Month: June 2013

Revealing the State’s War on Privacy

Bradley Manning collected a great deal of classified government information and released it to Wikileaks. In so doing he effectively stripped some of the state’s privacy and is now standing trial for his actions (although his trial is almost certainly for show not to determine guilt). As I said, I support Manning’s actions because the state is waging a war against our privacy. As time goes on we’re learning more and more about how extensive this war really is. Yesterday it was revealed that the National Security Agency (NSA), on of the most vicious combatants in this war, has been collecting the phone records of millions of Americans:

The National Security Agency is currently collecting the telephone records of millions of US customers of Verizon, one of America’s largest telecoms providers, under a top secret court order issued in April.

The order, a copy of which has been obtained by the Guardian, requires Verizon on an “ongoing, daily basis” to give the NSA information on all telephone calls in its systems, both within the US and between the US and other countries.

The document shows for the first time that under the Obama administration the communication records of millions of US citizens are being collected indiscriminately and in bulk – regardless of whether they are suspected of any wrongdoing.

Although we’ve known that the NSA has been spying on our phone calls for some time but the release of this court order gives us a better idea of how extensive its spying is. Once again I’ll iterate that a government that doesn’t trust the general population enough to respect their privacy should not be given the privilege of privacy itself. So long as the state continues to violate our privacy it is right to violate its privacy. I will also point out that extensive spying operations such as this are prime examples of why all communications should be encrypted, which is why I started the Encrypt Everything series. Increasing the number of people who use cryptographic tools to prevent prying eyes from seeing their communications will render large scale spying operations, such as those being performed by the state, far less effective.

Judge Rules Decryption Keys are Protected by the Fifth Amendment

Last month a federal magistrate in Wisconsin refused to order a suspect to decrypt his hard drive stating that such an order would violate the suspect’s Fifth Amendment rights. This week a federal judge ruled that such an order was, in fact, a violation of the Fifth Amendment:

A federal judge in Wisconsin today granted an emergency motion filed by Feldman’s attorney for additional time to establish that her client’s Fifth Amendment right to self-incrimination would be violated.

U.S. District Judge Rudolph Randa lifted the threat of contempt of court and jail time, at least temporarily, and asked for additional briefs from Feldman’s attorney and Justice Department prosecutors. A hearing is likely to take place this fall.

What makes this case particularly interesting is that the suspect, Jeffrey Feldman, is accused of possessing child pornography. Possession of child pornography is one of those crimes that instigates such a strong emotional response in people that they demand due process being tossed out the window and any suspects be immediately burned at the stake. There are a lot of arguments being made trying to argue that ordering a suspect to decrypt his hard drive isn’t a violation of the Fifth Amendment because the crime, in this case, is so heinous. Such an attitude, in my opinion, is extremely short sighted because it sets a precedence that allows the state to justify ordering anybody accused of any crime to decrypt their hard drive or be found in contempt of court (for which the punishment is being locked in a cage until you comply, effectively indefinite detention without due process).

At some point I predict that determining whether or not the Fifth Amendment protects suspects from court orders demanding their decryption keys will reach the Supreme Court. Regardless of whether or not that happens one thing is for certain, encrypting your hard drive is the best way to protect yourself against snooping state agents who come into possession of your devices.

The Distraction of the Week

Bitter over at Shall Not Be Questioned notes that the critters in Congress are talking about bringing up gun control measures again.

At this point I’m thoroughly convinced that gun control is serving as nothing more than a distraction. With the recent military sex abuse scandal, Internal Revenue Service (IRS) scandal, trial of Bradley Manning, , talks of arming potential al-Qaeda operatives in Syria, reveal that four American citizens have been assassinated with drones, Supreme Court decision dictating that Deoxyribonucleic acid (DNA) samples can be taken from anybody being arrested, and various other scandals the federal government is currently involved in it seems as though Congress, the executive branch, and the judicial branch are desperate to get the spotlight off of their misdeeds. Gun rights are an emotional issue here in the United States and emotional issues serve as the best distractions.

My guess is Congress is hoping people will get riled up about gun control and ignore all the other shit that is currently going on in Washington DC. On the upside, if my theory is correct, they are unlikely to pass any gun control legislation because that would mean an end to the distraction. With the way things are going in the City of the Damned all three branches of the federal government needs to extend the distraction as long as possible. I wouldn’t be surprised if the new call for gun control either results in no further action or results in debates that conclude when the various ongoing scandals finally drop out of the news.

