American Freedom

I really do enjoy the people who continue to say that United States isn’t a police state. You have to admire somebody who can perform such blatant acts of cognitive dissonance without instantly suffering from a mental breakdown. After all, nothing says not a police state like having a quarter of your population arrested:

We’ve heard a lot of talk lately about mass incarceration, the stop-and-frisk policies in New York, reforming the drug laws, and mandatory minimum sentencing. There’s also been discussion about over-criminalization — that we have too many laws, too broadly enforced — from groups as ideologically diverse as the Heritage Foundation, the ACLU, the Cato Institute, and the National Association of Criminal Defense Lawyers.

But here’s a related statistic that’s pretty mind blowing in and of itself: According to the FBI, in 2011 there were 3991.1 arrests for every 100,000 people living in America. That means over the course of a single year, one in 25 Americans was arrested.

While that statistic doesn’t tell the whole story, as each arrest of the same person is counted separately in the raw numbers, it does tell a frightening one nonetheless. The fact that there have been, on average, 399.1 arrests for every 100,000 people is insane. If such a statistic doesn’t prove that this country has too many laws on the books I don’t know what can.

How the Tables Have Turned

I wasn’t alive for the height of the Cold War but I remember my teachers constantly pounding into my head that the Soviet Union was a land where the government spied on everybody and any dissenter was whisked away to a labor camp. America was the land people defected to in order to flee the Soviet Union. The tables have turned. Edward Snowden revealed that the National Security Agency (NSA) has been spying on every American for years and, in so doing, was forced to flee to Russia in order to seek asylum from the United States government, which was hunting him down like a rabid dog. Now, as a form of punishment for housing Snowden, Obama is calling off his meeting with Putin:

US President Barack Obama has cancelled a meeting with Russian President Vladimir Putin after Russia’s decision to grant asylum to intelligence leaker Edward Snowden, the White House said.

But Mr Obama will still attend the G20 economic talks in St Petersburg.

A White House aide said Mr Snowden’s asylum had deepened the pre-existing tension between the two counties.

The former intelligence contractor has admitted leaking information about US surveillance programmes to the media.

The decision to cancel the talks, announced during a trip by the president to Los Angeles, comes the morning after Mr Obama said he was “disappointed” with Russia’s decision to offer Mr Snowden asylum for a year.

If you ask me it sounds like Obama is rewarding Putin. Seriously, who wants to be stuck in an boring political meeting? Nothing exciting happens during those meetings. Two politicians, who are overly concerned with how they appear to the general public, make continuous bland statements that lack any real content just so they can appear on camera.

But it’s interesting to see how different things are today. Americans, fearing the wrath of the United States government, are forced to flee to Russia. The Cold War may restart because of the United States and its determination to have an all pervasive surveillance state without any dissenters.

The Liberator Pistol

On Thursday some of us Defcon attendees went to Sunset Park for the Toxic BBQ (the food wasn’t toxic but the 100 degree weather was pretty brutal to this Minnesotan). During the BBQ I met Dallas, a speaker at Defcon who invited us to attend his Skytalk at 0900 the next morning. His talk was about this little guy (pardon the shitty photography, I’m not a photographer and the lighting in the hallway wasn’t ideal):

If you don’t recognize it it’s the 3D printed Liberator Pistol. While I’ve read and written about the Liberator many times on this blog, this was the first time I was able to look at and touch one. It’s a rather crude weapon, which I expected since it’s a prototype, but a novel idea. If you look at the picture you’ll see the main pistol, which was printed in black polylactide (PLA), and the internal parts, which were printed in green PLA. The green parts were printed smaller than the design requires so assembling the parts wouldn’t allow one to have an operating weapon (this was done because security at the Rio was apparently uncomfortable with the idea of bringing in a working pistol).

