Today’s Browser Vulnerability is Brought to You By the State and the Letters F, R, E, A, and K

People often mock libertarians by claiming they blame everything on the state. But the recently revealed Factoring Attack on RSA-EXPORT Keys (FREAK) that leaves Android and Apple users vulnerable was actually the fault of the state. How so? Because of its futile attempts in the 1990s to control the export of strong encryption technology:

The weak 512-bit keys are a vestige of the 1990s, when the Clinton administration required weak keys to be used in any software or hardware that was exported out of the US. To satisfy the requirement, many manufacturers designed products that offered commercial-grade keys when used in the US and export-grade keys when used elsewhere. Many engineers abandoned the regimen once the export restrictions were dropped, but somehow the ciphers have managed to live on a select but significant number of end-user devices and servers. A list of vulnerable websites is here. Matthew Green, an encryption expert at Johns Hopkins University, told Ars the vulnerable devices included virtually all Android devices, as well as iPhones and Macs.

This is yet another example of how state regulations make us all vulnerable. In the state’s lust to control everything it often puts regulations in place that prevent its subjects from utilizing the best available defensive technologies. From restrictions on encryption technology to body armor, the state’s vested interest in spying on you and killing you far outweighs whatever concerns it may have about your safety.

We’re in the midst of a second crypto war but the state isn’t using its failed regulatory red tape this time. Instead it is trying to convince companies to implement back doors, actively exploiting encryption technology without disclosing the vulnerabilities to developers, and surveilling whatever data connections it can get its taps into. Even though the strategy has changed, the end goal remains the same: leave the people vulnerable to malicious actors so the state can ensure its capability to spy on us and kill us remains intact.
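Since the whole FREAK mess boils down to servers and clients still being willing to negotiate RSA_EXPORT suites, the practical fix on the defensive side is to audit what your TLS stack offers and refuse anything export-grade. Here is a small Python example of that check (my own added code, not from the post, Ars, or any vendor). The `ssl` module calls are real; the legacy cipher list is constructed for illustration and is not a scan of any actual server.

```python
import ssl

# Constructed sample of the cipher suites a neglected server might still
# advertise, in OpenSSL notation. Illustration only, not the output of a scan.
LEGACY_SERVER_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "EXP-RC4-MD5",          # RSA_EXPORT key exchange, 40-bit RC4
    "EXP-DES-CBC-SHA",      # RSA_EXPORT key exchange, 40-bit DES
    "EXP1024-RC4-SHA",      # 1024-bit "export" variant with 56-bit RC4
    "DES-CBC3-SHA",
]


def is_export_grade(suite: str) -> bool:
    """True when an OpenSSL (EXP-...) or IANA (TLS_RSA_EXPORT_...) name marks the suite as export-grade."""
    name = suite.upper()
    return name.startswith("EXP") or "_EXPORT" in name


def audit_suites(suites):
    """Partition a cipher list into (kept, rejected); export-grade suites are rejected."""
    rejected = [s for s in suites if is_export_grade(s)]
    kept = [s for s in suites if not is_export_grade(s)]
    return kept, rejected


def rsa_modulus_is_weak(bits: int, minimum: int = 2048) -> bool:
    """Export keys were 512 bits; refuse any RSA modulus shorter than the stated minimum."""
    return bits < minimum


def export_suites_in_default_context():
    """Names of any export suites the local OpenSSL default client context would offer (expect none)."""
    ctx = ssl.create_default_context()
    return [c["name"] for c in ctx.get_ciphers() if is_export_grade(c["name"])]


def hardened_context_suites():
    """Restrict a server context to ECDHE key exchange with AES-GCM and report what remains."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!MD5")
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    kept, rejected = audit_suites(LEGACY_SERVER_SUITES)
    print("rejected export-grade suites:", rejected)
    print("remaining suites:", kept)
    print("export suites in local default context:", export_suites_in_default_context())
    print("hardened server offers:", hardened_context_suites())
    for bits in (512, 1024, 2048):
        print(f"RSA-{bits} weak: {rsa_modulus_is_weak(bits)}")
```

The name-based filter is the same idea as putting `!EXPORT` in a cipher string; the last function shows the stronger approach of whitelisting forward-secret suites rather than blacklisting bad ones, which is what you want so that the next legacy surprise isn’t on the list either.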

Google Backs Away from Encrypting Android 5.0 Devices By Default

When Snowden leaked the National Security Agency’s (NSA) dirty laundry a lot of companies’ faces were red. The leaks showed that they were either complicit in the NSA’s surveillance apparatus or helpless to stop the agency from exploiting their systems. In an attempt to rebuild customer confidence many technology companies scrambled to improve the security on their devices. Apple, being the manufacturer of very popular handsets, announced several major security improvements in iOS 8, including disabling its ability to bypass a user’s set passcode. Much to the approval of Android users, Google announced that Android 5.0, also known as Lollipop, would ship with device encryption enabled by default.

But some bad news appeared yesterday. Google has backed down from enabling encryption by default in Lollipop:

Last year, Google made headlines when it revealed that its next version of Android would require full-disk encryption on all new phones. Older versions of Android had supported optional disk encryption, but Android 5.0 Lollipop would make it a standard feature.

But we’re starting to see new Lollipop phones from Google’s partners, and they aren’t encrypted by default, contradicting Google’s previous statements. At some point between the original announcement in September of 2014 and the publication of the Android 5.0 hardware requirements in January of 2015, Google apparently decided to relax the requirement, pushing it off to some future version of Android. Here’s the timeline of events.

This, in my seldom humble opinion, is a very bad idea. The justification appears to be performance related. Namely, many Android devices without hardware cryptography acceleration take a huge performance hit when device encryption is enabled.

If a user wants to disable device encryption that’s their choice but I firmly believe that this option should be enabled by default even if performance noticeably suffers on some devices. We’ve seen too many stories where abusive spouses, police officers, and federal agents have retrieved data from unencrypted devices without the consent of the owner or, in the case of law enforcement, warrants. With the amount of personal data people store on their mobile devices it’s far too risky to leave that data unprotected from prying eyes. Especially when we live in a surveillance state.

Cody Wilson Puts Out Bounty for Carbon Fiber 3D Printer

Cody Wilson has done a great job demonstrating the futility of gun control through his efforts at creating functional firearms with 3D printers. But 3D printing a firearm with plastic has major limitations. Fortunately a company has released a 3D printer that uses carbon fiber. Unfortunately they won’t sell to Cody because they know he wants to use it to print a firearm and the company apparently isn’t cool with that. But once you release your technology to the public it cannot be controlled, and Cody is determined to get his mitts on one of these 3D printers. So determined, in fact, that he’s offering a sizable bounty for one:

Defense Distributed founder Cody Wilson says he pre-ordered the Mark One about a year ago for $8,000, but was told last Friday in a phone call with a MarkForged salesman that the company refuses to sell him one, citing terms of service that disallow private citizens from using the machine to make firearms. So instead, Wilson is offering what he describes as a “bounty” to anyone who can get him MarkForged’s new carbon fiber printer.

“Anyone who’s got access to one, any reseller, any individual or business or entity that can deliver it to me, I will give them fifteen grand,” says Wilson, who has also released a YouTube video advertising his offer. “I’m going to get this printer. I’m going to make a gun with it. And I’m going to make sure everyone knows it was made with a MarkForged printer.”

Herein lies the problem for those who want to control technology. Once you sell your technology to somebody they can easily turn around and sell it. If they stand to make a nice profit they will likely be willing to sell. $7,000 is a tidy profit and I’m guessing Cody isn’t going to have any problem acquiring the printer.

Signal for iOS Now Supports Secure Text Messaging

One of the things I try to do is find tools that enable secure communications without requiring a degree in computer science to learn. OK, few of the tools I’ve seen require a computer science degree but most people are notoriously lazy so any barrier to entry is too much. I’ve been using and recommending Wickr for a few months now because of its relative ease of use. It’s a good tool but there are two major flaws in my opinion. First, it’s not open source. Second, it requires a separate user name and password, which is a surprisingly high barrier to entry for some (I’m talking about people with little security knowledge).

For a while Android users have enjoyed Red Phone for secure phone calls and TextSecure for secure text messages. Some time ago an app called Signal was released that gave iOS users the ability to call Red Phone users but there was no app that was compatible with TextSecure. Since some of the people I talk to use Android and others use iOS I really needed a solution that was cross platform. Fortunately the developers of Signal, Red Phone, and TextSecure just released an update to Signal that enables secure text messaging.

It’s a very slick application. First of all it, along with every other project developed by Open Whisper Systems, is open source. While being open source isn’t a magic bullet it certainly does make verifying the code easier (and by easier I mean possible). The other thing I like is that it uses your phone number to register your app with Open Whisper Systems’ servers. That means people can see if you have the app installed by looking up your number, which is magically pulled from your contacts list, in the app. If it’s installed on your end the app will let them send you text messages or call you. There are no user names or passwords to fiddle with so the barrier to entry is about as low as you can go.

Signal isn’t a magic bullet (no secure communication tools are). For example, since it’s tied to your phone number it doesn’t preserve your anonymity. Wickr, by allowing you to use a separate user name, does a better job in that department although it’s still not as good as it could be since it doesn’t attempt to anonymize traffic through something like Tor. Messages also aren’t set to self-destruct in a set amount of time like Wickr’s messages do. But it certainly fulfills some of my requirements when talking with people who aren’t technically knowledgeable or are just plain lazy.

South Carolina Republicans Demand Oath of Purity

Although I hate both the Democrats and Republicans equally I have to say that the Republicans certainly give me more material to work with. The Democrats tend to keep their stupidity aimed at policy whereas the Republicans spread their stupidity out to include their policies and the things many of their members say. Case in point, the Republicans like to make public statements about their social conservatism. The Republican Party in one South Carolina county took such statements to the next level when it demanded its members take a pledge of purity. This pledge included some real gems:

“You must oppose abortion, in any circumstances.

“You must uphold the right to have guns, all kinds of guns.

“You must endorse the idea of a balanced state and federal budget, whatever it takes, even if your primary responsibility is to be sure the county budget is balanced.

“You must be faithful to your spouse. Your spouse cannot be a person of the same gender, and you are not allowed to favor any government action that would allow for civil unions of people of the same sex.

“You must have:

“A compassionate and moral approach to Teen Pregnancy;

“A commitment to Peace Through Strength in Foreign Policy; and

“A high regard for United States Sovereignty.”

Now I question the sincerity of many of these points. For example, I doubt they mean members must uphold the right to have all kinds of guns. In my experience Republicans, while claiming to support gun rights, tend to get very squeamish around things such as grenade launchers.

The statement about spouses really takes the cake though. Republicans, at least the ones I know, seem to have a problem with faithfulness. I know several local Republicans that ended up having affairs at the last Republican National Convention and a few even ended up getting divorced. From what I’ve been told this is a common problem within the party. The fact that members of the party must also pledge against supporting any government action that would allow for same-sex marriages is laughable. Republicans always claim to be the party of small government. Getting the government entirely out of the marriage game would greatly reduce the size and power of government but would necessarily allow for same-sex marriages. Catch-22, Republicans.

I also enjoy the quip about a peace through strength foreign policy. Do you know what that makes me think of? Kane:

[Image: Kane, “Peace Through Power”]

Granted, unlike Republicans, Kane was actually competent at fulfilling his goals. But it’s nice to see the Republican Party’s rhetoric reflects that of the supreme bad guy of the original Command and Conquer series.

Besides being incredibly pathetic this pledge also demonstrates why the Republican Party is having such a tough time getting new suckers members under the age of 500 billion years old. My generation cares far less about social issues than the one before it and it’s likely the generation after mine is going to care even less. So as long as the Republican Party continues pushing social issues it will find itself becoming more and more irrelevant in this country’s politics.