Encrypt Everything: Installing Gpg4win for Windows

Last week I wrote a walk through explaining how to use OpenPGP to encrypt your e-mail on OS X. Today I’m going to write a walk through explaining how to install GNU Privacy Guard in Windows. GNU Privacy Guard is a collection of OpenPGP tools. GPGTools, which was covered in last week’s OS X tutorial, is actually built on GNU Privacy Guard. After installing GNU Privacy Guard in Windows you will be able to generate OpenPGP key pairs, import public OpenPGP keys, and encrypt and decrypt messages using OpenPGP. Furthermore, installing GNU Privacy Guard is needed for sending and receiving OpenPGP encrypted e-mails, which will be covered in a future tutorial.

The first thing you need to do is download Gpg4win from here. As of this writing version 2.1.1 is the latest and the version used to create this guide. Previous versions of Gpg4win may not work with this guide.

Now that you have Gpg4win downloaded it’s time to begin installing it. Installing Gpg4win is pretty straight forward. Just click the Next button five times and the Install button. After clicking the Install button you’ll get a progress bar informing you of what packages are being installed. Once everything is installed click the Next button again. Now you’ll be informed that Gpg4win needs a list of root certificates. Check the box labeled Root certificates defined or skip configuration and click the Next button again followed by the Finish button. Gpg4win is now installed.

Now you will need to generate your key pair. There are two ways you can do this. The first method is using Kleopatra, a graphical interface installed with the Gpg4win package and the second method is to use the command line tools. I will walk you through using the command line tools because Kleopatra only allows you to generate 3072 bit keys while the command line allows you to generate 4096 bit keys. Don’t worry, using the command line isn’t hard.

To create your key pair open the Command Prompt and issue the following command:

gpg --gen-key

You should get the following output:

gpg (GnuPG) 2.0.20; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?

Since you will want the ability to sign and encrypt e-mails using OpenPGP select 1. Now you will be asked to enter a key length:

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

Type 4096 and hit enter. You will now be asked to enter an expiration date:

Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0)

I tend not to set expiration dates for OpenPGP keys because issuing new keys periodically is an inconvenience for the people I e-mail regularly. When you want your key pair to expire or not is entirely up to you so enter whatever you want. If you go with the default (no expiration date) you will be asked to verify that you don’t want to key pair to expire:

Key does not expire at all
Is this correct? (y/N)

Enter y if you don’t want an expiration date and N if you’ve changed your mind. It’s now time to enter your personal information. For this example I will enter my name in the Real name field, openpgptest@christopherburg.com in the Email address field, and leave the Comment field blank:

GnuPG needs to construct a user ID to identify your key.

Real name: Christopher Burg
Email address: openpgptest@christopherburg.com
Comment:

You will not be given one more chance to change things:

You selected this USER-ID:
"Christopher Burg "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

Selecting O will result in a dialog box appearing asking you to enter a passphrase. This passphrase will be used to encrypt your private key. Whenever you want to use your private key you’ll need to enter your passphrase first in order to decrypt it:

Enter a strong passphrase[1] and click enter, which will result in you being asked to re-enter the passphrase:

That’s it, you now have an OpenPGP key pair that can be used to sign and encrypt e-mails. I will cover sending encrypted e-mails in a future tutorial because the method I use in Windows, Thunderbird with Enigmail, is the same method I use in Linux. Therefore, to make less work for myself, I will first write a tutorial explaining how to install GNU Privacy Guard in Linux before writing a tutorial on using Thunderbird and Enigmail.

[1] For example, the passphrase “passphrase” is very poor. It’s not only short, but it’s also easily guessed and commonly found in dictionary files. The passphrase “This is a random phrase that says nothing but probably isn’t easily guessed nor commonly found in most dictionary files.” is notably better since it’s not easily guessable or a commonly used phrase (although, now that it’s publicly published to the Internet, it’s worthless so don’t use it). Mixing in numbers and special characters will improve the passphrase even more.

Edit: 2013-06-13: 22:26: Corrected the command –key-get to be –gen-key. Thanks Luca for pointing it out.

The Implications of Hardware Attacks on Phones

A story has been circulating amongst the various Apple blogs regarding an iOS hardware exploit:

Careful what you put between your iPhone and a power outlet: That helpful stranger’s charger may be injecting your device with more than mere electrons.

At the upcoming Black Hat security conference in late July, three researchers at the Georgia Institute of Technology plan to show off a proof-of-concept charger that they say can be used to invisibly install malware on a device running the latest version of Apple’s iOS.

Though the researchers aren’t yet sharing the details of their work, a description of their talk posted to the conference website describes the results of the experiment as “alarming. Despite the plethora of defense mechanisms in iOS, we successfully injected arbitrary software into current-generation Apple devices running the latest operating system (OS) software,” their talk summary reads. “All users are affected, as our approach requires neither a jailbroken device nor user interaction.”

Surprisingly most of the Apple blogs I’ve read have written this exploit off as a minor issue. I’m not sure if the people writing off this exploit are just zealous Apple fans who refuse to acknowledge any flaw in their favorite company’s products or if they lack imagination but the severity of this flaw, if it works as advertised, shouldn’t be understated.

