July 2015 – Page 3 – A Geek With Guns

Rand Paul Wants To Bring Back Religious Profiling

Here’s a reminder, for those who need it, that Rand Paul is not a libertarian nor an advocate of liberty. After the shooting in Chattanooga the presidential wannabe took some time out of his busy schedule to urge for the reimplementation of a program that almost exclusively profiles Muslims entering the country:

Yet, Paul commented to Breitbart:

I’m going to have our subcommittee and maybe committee in Homeland Security look into whether or not we could reinstitute this NSEERS [National Security Entry Exit Registration System] program.

So what did this program do? It not only singled out Muslims entering the country for extra interrogation at the airport (which is stupid because if they pose a threat then why grant them a visa at all?), it required Muslim foreign boys and men over 16 years already in the country to personally appear before Uncle Sam’s functionaries and register. Explains the Migration Policy Institute:

Registration includes a meeting with an immigration official where the interviewees are fingerprinted (both digitally and with ink), photographed, and asked a series of questions under oath. In addition to the initial registration, foreign visitors must also appear at a U.S. immigration office within 10 days of the one-year anniversary date of initial registration. All of these foreign visitors are required to complete a departure check only at a designated departure port (of which there are approximately 100 nationwide) on the same day that they intend to leave the country. Willful refusal to register is a criminal violation; overstaying a visa is a civil violation.

Expecting terrorists to voluntarily stroll to an immigration office to be fingerprinted and IDed is absurd, of course. So the entirely predictable upshot of the program was that although it managed to obtain not a single terrorism-related conviction, it did ruin plenty of lives of peaceful Muslims caught in its dragnet. Consider the case of Abdulameer Yousef Habeeb, a refugee from Iraq. As per the ACLU:

he was lawfully admitted to the United States after suffering imprisonment and torture by Saddam Hussein’s regime. Habeeb was on a train from Seattle to Washington, D.C., to start a new life when Border Patrol agents singled him out for questioning without any individualized suspicion. As a refugee, Habeeb was not required to register with NSEERS, but when he showed the border agents his refugee documentation, the agents insisted—incorrectly—that he was in violation of NSEERS’ registration requirements. Detained for a week, Habeeb lost his job. Habeeb was terrified of being returned to Iraq, yet the government stubbornly continued deportation proceedings for six weeks. Ultimately, after the ACLU filed suit, Habeeb won an apology from the government stating: “[T]he United States of America acknowledges that, by not registering under NSEERS, you did nothing wrong [and] regrets the mistake.”

Paul maintains that immigration is not a right; it’s a privilege. But the Constitution guarantees immigrants in the country the same due process and other basic rights as citizens because it understands that a Leviathan that is authorized to abuse the rights of one set of people is not likely to respect those of others for very long.

I checked the link that explains what NSEERS is and it clearly noted that, “Except for North Korea, nearly all of the countries designated in Special Registration are predominantly Arab and Muslim.” In other words this program places special restrictions on people from specific countries that grants Border Patrol agents the right to harass them without cause. Even somebody who advocates for controlled immigration should acknowledge that placing additional restrictions on specific people is not an acceptable way of handling immigration. It’s necessarily collectivist in nature, which should be the first clue that it’s a bad program, since it focuses on where a person is from and not the person themselves.

Unlike his father, who was a true advocate for liberty, Rand Paul isn’t even pretending to be an advocate for liberty anymore. He just wants to be president and will say anything that he thinks will gain him the nomination. If he gets elected there is absolutely no reason to believe he won’t continue this trend of kowtowing to neocons as he will likely want a second term.

Monday Metal: Bay Of Pigs By Civil War

What do you get when a bunch of Sabaton’s musicians are unable to cope with the band’s extensive touring and decided to form their own band? Civil War. Civil War is another awesome power metal band that derives most of its lyrics from history. Their latest album is pretty bad ass and I think Bay of Pigs is probably the best song on it:

TSA: We’re Not Happy Until You’re Not Happy

When the Department of Homeland Security (DHS) recently performed an internal investigation of the Transportation Security Administration’s (TSA) security procedures it discovered a 95 percent failure rate. Were the TSA a private security provider you would probably have seen some serious housecleaning to rid itself of individuals who obviously don’t know what they’re doing. But the TSA is a government agency, which means you and I are punished for its failures. In response to the 95 percent failure rate the TSA is demanding more tax victim money and planning to make air travelers wait even longer to get through security:

The Transportation Security Administration has a new strategy for improving its woeful performance in catching airport security threats — and it will likely mean longer lines and more government bucks.

