn’t novel or innovative. It’s bloody obvious.

I can only hope that a court renders this patent invalid and Mossberg is forced to pay the attorney fees for all of the companies it’s trying to exploit.

Written by Christopher Burg

May 24th, 2016 at 10:00 am

Monday Metal: Promised Land By Samael

with one comment

Written by Christopher Burg

May 23rd, 2016 at 10:00 am

Posted in Media

Tagged with