While the risk of a hacker loading malicious software onto your phone through a physical cable are relatively low the risk of the state doing the same is relatively high. Various police departments have been advertising that they possess devices that can download data off of cell phones. In practice such a device can be used to obtain the contents of a person’s phone upon detainment but that’s about it. But Combining that concept with sneak and peek warrants and now you have an interesting issue. During the execution of a sneak and peek warrant law enforcement officers can enter your home, search it, and not inform you that they’ve performed the deed. It wouldn’t take much to use a hardware device to load surveillance software onto your mobile devices during one of these searches. Once that’s done it’s possible that the phone could be used as a remote monitoring system to capture conversations by turning on the microphone, images of the area you’re in by activating the camera(s), and everything you type via key logging software.

I still question whether this exploit works with every iOS configuration. The exploit could be reliant on either the 30-pin or Lightening connector, it may not operate at all if the device’s contents are encrypted, etc. But the exploit could be effective enough for state agents to load surveillance software onto most iOS devices, which makes it a notable threat that shouldn’t be written off as a minor issue.

On the less frightening side of things it will be interesting to see what the jailbreaking community does with this exploit. It’s possible that the exploit could offer an easy way for iOS users to jailbreak their devices. If that is the case I also expect Apple to fix the problem quickly since they’ve done a remarkable job at fixing holes used by the jailbreaking community.

You Shall Not Help Those in Need

People often argue about the cause of violence in our world. Some people blame guns, others blame a lack of law enforcement powers, and some even blame capitalism. I think one of the biggest causes of violence in our world is the relatively low cost of performing violence, at least in most developed nations. A situation in Canada exemplifies this:

After Briar MacLean stepped up to defend his classmate against a knife-wielding bully, his mother, Leah O’Donnell, was politely informed the school did not “condone heroics.” Instead, Briar should have found a teacher to handle the situation.

Briar MacLean was sitting in class during a study period Tuesday, the teacher was on the other side of the room and, as Grade 7 bullies are wont to do, one kid started harassing another.

“I was in between two desks and he was poking and prodding the guy,” Briar, 13, said at the kitchen table of his Calgary home Friday.

“He put him in a headlock, and I saw that.”

He added he didn’t see the knife, but “I heard the flick, and I heard them say there was a knife.”

The rest was just instinct. Briar stepped up to defend his classmate, pushing the knife-wielding bully away.

Would you be surprised to hear that Mr. MacLean was awarded for his efforts that may have saved the life of a fellow student? Sadly, in our modern society, we are surprised by such things because that’s not usually the case. In fact that wasn’t the case here either:

“I got called to the office and I wasn’t able to leave until the end of the day,” he said.

That’s when Leah O’Donnell, Briar’s mother, received a call from the vice-principal.
Mike Ridewood for National Post

“They phoned me and said, ‘Briar was involved in an incident today,’” she said. “That he decided to ‘play hero’ and jump in.”

Ms. O’Donnell was politely informed the school did not “condone heroics,” she said. Instead, Briar should have found a teacher to handle the situation.

“I asked: ‘In the time it would have taken him to go get a teacher, could that kid’s throat have been slit?’ She said yes, but that’s beside the point. That we ‘don’t condone heroics in this school.’ ”

The most messed up thing about this situation isn’t the fact that a kid did the right thing and stopped a violent thug before he was able to harm somebody, it isn’t even the fact that his good deed was punished, it’s the fact that his good deed being punished isn’t surprising.

As I said, one of the biggest causes of violence in our society is likely the low cost of performing violent act. The cost is artificially low because when somebody does step in to defend a fellow human being they are punished.

When the principal said heroics aren’t condoned she sent a very clear message: violence will be tolerated. A student coming across a violent act is less inclined to involve themselves if they know their involvement will lead to their punishment. Knowing this, violent students will be more likely to commit acts of violence because they know the chances of somebody intervening, at least until their act is completed, is lower. I’ve noted that the state lowers the cost of committing violent acts by putting road blocks between individuals and the ability to defend themselves. Punishing good deeds discourages good deeds and a society lacking good deeds is almost certain to crumble under the weight of violence and thievery.

Bradley Manning’s Trial, The State’s Retaliation in the War on Privacy

Yesterday was the opening day for, what is almost certainly, a show trial. This trial is a retaliatory strike in the state’s war on privacy. Most of you probably know that I’m referring to the trial of Bradley Manning, who stands accused of leaking classified information to WikiLeaks. There has been a great deal of debate amongst those paying attention to the trial regarding the validity of Manning’s actions. One side of the debate believes Manning’s actions qualify as treason while the other side believes Manning did the right thing. I’m in the latter camp. As an anarchist I don’t recognize borders, flags, or anything else related to a state as being valid and therefore I dismiss the charge of treason as a fictitious decree created by the state for the expressed purpose of punishing any dissenters. But even if that weren’t the case I would still support Manning. Why? Because the state initiated a war on privacy and, in so doing, lost its right to privacy.