A month after the TSA was embarrassed by its almost-total failure in a covert security audit, Homeland Security Secretary Jeh Johnson has ordered the agency to pursue an improvement plan that will require more hand-wanding of passengers, more use of bomb-sniffing dogs and more random testing of luggage and travelers for traces of explosives. It will also consider reducing travelers’ chances of being sent through the expedited PreCheck lines at airports.

Let us not forget the TSA motto: we’re not happy until you’re not happy. This “improvement plan” should tell you everything you need to know about government agencies. If you look at the list of “improvements” you’ll see the word “more” in front of everything. The TSA’s response to its 95 percent failure rate is literally trying more of the same thing only harder.

Use WPA-AES To Secure Your Wireless Network

Wired Equivalent Privacy (WEP) was the first standard implemented for securing wireless networks. As the weakness of the RC4 algorithm, which WEP relied on, became better known Wi-Fi Protected Access (WPA) was created as a successor. WPA has two modes: Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES).

TKIP was a bandage created for devices that could implement AES. It used WEP but with four rotating keys that raised the challenge of attacking the network significantly. But it was never meant to be a long-term replacement. Nowadays everything has support for AES, which was a good enough reason to move away from TKIP. In addition to that the weaknesses in RC4 are now bad enough where breaking TKIP is easy:

Almost a third of the world’s encrypted Web connections can be cracked using an exploit that’s growing increasingly practical, computer scientists warned Wednesday. They said the attack technique on a cryptographic cipher known as RC4 can also be used to break into wireless networks protected by the Wi-Fi Protected Access Temporal Key Integrity Protocol.

Researchers have long known statistical biases in RC4 make it possible for attackers to predict some of the pseudo-random bytes the cipher uses to encode messages. In 2013, a team of scientists devised an attack exploiting the weakness that required about 2,000 hours to correctly guess the characters contained in a typical authentication cookie. Using refinements, a separate team of researchers is now able to carry out the same feat in about 75 hours with a 94 percent accuracy. A similar attack against WPA-TKIP networks takes about an hour to succeed. The researchers said the only reliable countermeasure is to stop using RC4 altogether.

A wireless network secured with TKIP can now be broken in an hour. If you haven’t already setup your access point to exclusively use AES it’s time to do so. If you’re administering a web server and haven’t already disabled RC4 you’ve failed. But there’s no reason you can’t redeem yourself by disabling it now.

I spend a lot of time advocating for people to encrypt their data. One caveat I try to point out but sometimes forget is that all encryption isn’t made the same. Some encryption algorithms and implementations are far better than others. Even poor encryption is better than no encryption but usually not by a lot. Effective encryption is what you need if you want to keep your data private.

Focusing On Softer Targets

In regards to the Office of Personnel Management (OPM) breach I noted that the federal government’s networks are only as secure as the weakest link. While it’s likely federal agencies such as the Department of Defense (DoD) and National Security Agency (NSA) have much more secure networks than the OPM or Internal Revenue Service (IRS) the fact that all these federal agencies share data amongst each other means an attack only needs to breach the weakest network. Apparently that’s what China has been doing:

WASHINGTON — After years of cyberattacks on the networks of high-profile government targets like the Pentagon, Chinese hackers appear to have turned their attention to far more obscure federal agencies.

Law enforcement and cybersecurity analysts in March detected intrusions on the computer networks of the Government Printing Office and the Government Accountability Office, senior American officials said this week.

It’s a smart move. Just as much valuable information can be gleamed from lesser known agencies as more famous agencies. The fact is federal agencies have so much data on both individuals and government operations that they’re all prime targets. Herein again lies the fallacy of the “nothing to hide” crowd. They believe the only eyes that will be looking at the data the federal government has collected on them is the federal government. Truth be told other eyes such as foreign governments and malicious hackers will also be looking at their data.

The reason it’s important to keep as much data away from the federal government as possible is not just because of what the federal government will do with it but also because of the likelihood it will lose control of that data in the future.

When The Only Thing You Have Is Legislation Every Problem Looks Like It Can Be Solved By Passing A Law

Politicians are trying to infringe on both the rights of self-defense and free speech in their latest attempt at the impossible. With the 3D printing revolution taking place many politicians see the writing on the wall and realize their power to regulate manufacturing is waning. Hoping to head this technology off at the pass they’re trying to find a justification that people will fall for to pass regulations against 3D printing. Their betting everything on the populace finding the prospect of 3D printed firearms scary enough that they’ll support laws restricting what individuals can print on their 3D printers. But the rhetoric is especially amusing:

The notion of a 3-D printable gun has become the perfect flashpoint in a new conflict between digital arms control and free speech. Should Americans be allowed to say and share whatever they want online, even if that “speech” is a blueprint for a gun? The State Department has now answered that question with a resounding “no.”