The two presenters, Dallas and Sean Wayne, did a marvelous job of presenting the weapon. They covered the legal matters involved with manufacturing a Liberator (namely you must include at least 3.7 oz. of ferrous metal in the design and you cannot transfer it), the capabilities of the pistol, their adventure with getting the pistol through airport security (as checked baggage, which is what you must always do to legally fly with a firearm), and why the Liberator, at least as it currently stands, is impractical.

The Liberator isn’t the most capable weapon. Considering the entire weapon, with the exception of the firing pin and the legally mandated chunk of metal, is made of plastic the weapon has some notable weaknesses. During the presentation we were told that 10 firing is the generally accepted maximum a Liberator can handle. Since the pistol brought by the presenters was printed on a MakerBot with PLA, instead of something like acrylonitrile butadiene styrene (ABS), it wasn’t safe to fire (PLA is brittle and the pistol at the presentation would have exploded if one tried to fire it). Furthermore, the pistol has an issue with leaking gas from the trigger cutout, which is likely to burn the person shooting it. Once again, being a prototype, none of these issues surprised me.

I found their experience trying to travel with the pistol interesting. Because they didn’t want to chance being locked in a cage the pistol was transported just like any other firearm, by declaring and checking it. What was interesting was that the employees at the airline were rather baffled by the plastic pistol (in my experience airline employees are often baffled by any firearm) and ended up calling over a Transportation Security Administration (TSA) agent. Unlike the entirely clueless airline employee, the TSA agent recognized it as a pistol and allow the declaration and checking to commence as usual. This may be one of the few times an agent of the TSA performed a competent job. It’s also nice to know that flying with a Liberator is treated no differently than flying with any other firearm.

The Liberator is a cool concept but, as it currently stands, is impractical. Reloading it is a ponderous task because you must remove the barrel, and the gun can’t survive many firings. As a member of the audience pointed out, one would have better luck going to the hardware store, buying a few dollars worth of metal parts, and slapping together a zip gun that would almost certainly be more reliable than the Liberator.

Of all the presentations I attended this was one of the most interesting (in part because I’m a gun nut but also because I love the concept of 3D printers). I’ve wanted to look at and touch a Liberator since it was first unveiled by Cody Wilson. Now that I have seen one I can say that my initial impressions were correct. It’s a really cool idea that will only get better in time. According to Sean and Dallas, the Defcad community is has already released a fourth major version of the Liberator design. With such rapid improvements it’s likely that we’ll see a reliable single-shot 3D printed pistol in no time. Once that’s been accomplished it’ll be time to move on to a semi-automatic 3D printed pistol.

Prosperity

News outlets have been abuzz with good news about the job market here in the United States. During the second quarter the job market added 183,000 jobs:

Economists predict that employers added 183,000 jobs — a figure that would show that businesses are growing more confident despite weak economic growth. More jobs would boost consumers’ ability to spend, allowing for stronger growth in the second half of the year.

The unemployment rate is expected to have dipped last month to 7.5 percent from 7.6 percent. The Labor Department will release the report at 8:30 am EDT Friday.

The depressions is over, everybody can go home! Well, not quite. As it turns out the jobs added to the market aren’t full time positions. A majority of jobs are part time:

The 162,000 jobs the economy added in July were a disappointment. The quality of the jobs was even worse.

A disproportionate number of the added jobs were part-time or low-paying — or both.

Part-time work accounted for more than 65 percent of the positions employers added in July. Low-paying retailers, restaurants and bars supplied more than half July’s job gain.

“You’re getting jobs added, but they might not be the best-quality job,” says John Canally, an economist with LPL Financial in Boston.

So far this year, low-paying industries have provided 61 percent of the nation’s job growth, even though these industries represent just 39 percent of overall U.S. jobs, according to Labor Department numbers analyzed by Moody’s Analytics. Mid-paying industries have contributed just 22 percent of this year’s job gain.

In other words, the jobs being added aren’t jobs people can survive off of. This is one of the many problems with labor statistics in the United States. The numbers reported fail to tell the actual story. While an estimated 182,000 jobs were added to the economy makes everybody feel happy the truth is that most of those jobs are crap. In other words the labor market hasn’t actually improved any notable amount, it’s merely sucking in a different way.