The United States government has waged a war against our privacy since its inception. Every law it passes requires a violation of our privacy. Once something that was previously legal is declared illegal the power of warrants increase. Warrants are little more than a legal nicety that allows the state to violate the privacy of individuals. With a simple piece of paper in hand agents of the state can enter a home without legal contest and search for any material listed on said piece of paper.

After the prohibition on alcohol was passed warrants could be obtained simply because the state suspected an individual was in possession of or making alcohol. When cannabis was declared illegal the power of warrants increased again in order to empower law enforcement agents to search homes of people suspected of possessing or growing cannabis. Tax regulations grant the state the power to search through financial records looking for violations. Laws prohibiting people from sharing copyrighted works allow state agents to search people’s homes and electronic devices for infringing material. But things have gotten much worse since September 11, 2001.

The attacks on the World Trade Center and Pentagon were the justification used by the state to pass the PATRIOT Act. Amongst other things the PATRIOT Act authorized state agents to setup wiretaps without a warrant, spy on financial records under the claim of stopping the flow of funds to terrorist organizations, and issuing National Security Letters that require service providers to hand over customer data to the state while prohibiting those providers from informing their customers that their information has been demanded. By passing the PATRIOT Act the state effectively said that we the people no longer had the right to privacy. Since then the state has continued to renew expiring provisions of the PATRIOT Act and pushing the Cyber Intelligence Sharing and Protection Act (CISPA) twice. When CISPA failed to pass the first time Mr. Obama issued a series of executive orders that emulated much of what CISPA purported to do.

Make no mistake, the state fired the first shot and, in so doing, forced the people to take defensive actions. I’m a firm believer in proportional responses to aggression. If somebody initiates force against you then you have the right to use proportional retaliatory force in response. When the state violates the people’s privacy I believe violating its privacy is a proportional response.

I don’t care what information is stolen from the state so long as the state wants to keep it secret. As long as it continues its war against our privacy we should respond by violating its privacy. Bradley Manning did the right thing in my opinion. He took the state’s right to privacy away after it took our right to privacy away. It’s unfortunate that he is now, for all intents and purposes, a prisoner of war but I hope his example sets a precedence that leads more state agents to leak classified information.

Magazines for a Good Cause

Magpul is selling special edition magazines to fund its lawsuit against the State of Colorado for its new prohibition against standard capacity magazines:

To raise money for their fight against the new laws in Colorado which are forcing them to leave the state, Magpul is selling a special limited edition PMAG. The magazine is identical to their black GEN M2 PMAG other than a slight change to the ribbing and the addition of the Free Colorado logo and Magpul anniversary logo. They are being sold in packs of five for $64.75.

There are two special edition magazines. One of the magazines is stamped with “Boulder Airlift” while the other is stamped with “Free Colorado.” At the time of this writing the “Boulder Airlift” magazines were out of stock but the “Free Colorado” magazines showed as being in stock and Magpul’s website allowed me to put in an order (although it took several attempts as their website appeared to be getting hammered, which I hope is good news for their magazine sales).

I’m starting to think that Magpul is conspiring to gain my love an affection. First they produce the best magazines I can find for my LR-308, then they keep their word and abandon Colorado after the state’s government passed a prohibition against standard capacity magazines, and now they are raising money for their lawsuit by selling a product I actually want. If Magpul still has some magazines in stock put in an order. The worst that will happen is you’ll received some magazines, the best that will happen is Magpul’s lawsuit will lift Colorado’s prohibition and you’ll have some magazines.

Kokesh Cancels is March on Washington DC

Remember the armed marching on Washington DC being planned by Adam Kokesh? He copped out:

The activist who threatened to lead an armed march on Washington on July 4 has canceled the event but is urging people to converge on the 50 state capitols to protest gun regulations, according to his recent appearance on an Internet talk show.

“Please don’t come to Washington, D.C. Appeal on a state level,” Adam Kokesh, an Iraq war veteran, said in an interview Tuesday on “The Pete Santilli Show.” “We shouldn’t be begging the government to change. We should be hoping they respect our rights.”

I’m sort of shocked. Kokesh left himself an excellent trapdoor by saying the event wouldn’t happen if enough people didn’t sign up. I guess he wasn’t expecting 1,000 people to actually say they were attending. Oh well, it would have been interesting to see what would have happened as the event date approached but now we’ll never know (on the upside we do know that Kokesh isn’t one to deliver on his word).