My evening was spent finalizing the setup on my new mail server and cursing Xcel Energy for failing to actually provide power to my residence. There’s nothing to see here, but if you send an e-mail to me you can experience my fancy new server.
Month: June 2015
Government Networks Are too Old to Secure
The quest for answers regarding the recent breach that put every federal employee’s personal information at risk has begun. As with most government investigations into government screw-ups this one is taking the form of public questionings of mid-level federal employees. Buried within the extensive waste of time that was the most recent public hearing were a few nuggets of pure gold. For starters the Office of Personnel Management (OPM) Director, Katherine Archuleta, let some information slip that should be very concerning to everybody:
During testimony today in a grueling two-hour hearing before the House Oversight and Government Reform Committee, Office of Personnel Management (OPM) Director Katherine Archuleta claimed that she had recognized huge problems with the agency’s computer security when she assumed her post 18 months ago. But when pressed on why systems had not been protected with encryption, she said, “It is not feasible to implement on networks that are too old.” She added that the agency is now working to encrypt data within its networks.
Apparently government networks are too old to secure. The only conclusion one could draw from this is that the government networks involved are running on unsupported software. Perhaps most of the computers in its networks are still running Windows XP or something older. Perhaps the hardware they’re using is so ancient that it cannot actually encrypt and decrypt data without a noticeable performance hit. What is clear is that somebody really screwed up. Whether it was network administrators failing to update software and hardware or bean counters failing to set aside funding for modernization, the network that holds the personal information for every federal employee was not properly maintained. And this is the same organization that has a great deal of personal information about every American citizen. The federal government has your name, address, phone number, Social Security Number, date of birth, and more sitting in its janky-ass network. Think about that for a moment while you contemplate the importance of privacy from the government.
But old networks aren’t the only problem with the government’s networks:
But even if the systems had been encrypted, it would have likely not mattered. Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would “not have helped in this case” because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.
Valid user credentials alone shouldn’t allow one to obtain personal information on every government employee. This admission indicates that either the compromised accounts had far more privileges than their owners needed or the data wasn’t protected in any way against unauthorized access from internal users. Any network administrator worth a damn knows that you only give users the privileges they require. Developers of systems that handle sensitive personal information should know that any access to said information requires approval from one or more higher-ups. If I’m a user and want to access somebody’s Social Security Number there should be some kind of overseer who must approve the request.
Many network administrators haven’t implemented multifactor authentication, but the omission is inexcusable for a network that contained so much personal information. Relying on user names and passwords alone to protect massive databases of personal information is gross negligence. With options such as YubiKey, RSA SecurID, and Google Authenticator there is no excuse for not implementing multifactor authentication on networks with so much sensitive information.
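To make the point concrete, here is an added example (not code from the original post, and not anything OPM ran) of what the Google Authenticator style of second factor actually does on the server side: an RFC 6238 TOTP check layered on top of a password check. It uses the RFC 6238 test secret so the codes can be checked against the published vectors; the account record, salt, and password are constructed for illustration. It shows the three things a phished password alone does not get you past: the code itself, a drift window that is deliberately narrow, and single-use enforcement so a code captured in transit cannot be replayed.

```python
"""Password + TOTP login check in the style of Google Authenticator (RFC 6238).

Added example, not code from the original post. The shared secret is the
RFC 6238 test key; the account, salt and password are constructed.
"""
import base64
import hashlib
import hmac
import struct
from typing import Optional

# RFC 6238 test secret: ASCII "12345678901234567890", base32-encoded the way
# an authenticator app receives it from a provisioning QR code.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30      # seconds per time step
DIGITS = 6
WINDOW = 1     # accept +/- one step of clock drift, no more


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    key = base64.b32decode(secret_b32, casefold=True)
    return hotp(key, now // step, digits)


class Account:
    """Constructed user record: salted password hash, TOTP secret, replay state."""

    def __init__(self, password: str, secret_b32: str):
        self.salt = b"constructed-salt"   # a real system draws a random salt per user
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.secret_b32 = secret_b32
        self.last_counter = -1            # highest time-step counter already accepted

    def login(self, password: str, code: Optional[str], now: int) -> bool:
        """Both factors must pass, and each code is single-use."""
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        if not hmac.compare_digest(candidate, self.pw_hash):
            return False
        if code is None:
            return False  # a phished password on its own does not get in
        key = base64.b32decode(self.secret_b32, casefold=True)
        base = now // STEP
        for drift in range(-WINDOW, WINDOW + 1):
            counter = base + drift
            if counter <= self.last_counter:
                continue  # code for this step was already spent: treat as replay
            if hmac.compare_digest(hotp(key, counter), code):
                self.last_counter = counter
                return True
        return False


def demo() -> dict:
    """Walk one account through the failure modes the text describes."""
    acct = Account("hunter2", SECRET_B32)
    now = 1234567890
    code = totp(SECRET_B32, now)
    return {
        "code": code,
        "password_only": acct.login("hunter2", None, now),
        "both_factors": acct.login("hunter2", code, now),
        "replay": acct.login("hunter2", code, now + 5),
        "wrong_password": acct.login("letmein", totp(SECRET_B32, now + 60), now + 60),
        "drift_ok": acct.login("hunter2", totp(SECRET_B32, now + 90), now + 120),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The drift window and the replay check pull in opposite directions: widen the window to tolerate bad clocks and you give an attacker who captured a code more time to use it, which is why the example keeps the window at one step and records the accepted counter. Hardware tokens such as YubiKey avoid the shared-secret problem entirely, but even this software variant is enough to turn a social-engineered password into a dead end.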
We all know governments love oversight and this is no exception. The systems in question were inspected by a government overseer and deemed not to be properly secured, and nothing was done about it:
He referred to OPM’s own inspector general reports and hammered Seymour in particular for the eleven major systems out of 47 that had not been properly certified as secure—which were not contractor systems but systems operated by OPM’s own IT department. “They were in your office, which is a horrible example to be setting,” Chaffetz told Seymour. In total, 65 percent of OPM’s data was stored on those uncertified systems.
Chaffetz pointed out in his opening statement that for the past eight years, according to OPM’s own Inspector General reports, “OPM’s data security posture was akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information.”
Here we see one of the biggest failures with government oversight, the lack of enforcement. When an inspector deems systems to be unfit those systems should be made fit. If they’re not made fit, the people charged with maintaining them should be replaced. There is no point in oversight without follow-through.
When people claim they have nothing to hide from the government they seldom stop to consider who can gain access to its data. It’s not just the law enforcers. Due to general incompetence when it comes to security it’s potentially anybody with valid user credentials. And valid user credentials are obtainable by exploiting the weakest link in any computer network, the user. According to Dr. Andy Ozment the credentials were likely obtained through social engineering, which is something most people can fall prey to. Because of the lack of multifactor authentication, anybody who can social engineer user credentials from a government employee potentially has access to all of the data collected by the government on you. Is that something you’re honestly OK with? Do you really want a government this incompetent at protecting the personal data of its own employees holding a lot of personal data about you?
Lazy Libertarians
This weekend several of my friends and I had the privilege of running the CryptoParty for B-Sides MSP. It wasn’t the first CryptoParty I’ve either hosted or helped host but all of the previous ones were for various libertarian groups. I cannot properly express the difference between being a part of a CryptoParty with security professionals versus libertarians. Unlike the libertarian CryptoParties I’ve been involved with, none of the people at B-Sides MSP went on a tirade about how the otherwise entirely incompetent government can magically crack all crypto instantly.
Libertarians like to consider themselves the paragons of personal responsibility. However, time and again, I see a lot of libertarians putting more effort into making excuses for their laziness than into doing anything productive. Using secure communication tools is one of the areas where supposedly responsible libertarians like to be entirely irresponsible. This is kind of ironic because libertarians tend to be the ones bitching about government surveillance the loudest.
It was during the CryptoParty at B-Sides MSP that I made a decision. From now on I’m going to call out lazy libertarians. Whenever I host or otherwise participate in a CryptoParty for libertarians and one of them goes off about the incompetent government suddenly being incredibly competent I’m just going to tell them to shut the fuck up so the adults can continue talking. If you are a libertarian and you sincerely oppose government surveillance then prove your sincerity by utilizing the really awesome and very effective tools we have available to secure our communications. Use Pretty Good Privacy (PGP) to encrypt your e-mails, call people with RedPhone or Signal, send text messages with TextSecure or Signal, and encrypt your computer and mobile device’s storage. Unless you’re doing these things I can’t take any claims you make about hating government surveillance seriously. If you want to be lazy and make up conspiracy theories that’s your thing but I am going to call your ass out for it.
Actual security professionals, some of whom knew a hell of a lot more about cryptography than me (not that that’s very hard), took these tools seriously and so should you. The only people claiming that the government can break all cryptography instantly are conspiracy theorists who know absolutely dick about cryptography and people wanting to justify their laziness. Don’t be either of those. Instead embrace the personal responsibility libertarians like to tout and take measures to make government surveillance more expensive.
When is Discussing Cryptography a Jailable Offense
A 17 year-old is facing 15 years in a cage because he discussed cryptography. Specifically he discussed how members of the Islamic State could utilize cryptography to further their goals:
A 17-year-old Virginia teen faces up to 15 years in prison for blog and Twitter posts about encryption and Bitcoin that were geared at assisting ISIL, which the US has designated as a terror organization.
The teen, Ali Shukri Amin, who contributed to the Coin Brief news site, pleaded guilty (PDF) Thursday to a federal charge of providing material support to the Islamic State in Iraq and the Levant.
Dana Boente, the US Attorney for the Eastern District of Virginia, said the youth’s guilty plea “demonstrates that those who use social media as a tool to provide support and resources to ISIL will be identified and prosecuted with no less vigilance than those who travel to take up arms with ISIL.”
According to the defendant’s signed “Admission of Facts” filed Thursday, Amin started the @amreekiwitness Twitter handle last June and acquired some 4,000 followers and tweeted about 7,000 times. (The Twitter handle has been suspended.) Last July, the teen tweeted a link on how jihadists could use Bitcoin “to fund their efforts.”
According to Amin’s court admission (PDF):
The article explained what Bitcoins were, how the Bitcoin system worked and suggested using Dark Wallet, a new Bitcoin wallet, which keeps the user of Bitcoins anonymous. The article included statements on how to set up an anonymous donations system to send money, using Bitcoin, to the mujahedeen.
Some may point out that this is obviously bad because it supports the “enemies of America.” But it brings up a very important question. Where is the line drawn between aiding an enemy and simply discussing cryptography? I write a lot of posts about how encryption can be used to defend against the state. That information could very well be read by members of the Islamic State and used to secure their communications against American surveillance. Have I aided the enemy? Has every cryptographer who has written about defending against government surveillance aided the enemy?
Lines get blurry when governments perform widespread surveillance like that being done by the National Security Agency (NSA). Regular people who simply want to protect their privacy, which is supposedly protected by the Constitution in this country, and military enemies of the government suddenly find themselves using the same tools and following the same privacy guides. What works, at least in regards to secure communications and anonymization, for people wanting privacy and military enemies is the same. Therefore a guide aimed at telling people how to encrypt their e-mail so it can’t be read by the NSA also tells an agent of the Islamic State how to do the same.
Where is the line drawn? Is it the language used? If you specifically mention members of the Islamic State as the intended audience are you then guilty? If that’s the case wouldn’t the obvious solution be writing generic guides that explain the same things? Wouldn’t that mean the information written by Ali Shukri Amin would have been perfectly fine if he simply didn’t tailor it for members of the Islamic State?
As the state’s use of widespread surveillance is utilized to enforce more laws the desire of regular people to secure their communications will increase (because, after all, we’re all breaking the law even if we don’t intent to or know we are doing it). They will use the same tools and guides as members of the Islamic State could use. Will every cryptographer face the same fate as Ali Shukri Amin?
Brilliant Troll is Brilliant
I love a good gag. You would think the prevalence of trolls on the Internet would result in an endless stream of hilarious gags but, sadly, it doesn’t. It seems a large number of Internet trolls prefer to just be assholes. Thankfully there are still some old school trolls out there in meatspace performing some amazing pranks:
This guy is a legend. Just a God and hero among men. Mark Gubin is an artist and photographer in Milwaukee and decades ago he realized that his studio was along the flight path to the local airport. He had the brilliant idea to paint on the roof of his studio in giant letters “Welcome To Cleveland.” Why? To mess with people mostly.
The sign is decades old, and is having new life today after being passed around Twitter. For years the sign has caused passengers on planes to freak out about going to the wrong place. There apparently was a Denver to Cleveland flight that stopped over in Milwaukee and the sign caused all sorts of confusion from passengers who thought the plane must have skipped the layover.
You, good sir, are a true hero.
A New Low for Gun Control Advocacy
The gun control battle was put to bed some time ago. Time and again the end of the world scenarios gun control advocates predicted failed to come to fruition. In fact violent crime rates have continued to decline even as gun restrictions have been loosened. Even though one could argue that the declining violent crime rate is unrelated to the loosening of gun restrictions, the claim that gun restrictions reduce violent crime has been proven false.
Maybe it’s because they never learned critical thinking in school or maybe it’s related to the fact that there’s a lot of money in shilling for gun control thanks to big money tyrants like Michael Bloomberg, but gun control advocates can’t admit that their claims are wrong. So what’s a gun control advocate to do? Make shit up, obviously! And not just a handful of minor fabrications. The time has come for some next-level bullshit. Now, to prove gun control works, real states must be compared to entirely fictitious states:
The state in question is Connecticut. In 1995, Connecticut tightened its laws for handgun purchases. It raised the age requirement from 18 to 21, thus cutting off part of an age group that’s statistically prone to violence. It also required purchasers to apply for a permit at their local police station, which would perform a more extensive background check. Finally, the permits would not be approved without proof of attendance of an eight-hour safety course.
So, there was a clear before-and-after the implementation of these laws to track gun-related homicides. The question is how to find an appropriate population to serve as a control for Connecticut.
Quite cleverly, the authors created one. Rather than looking for a single state that matches Connecticut’s demographics, they performed a statistical analysis that created a synthetic state that tracked Connecticut’s pattern of firearm homicides before the law’s passage. This state was composed of a weighted rate from a number of different states. So, for example, neighboring Rhode Island accounts for about 70 percent of the synthetic state’s composition, Maryland another 15 percent. Then the authors created a similar synthetic state that tracked Connecticut’s non-firearm homicides.
(Because the study period overlapped the 2001 terrorist attacks on the World Trade Center, where a number of Connecticut residents worked, that year was dropped from the non-firearm analysis.)
The synthetic state analysis also took into account a large number of factors that tend to influence rates of homicide, such as the percentage of the population at or below the poverty line, the percent between 15 and 24 years of age, and the number of police per unit of population.
For homicides from all causes other than guns, the synthetic state tracked Connecticut both before and after the passage of the 1995 gun control law. A few years after the implementation of the law in late 1995, however, firearm homicide rates diverged, with Connecticut’s continuing to drop along a previous trend, while the synthetic states (like the national average) saw this rate stabilize.
This is a level of fail that’s almost impressive. Gun control shills are so desperate that they’re now claiming gun control works because statistical studies of make-believe states say so. I could also prove whatever point I wanted if I based my claims on the results of a statistical study of a state I made up.
Go home gun control shills, you’re drunk.
Apparently Selling the Same Thing for More isn’t a Viable Business Strategy
I have a fairly sizable firearm collection. In addition to a plethora of other firearm models my collection includes a few AR-15s and 1911s. None of those AR-15s or 1911s are Colts though. With so many manufacturers building AR-15s and 1911s I never understood paying such a premium for a Colt. As it turns out I wasn’t the only one. Apparently charging twice as much for the same thing isn’t a viable business strategy:
Gun maker Colt Defense LLC plans to file for chapter 11 bankruptcy-court protection by Monday, according to people familiar with the matter, amid business-execution issues and a heavy debt burden.
The company has secured financing from its existing senior lenders to continue operating while in bankruptcy and expects to remain in business after the restructuring, the people said.
Colt fell into the same rut as many other well-known manufacturers. Instead of continuing to innovate Colt tried to skate by on its name. The last new firearm Colt announced, the 901, was still little more than an AR-15 that could be converted from 5.56x45mm to 7.62x51mm. Colt’s strategy wouldn’t have been so bad if it hadn’t felt that its name justified such a hefty price tag.
It’ll be interesting to see whether or not it can claw its way out of this mess.
Monday Metal: The Toreador March by Christopher Lee
Unless you’ve been living under a rock you’ve heard about the passing of metal legend Christopher Lee. In addition to being a fencer, actor, and basically everything else that’s awesome Christopher Lee was also the oldest performer in metal. To celebrate his career this week’s Monday Metal will be a song from his final EP, The Toreador March:
Making It Doubleplus Illegal
Everything can be solved by a prohibition. At least that’s what the statists believe. Back in the day the movie Die Hard 2 had everybody convinced that a Glock handgun was made of plastic and porcelain and could therefore get past metal detectors. Although this was entirely fabricated the politicians latched onto it and passed the Undetectable Firearms Act, which requires the inclusion of at least 3.7 ounces of steel in any firearm so it can be detected by metal detectors. With the advent of 3D printed firearms many politicians again have their panties in a bunch. Several of them have taken action and introduced a bill that would require metal be included in any firearm design:
Plastic guns can be even more dangerous than traditional firearms because they’re harder to detect, says Rep. Steve Israel (D-N.Y.).
The Undetectable Firearms Modernization Act, backed by Israel and several other Democrats, would prohibit the manufacture of entirely plastic guns. The legislation would require a major component of every gun to contain enough traces of metal to be detected.
Israel plans to unveil the legislation Tuesday during a press conference at LaGuardia Airport in New York City, where he will draw a connection between his bill and recent high-profile airport security lapses.
“If detectable weapons can make it through security checkpoints, how can we expect to catch wrongdoers carrying undetectable plastic firearms?” Israel told The Hill. “What could be worse than a gun that can be used on an airplane, but cannot be detected on the security line because it’s plastic?”
“It’s time to modernize our airport security so the American people can count on it,” he added.
So entirely plastic guns will now be doubleplus illegal! That will obviously solve the problem!
The number of laws on the books is now so extensive that even the politicians don’t know them all. Manufacturing entirely plastic guns has been illegal for a long time. In addition to being entirely redundant, this bill ignores the fact that 3D printed firearms still fire regular cartridges, which are made of metal. A plastic firearm with no ammunition is a worthless weapon. There is also the problem of who is administering airport security:
The Transportation Security Administration (TSA) failed a recent sting operation in which undercover agents sneaked fake explosives and weapons through airport security in 67 out of 70 tests, or about 95 percent of the time.
According to Israel (the politician, not the country) TSA’s 95 percent failure rating is one reason to pass this bill to make what is already illegal illegaler. I’m not sure how that makes sense since TSA hasn’t been missing plastic guns but actual metal guns. Something tells me Israel isn’t the sharpest tool in the congressional toolbox (but he is a tool).
It would be improper of me to not point out the most obvious flaw in Israel’s clever plan. Anybody who is willing to sneak a weapon onto a plane to kill people is not going to comply with a law that requires them to include metal in their 3D printed firearm. This law is therefore pointless on two levels.
Anything the Private Sector can Screw Up the Government can Screw Up Better
There have been numerous major data breaches in recent times that have compromised a lot of credit card numbers. The reaction to those breaches ranged from anger to outright demands that the government get involved to ensure another one never happens. As if trying to teach that last crowd a valuable lesson, fate has shown us once again that anything the private sector can screw up the government can screw up better (which is impressive because the private sector can really fuck some shit up):
A giant hack of millions of government personnel files is being treated as the work of foreign spies who could use the information to fake their way into more-secure computers and plunder U.S. secrets.
Millions of personnel files, including Social Security numbers, were acquired by an unknown attacker. This makes the compromise of credit card numbers look like amateur hour by comparison! But it gets better!
Federal employees were told in a video Friday to change all their passwords, put fraud alerts on their credit reports and watch for attempts by foreign intelligence services to exploit them. That message came from Dan Payne, a senior counterintelligence official for the Director of National Intelligence.
How in the hell is a regular low-level federal employee supposed to watch for attempts by foreign intelligence agencies to exploit them? Does the United States government honestly think other intelligence agencies are so inept as to have a guy with a strong foreign accent call up federal employees and say, “Hello, I’m a Nigerian prince…”? The average person has no idea how to defend themselves against a specialized spook (if they did, spooks wouldn’t be very effective at their job).
Both the breach and the response are ridiculous. However this points to something more concerning. If the government can’t keep its personnel files safe or detect a major breach for months (the story notes the breach occurred in December but wasn’t discovered until this month) then why should we have any confidence in its ability to keep our personal information secure? Everything from tax records to our phone calls (thanks National Security Agency) are being held by the federal government and could be up for grabs by any competent attacker. Imagine the wealth of information that could be acquired if an attacker managed to breach one of the NSA’s databases. This is another reason why allowing the government to store personal information is so dangerous.