Bitmessage

Since I just spent a post bitching about the ineffectiveness of e-mail I think it’s time to discuss alternatives. In my pursuit to find methods of secure communications I’ve stumbled across an interesting piece of software called Bitmessage. Bitmessage caught my attention because it attempts to fulfill several goals I have when looking for an e-mail replacement. First, it’s decentralized. There are no central servers running the Bitmessage network. Instead the Bitmessage network is similar to Bitcoin in that messages are broadcast (in an encrypted form) throughout the entire network.

The second feature that interests me is Bitmessage’s pseudo-anonymity. Bitmessage, like Bitcoin, is based on public-key cryptography. Users create a keypair and the public key is hashed, which gives you an identifier that others can use to communicate with you. All messages sent to you are encrypted with your public key so only you, the holder of the private key, can decrypt and read them.

That leads me to the third feature of Bitmessage that interests me, an attempt to use strong cryptography. All messages in the Bitmessage network are encrypted using public-key cryptography. That makes snooping on communiques extremely difficult. One of the weaknesses I’ve noted in most potential e-mail replacements is a tendency to send communiques in plain text. Most instant messenger servers, for example, send all messages in plain text so anybody can easily listen in.
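As an added illustration of the address scheme described above (my own example code, not Bitmessage’s), this derives a BM- style identifier by hashing a public key, attaches a checksum, and verifies a received address before it is used. The identifier hash, the one-byte version and stream fields, and the double SHA-512 checksum are assumptions standing in for Bitmessage’s exact encoding.

```python
import hashlib

# Base58 alphabet (the Bitcoin alphabet, which Bitmessage addresses also use)
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))  # each leading zero byte -> '1'
    return "1" * pad + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on characters outside the alphabet
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + raw

def checksum(payload: bytes) -> bytes:
    # First 4 bytes of double SHA-512 (assumed; stands in for Bitmessage's own choice)
    return hashlib.sha512(hashlib.sha512(payload).digest()).digest()[:4]

def pubkey_identifier(pubkey: bytes) -> bytes:
    # Assumed stand-in for Bitmessage's RIPEMD160(SHA512(pubkey)): SHA-512 then
    # SHA-256 truncated to 20 bytes, so it runs where OpenSSL lacks RIPEMD-160
    return hashlib.sha256(hashlib.sha512(pubkey).digest()).digest()[:20]

def make_address(pubkey: bytes, version: int = 3, stream: int = 1) -> str:
    # Version and stream as one byte each (assumption; Bitmessage uses varints)
    payload = bytes([version, stream]) + pubkey_identifier(pubkey)
    return "BM-" + b58encode(payload + checksum(payload))

def parse_address(addr: str) -> dict:
    """Split an address into its fields and verify the checksum before trusting it."""
    if not addr.startswith("BM-"):
        raise ValueError("not a BM- address")
    raw = b58decode(addr[3:])
    if len(raw) < 7:
        raise ValueError("address too short")
    payload, tail = raw[:-4], raw[-4:]
    return {"version": payload[0], "stream": payload[1],
            "identifier": payload[2:].hex(), "valid": tail == checksum(payload)}

if __name__ == "__main__":
    addr = make_address(b"\x04" + bytes(range(64)))  # constructed stand-in public key
    print(addr, parse_address(addr))
```

A mistyped or tampered address fails the checksum check, which is the property that stops a message from being encrypted to the wrong identifier.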

Bitmessage isn’t perfect by a long shot. The software is obviously in an alpha stage. I could only find a pre-built Windows client on Bitmessage’s website and an unofficial pre-built OS X client after some digging. Installing Bitmessage is probably more work than most people want to go through. Another problem with Bitmessage is that no independent security audit has been performed on the network or the client (although a request for such an audit is on the front page of Bitmessage’s wiki). Without a security audit there is no way to know how secure Bitmessage really is. But these are problems that plague every new piece of software. One should approach Bitmessage as a proof of concept that promises to deliver great things in the future.

If you’re interested in testing Bitmessage with me my address is BM-2D95ncE8da721wVxQzcA3QEhjrg2MGFjka.

E-Mail Servers: The Bane of My Existence

E-mail is a really shitty means of communication. The amount of spam versus the amount of legitimate mails is skewed heavily towards the useless advertisers and phishers, the underlying software to run an e-mail server is complex, and there is no way to implement complete security and anonymity. Why am I complaining about this? Because I spent all night upgrading my e-mail server.

There’s no point to this post, I just wanted to bitch and moan.

NSA Planning to Lay Off 90 Percent of Its System Administrators

In a mad panic to ensure another whistleblower doesn’t follow in the footsteps of Edward Snowden the National Security Agency (NSA) is planning to eliminate 90 percent of its system administrators:

(Reuters) – The National Security Agency, hit by disclosures of classified data by former contractor Edward Snowden, said Thursday it intends to eliminate about 90 percent of its system administrators to reduce the number of people with access to secret information.

Keith Alexander, the director of the NSA, the U.S. spy agency charged with monitoring foreign electronic communications, told a cybersecurity conference in New York City that automating much of the work would improve security.

“What we’re in the process of doing – not fast enough – is reducing our system administrators by about 90 percent,” he said.

Although Keith Alexander is selling this move as a security enhancement it’s really nothing more than shuffling around potential weaknesses in the NSA’s networks. In order to replace so many system administrators their jobs will have to be automated, which will require developers to create new administrative tools. Instead of worrying about a system administrator leaking information to the public the NSA will now have to worry about a back door being created in its new automation tools. As the Underhanded C Contest has demonstrated numerous times, hiding malicious code is surprisingly easy. Replacing human administrators with automated systems will also give attackers a new source of potential exploits.

Prototype Automatic Gauss Gun Developed

Although I love firearms I must admit that I’m beginning to find old fashioned chemical propulsion to be rather boring. Thankfully the hacker community has been working on this issue by developing exciting new electromagnetic propulsion systems. Meet the fully automatic Gauss gun:

While it may only be able to shoot a few cans right now, we certainly wouldn’t want to be in front of [Jason]‘s fully automatic Gauss gun capable of firing 15 steel bolts from its magazine in less than two seconds.

The bolts are fired from the gun with a linear motor. [Jason] is using eight coils along the length of his barrel, each one controlled by an IGBT. These are powered by two 22 Volt 3600mAh LiPo battery packs.

Here’s a video of the weapon firing:

Obviously the weapon isn’t very deadly at this point in time but it’s a prototype developed by a hobbyist in his spare time. As technology tends to do, this design will continue to advance until it becomes a viable weapon platform. These are the things I get excited about in the firearm industry these days, new prototypes that make actual advances.

3D Printed Rifle Successfully Fires 14th Round

Prepare for more pants shitting hysteria from the idea because another 3D printed firearm, this time a rifle, has managed to fire more than one round without harming its operator:

Just the opposite: Designers have moved beyond handguns to produce rifles with 3D printers. The world’s first 3D-printed rifle, named “The Grizzly” after Canadian-built tanks that were used in World War II, was fired in June, but the first shot fractured the barrel receiver.

The creator, a Canadian man who goes simply by “Matthew,” refined his design and posted a video Friday on YouTube of the Grizzly 2.0 successfully firing 3 rounds of Winchester bullets. The video description says the Grizzly 2.0 fired 14 rounds before it cracked. The new rifle was also safe enough for Matthew to fire it by hand rather than by the string system used in the first test.

Here’s the video:

Before the media begins its fear mongering by telling everybody that this gun can get through airport security and will be used to hijack planes let’s stop and think logically for a minute. Although it has successfully fired 14 rounds without maiming its operator, the Grizzly is still a plastic gun, which means the extent of its life is going to be relatively short. Like the Liberator handgun, the Grizzly rifle is cumbersome to reload. The barrel has to be twisted and removed, the spent cartridge must be pushed out with a rod, a new round must be placed in the barrel, and the barrel must be inserted and twisted back onto the rifle. In other words, it’s very slow to operate. With that said, the design is almost certain to advance quickly. We’re in the infancy of 3D printed firearms and it’s an exciting time to be involved in the shooting community.

Playing the Bankers’ Game

It is becoming more difficult to see the line that divides legitimate bankers from loan sharks. Between one-sided mortgage terms and interest rates on credit cards that would make a loan shark blush it’s pretty obvious that the banks have simply become another apparatus to separate people from their money. Ironically bankers don’t like it when somebody plays their game against them:

The idea of beating the banks at their own game may seem like a rich joke, but Dmitry Agarkov, a 42-year-old Russian man, may have managed it. Unhappy with the terms of an unsolicited credit card offer he received from online bank Tinkoff Credit Systems, Agarkov scanned the document, wrote in his own terms and sent it through. The bank approved the contract without reading the amended fine print, unwittingly agreeing to a 0 percent interest rate, unlimited credit and no fees, as well as a stipulation that the bank pay steep fines for changing or canceling the contract.

Agarkov used the card for two years, but the bank ultimately canceled it and sued Agarkov for $1,363. The bank said he owed them charges, interest and late-payment fees. A court ruled that, because of the no-fee, no-interest stipulation Agarkov had written in, he owed only his unpaid $575 balance. Now Agarkov is suing the bank for $727,000 for not honoring the contract’s terms, and the bank is hollering fraud. “They signed the documents without looking. They said what usually their borrowers say in court: ‘We have not read it,’” Agarkov’s lawyer said. The shoe’s on the other foot now, eh?

Mr. Agarkov, I salute you.

Lavabit Shutdown and Silent Circle Shutters Its E-Mail Service

Lavabit, the e-mail host that gained recent popularity by being the go-to host for Edward Snowden, has been forced to shut down. By the looks of it the order to shut down came from the glorious defender of freedom known as the United States government:

My Fellow Users,

I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on–the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me to resurrect Lavabit as an American company.

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.

Sincerely,
Ladar Levison
Owner and Operator, Lavabit LLC

Defending the constitution is expensive! Help us by donating to the Lavabit Legal Defense Fund here.

Since Mr. Levison wrote that he’s unable, for legal reasons, to discuss why he’s being forced to shut down, it’s likely that he either received a national security letter or the National Security Agency (NSA) demanded he create a backdoor in his service lest he be charged with causing harm to national security.

As a preemptive move to avoid suffering the same fate, Silent Circle, another organization that attempts to provide means of secure communications, has shuttered its e-mail service:

However, we have reconsidered this position. We’ve been thinking about this for some time, whether it was a good idea at all. Yesterday, another secure email provider, Lavabit, shut down their system lest they “be complicit in crimes against the American people.” We see the writing on the wall, and we have decided that it is best for us to shut down Silent Mail. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now.

We’ve been debating this for weeks, and had changes planned starting next Monday. We’d considered phasing the service out, continuing service for existing customers, and a variety of other things up until today. It is always better to be safe than sorry, and with your safety we decided that in this case the worst decision is no decision.

Shutting down their e-mail service before receiving a national security letter or being coerced into installing a backdoor for the NSA is a smart move. At least Silent Circle is able to publicly discuss their reason for doing so, unlike Lavabit.

These shutdowns go to show how far this police state of a country has gone. An organization can’t even provide secure e-mail hosting without becoming a target of the state’s aggression. I can only hope Mr. Levison and the people at Silent Circle move their operations to a country that respects a man’s privacy, such as Iceland, so they can continue offering services their customers want.

Solving One Problem at a Time

I must say, as Bill Gates gets older I find him more and more annoying. The man becomes more of a petty authoritarian every day. In a recent interview with Bloomberg Business Week he was asked about Google’s plan to launch weather balloons to provide Internet connectivity to developing societies:

One of Google’s (GOOG) convictions is that bringing Internet connectivity to less-developed countries can lead to all sorts of secondary benefits. It has a project to float broadband transmitters on balloons. Can bringing Internet access to parts of the world that don’t have it help solve problems?

His answer?

When you’re dying of malaria, I suppose you’ll look up and see that balloon, and I’m not sure how it’ll help you. When a kid gets diarrhea, no, there’s no website that relieves that. Certainly I’m a huge believer in the digital revolution. And connecting up primary-health-care centers, connecting up schools, those are good things. But no, those are not, for the really low-income countries, unless you directly say we’re going to do something about malaria.

Google started out saying they were going to do a broad set of things. They hired Larry Brilliant, and they got fantastic publicity. And then they shut it all down. Now they’re just doing their core thing. Fine. But the actors who just do their core thing are not going to uplift the poor.

Apparently it’s impossible to solve multiple problems at once. The reason I referred to him as an authoritarian is because of his attitude that things can only be accomplished his way. In his opinion we must cure malaria before any other problems are solved in developing societies. He doesn’t consider the possibility that getting access to the collected knowledge of mankind may allow somebody in one of those developing societies, somebody who is used to solving large problems with few resources, to come up with a more efficient way of solving the malaria problem than vaccinations.

There’s no reason multiple problems can’t be worked on simultaneously. Eradicating malaria and providing Internet connectivity can be done at the same time. In fact achieving one goal may help achieve the other.

As the saying goes, there’s more than one way to skin a cat. Just because the solution you’ve developed may work in the long run doesn’t mean it’s the only, or even best, solution.

Careful What You Plug Your Phone Into

I’ve often said that I would enjoy putting several phone charging stations in an airport or mall that would exploit whatever phone was plugged into them. As it turns out, I’m not the only one with such demented ideas:

This news couldn’t wait for the Black Hat conference happening now in Las Vegas. We reported in June that Georgia Tech researchers had created a charging station that could pwn any iOS device. The full presentation revealed precise details on how they managed it. I’m never plugging my iPhone charger into a USB port in a hotel desk again.

This is a potential vulnerability with any device that is capable of receiving data over its power input. Most smartphones, and many dumb phones for that matter, use a Universal Serial Bus (USB) port to transfer data and charge the battery. Manufacturers assume the USB port, being a port that requires physical access, is secure and doesn’t need much in the way of verification or validation (although this attitude is slowly changing), making the transfer of malicious software relatively easy. Just because a port requires physical access doesn’t mean one can do away with security measures. It’s trivial to convince most people to plug their phone into a random USB port (just claim that they’re plugging it into a phone charger).

Social engineering, the art of tricking somebody into doing something for you, is probably the most effective security bypassing mechanism. You may not have access to a machine you want to exploit but chances are you can convince somebody who does have access to grant you access. For example, gaining access to a phone is often as easy as asking the person with the phone if you can make a phone call. If you make an effective story that appeals to the owner’s emotions chances are high that they’ll hand you the device.

One of the most entertaining rooms at Defcon this year was the Social Engineering Village. Inside they had a phone booth where competitors would call various businesses and try to use social engineering to pump important information out of employees. The tactic worked frighteningly well. During one of the times I popped in the competitor had a man on the phone spilling his guts about the entire network setup for his company. Trickery works.