I guess the depression is still on.

Duplicating “Do Not Duplicate” Keys

Security is a heck of a lot of fun. Whenever you believe you have made a better mouse trap somebody finds an exploit in it. Since all security mechanisms can be bypassed, and will be bypassed, the field is constantly changing. One of the things that society needs to learn is that printing words on surfaces doesn’t equate to security. For example, many “high security” locks will have keys that say “Do Not Duplicate” on them. It’s a pointless thing to print because duplicating keys isn’t rocket science:

When lock maker Schlage imprinted the words “do not duplicate” across the top of the keys for their high-security Primus locks, they meant to create another barrier to reproducing a piece of metal that’s already beyond the abilities of the average hardware store keymaker. One group of hackers, of course, took it instead as a direct challenge.

At the Def Con hacker conference Saturday, MIT students David Lawrence and Eric Van Albert plan to release a piece of code that will allow anyone to create a 3D-printable software model of any Primus key, despite the company’s attempts to prevent the duplication of those carefully-controlled shapes. With just a flatbed scanner and their software tool, they were able to produce precise models that they uploaded to the 3D-printing services Shapeways and i.Materialise, who mailed them working copies of the keys in materials ranging from nylon to titanium.

“In the past if you wanted a Primus key, you had to go through Schlage. Now you just need the information contained in the key, and somewhere to 3D-print it,” says 21-year old Van Albert. “You can take a high security ‘non-duplicatable’ key and basically take it to a virtual hardware store to get it copied,” adds 20-year-old Lawrence.

This is just an evolution in key manufacturing. Before duplication using 3D printers was a thing we used files. If you didn’t have a key to a lock you could always impressions one:

The lesson to take away from this story is that printing “Do Not Duplicate” on a key doesn’t equate to security. While a locksmith may abide by that text for professional reasons nobody else is likely to do so.

What We Know About the Attack on Freedom Hosting

If you’ve been following this blog for any length of time you know that I’m a huge fan of location hidden services. While a huge chunk of the security community was busy at Defcon the feds made their move against the largest hidden service provider, Freedom Hosting. Most media outlets have simply indicated that the Federal Bureau of Investigations (FBI) made a major strike against the world’s “largest child pornography dealer”:

US authorities are seeking the extradition of a 28-year-old Irishman described in the High Court by an FBI special agent as “the largest facilitator of child porn on the planet.”

Eric Eoin Marques appeared before Mr Justice Paul Gilligan on foot of an extradition request by the FBI, which alleges he is involved in the distribution of online child pornography.

The High Court yesterday put Mr Marques back in custody until next Thursday.

Fortunately we no longer have to rely exclusively on major media outlets for our news. Over at Bitcoin Talk infested999 posted a far better summary of what went down. Mr. Marques is the owner of Freedom Hosting, which is a hosting service for Tor location hidden services. Unsurprisingly, distributors of child pornography have moved their operations to location hidden services and, also unsurprisingly, the FBI moved against the only entity it could identify, the owner of the hosting service. Since the nature of location hidden services prevent client and server identification it’s difficult to determine who owns and operates a hidden website and who visits it. This is where the more interesting part of the story comes into play. Not only did the FBI seize Freedom Hosting, it also loaded malicious JavaScript onto the sites in an attempt to locate visiting clients:

Attackers exploited a recently patched vulnerability in the Firefox browser to uncloak users of the Tor anonymity service, and the attack code is now publicly circulating online. While the exploit was most likely designed to identify people alleged to have frequented a child porn forum recently targeted by the FBI, anonymity advocates say the code could be used against almost any Tor user.