That isn’t even the correct question. What everybody should be asking is if it’s even possible to enforce a law restricting what individuals can do with their 3D printers. The answer is no. Computer technology is far too pervasive to control anymore. Information can be shared amongst individuals around the world almost instantly. Anonymity tools allow individuals to share information without being identifiable. And even if people in the United States comply with a law against sharing 3D printer designs for firearms the rest of the world isn’t bound by such nonsense.

Censorship is dead and the Internet killed it. Any restriction against the sharing of ideas is unenforceable and therefore shouldn’t even be a consideration for politicians.

You Can’t Rely On Others For Your Defense

I shift around a lot of electrons talking about self-defense. When it comes to self-defense the thing that should always be kept in mind is that you can only rely on yourself. Sure, somebody may come to your aid but you can’t rely on the assumption that somebody will because very often nobody will:

What happened to Kevin Joseph Sutherland was horrific beyond imagining. On July 4, in front of about 10 witnesses on the Washington, D.C., Metro, an assailant punched him, stomped on him, kicked him in the head, and stabbed him at least 30 times. No one attempted to stop Sutherland’s killer.

What happened to me in November was vastly different, and I do not intend to equate the two events. Like Sutherland, I was attacked on a Saturday afternoon on the D.C. Metro. And as in Sutherland’s case, despite my screams and pleas, almost none of my fellow passengers on the crowded train car did anything to help.

This is why I keep myself in relatively good shape, carry a firearm, and train in martial arts (in that order of precedence) and urge you to do so as well. It’s harder to kill somebody in even decent shape than somebody who isn’t at all in shape and physical fitness improves your ability to run away, which should always been your first instinct when you feel like a situation is about to go bad. A firearm gives you the best odds against an aggressor and takes physical disparity out of the equation. Martial arts give you an option for dealing with an aggressor even in situations where you’re unarmed.

Both stories mentioned in the link article involved a person being attacked while multiple witnesses did nothing. One could blame the witnesses for not involving themselves, and a writer for the Federalist did exactly that, but it’s also unreasonable to expect somebody to risk their life to aid a complete stranger. That doesn’t make somebody a “beta male,” as the Federalist writer claims, it simply means they’re individuals who performed a risk-benefit calculations and concluded involving themselves was riskier than the potential benefit. That’s a very logical conclusion. Involving yourself in a physical confrontation is always risky. You don’t know if the situation is a gang of violent individuals beating a random innocent person to death or a inter-gang war playing itself out. It’s also impossible to know if the attackers are carrying armaments in addition to whatever is currently in their hands or if they have more friends nearby. Generally speaking the safe option for a person witnessing a physical confrontation is to do everything in their power to not involve themselves. That doesn’t necessarily mean it’s the moral choice but it is a logical choice.

But that logical choice also means you have to be prepared to fend for yourself.

For $549 You Can’t Own A Gun Detection System That Can’t Detect Guns

I’m not sure what to think about this one. GunDetect is being marketed as a camera that can detect when somebody is carrying a gun. Based on what has been published so far I’m not sure if this is meant to be a legitimate product or a really clever troll.

The first problem regarding GunDetect is technical. Namely what the device isn’t capable of doing:

There’s a question as to how effective this will be as a first line of defense, though. The makers say that their system is accurate “90% of the time” in instances where a gun is clearly visible. That sounds good, but that leaves a lot of room for misses. What happens if nogoodniks are smart enough to conceal their weapons? Also, night vision support isn’t in these existing models — for now, you can forget about spotting thieves in the middle of the night. The technology could easily be useful as an extra layer of gun safety or security, but it won’t replace a good home security system or vigilant parenting.

There’s only 90% chance that the device will successfully detect and gun and then only if the gun is being carried openly and there’s enough light. In other words this device is pretty much worthless at determining whether the person who broke into your home at oh dark thirty is armed or not. But the problems with this product don’t stop there. If you want access to this remarkably limited device you’ll have to spend some major dough. Since it’s 2015 this product has a Kickstarter page. On it you’ll notice two models being offered:

GunDetect comes in two versions, both of which are based on the latest computer-vision algorithms and optical sensing hardware. The difference is the location for the massive amount of number-crunching required to reliably detect a gun in an image.

GunDetect Premium is our main product and does all its vision processing locally using a powerful computing system that does not need to send any video data to the Internet – giving you the peace of mind knowing your private video never leaves the premises.

GunDetect Cloud has less local processing and uses our Internet servers to help crunch encrypted video data – potentially taking longer to detect a gun than GunDetect Premium.