A piece of malicious JavaScript was found embedded in webpages delivered by Freedom Hosting, a provider of “hidden services” that are available only to people surfing anonymously through Tor. The attack code exploited a memory-management vulnerability, forcing Firefox to send a unique identifier to a third-party server using a public IP address that can be linked back to the person’s ISP. The exploit contained several hallmarks of professional malware development, including “heap spraying” techniques to bypass Windows security protections and the loading of executable code that prompted compromised machines to send the identifying information to a server located in Virginia, according to an analysis by researcher Vlad Tsrklevich.

According to the Tor mailing list the vulnerability used was specific to older versions of Firefox (the Tor Browser Bundle is based on Firefox 17) and users of the latest version of the Tor Browser Bundle weren’t affected. Likewise, at some point in the Tor Browser Bundle’s history the developers decided to enable JavaScript by default. Previously JavaScript was disabled by default. This recent exploit demonstrates why it’s important to have the latest version of your browser software and why JavaScript is, in general, a dangerous thing.

The exploit has been confirmed to phone home to an Internet Protocol (IP) address owned by the National Security Agency (NSA), adding further credence to the belief that the malicious JavaScript was inserted by an agency of the United States government to unveil Tor users.

From a technical standpoint this is an intriguing case. The FBI are beginning to adapt to hidden services. It has found a weak point, known providers of location hidden service hosting, and is using exploits to an attempt to locate anonymous users. It will be interesting to see what comes of this case.

I’m Back

Defcon has concluded and I’m back in the Twin Cities. I plan to write a post detailing some of the cooler things I saw at the conference later but for now I’m just going to say I had a great time. Things may be a little slower around here than usual as I recover from my absence (557 unread e-mails, yay) but new material will be posted at regular intervals again.

Considerations Regarding Encryption: Cost to Benefit Analysis

Since I began advocating crypto-anarchy I’ve met a surprising amount of resistance from an unexpected group. Many of my fellows in the liberty movement have taken a defeatist approach to technology. Now that they know that the National Security Agency (NSA) is scooping up every data packet it can get its grubby hands on, an almost Luddite-esque sect has developed in the liberty movement. They believe that the Internet, and all forms of electronic communications, should be avoided because they feel that no force on Earth can stand up to the power of the federal government (an ironic attitude from a movement that advocates standing up to the federal government). These people have become critical of advocating cryptographic and anonymizing tools to protect against unwanted spying.

One of the criticisms they often raise is that the NSA can simply decrypt whatever data it captures. This belief partially stems from the belief that the state is omnipotent and partially from misunderstanding the purpose of encryption. In this post I plan to briefly address the latter (I believe I’ve sufficiently addressed the former in my extensive posting history).

Encryption isn’t a magic bullet that will prevent unauthorized individuals from reading your data for all eternity. It is a tool that stands to greatly delay an unauthorized individual from reading your data. Anything that has been encrypted can be decrypted. If that wasn’t he case then encryption would be useless as it would prevent unauthorized and authorized individuals from reading the data. There are numerous ways to decrypt encrypted data.

The first, and most obvious, method is getting a copy of the decryption key. In order to allow authorized individuals to read encrypted data there has to be a way to legitimately decrypt it. This is done by giving authorized individuals decryption keys. Decryption keys can take many forms including a pre-shared key that is known to both you and other authorized individuals and asymmetric keypairs, one of which is secret and (ideally) known only to you and another which is public.

The second method is brute force. A brute force attack, in regards to cryptography, involves trying every possible decryption key. While this method will eventually decrypt encrypted data, it’s very time consuming if proper cryptographic algorithms and practices are used. Depending on the amount of computational power available, decrypting the data via brute force may take years, decades, or (possibly) centuries. In other words, brute force attacks are expensive.

The third method is to exploit the encryption algorithm itself. This method is cheaper than brute force but it depends on finding an exploitable vulnerability in the algorithm used to encrypt the data. Depending on the algorithm used, this method can decrypt encrypted data very quickly or it can be impossible (at least for the time being).

Humans always perform a cost to benefit analysis before taking an action. The state is no different. While the NSA, theoretically, has a tremendous amount of computing power available to it, using that computing power isn’t free. Computing power requires time and electricity. So long as you have computers dedicated to decrypting one set of data you can’t dedicate them to decrypting other sets of data. It’s unlikely that the NSA is using brute force to decrypt every encrypted set of data it has intercepted. Instead, it is likely using brute force only after it has decided to target an individual.

Algorithm exploits are another concern. Many people believe that the NSA has exploits that allow it to decrypt data encrypted by every known algorithm. Those people often believe that the NSA also has backdoor access to every electronic device (which would make the former mostly irrelevant). Such knowledge still requires a cost to benefit analysis. While the cost in time an electricity is very low the cost in revealing that it has an exploit is very high. Let’s say you encrypted your hard drive with AES-256 and the NSA had an exploit that allowed it to decrypt the drive. Now that it has that information it can use it to target you but, in so doing, it would have to reveal how it obtained that information. In other words, it would have to explain to a court that it has an exploit that allows it to decrypt AES-256 (many people may point out that they don’t have to give you a trail if they whisk you off to Guantanamo Bay, to which I would point out that they wouldn’t need evidence of wrongdoing either). After that information was revealed everybody wanting to hide information from the NSA would encrypt their information with a different, hopefully more secure, algorithm. Unless the NSA knows what algorithm its intended targets decided to use and had an exploit for that algorithm it would have effectively tossed away its most effective tool to get one person. The same risk applies to revealing information about backdoors installed in systems. That’s a tremendous cost.

That leaves us with the method of obtaining the decryption key. This is, most likely, the cheapest option for the NSA to use if it wants to target a specific individual. Even if an individual is unwilling to voluntarily provide their decryption key the NSA can always resort to rubber-hose cryptanalysis. Rubber-hose cryptanalysis relies on the use of coercion to get a decryption key from a target. An example of this method being was a woman in Colorado who was held in contempt of court for refusing to decrypt her hard drive. By holding her in contempt until she decrypted her hard drive the state gave her an ultimatum: either rot in prison indefinitely or face the chance of rotting in prison if incriminating evidence is found on the decrypted hard drive. Another way to use rubber-hose cryptanalysis is physical force. If you torture somebody long enough they will almost certainly surrender a decryption key. I will point out that an agency willing to torture an individual to retrieve a decryption key is unlikely to concern itself with retrieving evidence in the first place so the point would be moot.

Looking at the costs associated with the above mentioned decryption methods we can develop a rudimentary cost to benefit analysis. In most cases, for the state, the cheapest option is to simply get the decryption key from the user. Holding somebody in concept of court for refusing to surrender their decryption key has a positive (for the state) side effect: the person is detained until they provide the decryption key. Such a case is win-win for the NSA because keeping you in a cage also takes you out of the picture. Brute force would likely be resorted to if the NSA was interested enough in decrypting the data that it would be willing to take the time and front the electrical cost of throwing a good amount of computing power at the task. In other words, it is unlikely to brute force every encrypted piece of data. Instead, it would likely use brute force only after it has decided to specifically target an individual. The only time the NSA would resort to an algorithm exploit (if it has one), in my opinion, is if the data is needed immediately and the consequences of any delay would be very high.

There are no magic bullets in security. Encrypting your data won’t prevent unauthorized individuals from reading it for all time. But encrypting your data raises the cost of reading it, which will likely deter fishing expeditions (decrypting all data and selecting people to target based on the decrypted information). By encrypting your data you will likely remain under the radar unless the NSA has some other reason to target you. If that is the case it won’t matter if you use modern technology or not. Once you’re a target the NSA can use old fashioned surveillance methods such as bugging your dwelling or dedicating an individual to follow you around. There is no sense in handicapping yourself in order to avoid Big Brother. Big Brother can watch you whether your use a cell phone or only communication with individuals in person. If you use the best tools available you can enjoy almost the same level of security using modern communication technology as you enjoy when having face-to-face discussions.