Getting a GunDetect Premium requires throwing $549.00 at the Kickstarter. GunDetect Cloud starts at $349.00 but that only includes a one-year subscription to the service. What a bunch of stingy bastards! The Premium line seems like the only sane way to go since it doesn’t require working Internet service to function, doesn’t upload a constant video feed of your home to a third-party server, and doesn’t involve a yearly $100.00 (I shit you not, the reward tier for an additional year is $100.00) subscription. But for that price you could invest in an actual gun that would at least give you a means of defending yourself against an armed invader.

I don’t think technology able to detect whether is somebody armed is necessarily a bad thing. It could serve as an additional layer of defense for a home or office. However such a device can only be considered effective if it can detect both open and concealed weapons as well as function independently of an external server and not be dependent on environmental factors such as light availability. A weapon detection system that can’t detect conceal weapons is pretty worthless. If somebody is carrying a weapon I can see that already, I don’t need an expensive camera to confirm what my eyes are showing me. Any system that depends on an external server is rendered worthless if the Internet goes out, which can happy for any number of reasons including a burglar cutting your Internet line or the power going out. And what good is a weapon detection system that is unable to detect whether the person who kicked in my door in the middle of the night is armed? That’s the situation where I would most want to know whether somebody is armed or not.

Nothing about this product impresses me. It has technical weaknesses that make it ineffective at detecting weapons, the subscription service for the Cloud model is expensive, the price of the standalone Premium model is very expensive, and the Cloud model creates some serious privacy concerns. Judging by the number of backers so far I’m not the only one who sees this product as a nonstarter. If this is meant to be a legitimate product it would behoove the developers to return to the drawing board and sort these problems out before begging the Internet for money. If this is meant to be a clever troll I must tip my hat to them.

Federal Government Demonstrates How Not To Do HTTPS

I admit that setting up Hypertext Transfer Protocol Secure (HTTPS) isn’t as easy as it should be. But there’s no reason why something a massive as the federal government, especially when you consider the fact that it can steal as much money as it wants, can’t properly setup HTTPS. But it can’t.

I use HTTPS Everywhere to force as many sites as humanly possible over HTTPS instead of HTTP. Usually this works very well but sometimes a site isn’t properly setup and my user experience goes south. The Senate website is one of the sites that provides a suboptimal user experience. Take a look at these two exceptions I received when trying to access information on the Senate’s website:

The thing to note is that the web server is setup to give each senator their own subdomain. This requires the certificate to contain each individual subdomain. As you can see by the errors I received the certificate doesn’t contain the subdomain for the Committee of the Judiciary or Rand Paul. There are two things to take away from this.

First, the Senate’s web server is setup in a very fragile way. Instead of creating a separate subdomain for each senator it would have been much smarter to create a separate subdirectory for each senator. The only difference that would make for the user is they would have to type https://www.senate.gov/paul instead of https://www.paul.senate.gov. Since no subdomains would be needed the certificate wouldn’t have to contain the name of every senator and Senate committee.

Second, whoever is in charge of maintaining the certificate for the Senate’s web server is incompetent. Since each senator has a separate subdomain the certificate should be renewed after every election with the subdomains of the new senators added and the subdomains of the old senators removed. Likewise, the certificate should be renewed every time a new Senate committee is created or an old one is retired. That would allow users to securely connect to each Senator’s website.

In all likelihood this setup is the result of the server originally being created without any consideration given to security. When security became a concern the system was probably patched in the all too common “good enough for government work” manner instead of being redesigned properly to reflect the new requirements. And since there is almost no accountability for government employees nobody tasked with maintaining the server probably saw fit to periodically verify that the certificate is valid for every available subdomain.

I would argue that this is yet another example of the government’s poor security practice that should have everybody worried about the data it collects.

The “Black” Market Has Your Back

When people hear the term “black” market their thoughts usually jump to human trafficking, violent drug gangs, and other violent endeavors. In reality those aren’t even examples of markets because markets are based on the voluntary exchange of goods and services between individuals. The real “black” market is nothing more than the exchange of goods and services the state has declared illegal. Oftentimes this involves drugs like cannabis and cocaine but other times it involves goods or services that are extremely expensive in “legitimate” markets due to regulations. Healthcare is one of those markets where regulations have made almost everything prohibitively expensive. Fortunately there’s the “black” market ready to provide healthcare goods for far less:

Several months ago, Jackie found that her maintenance inhaler was running low. We had just obtained health insurance through Kentucky’s health care exchange and, while it wasn’t the most expensive plan, it certainly wasn’t cheap. Our monthly bill was high, but we thought the coverage was worth it.

I should mention that Jackie specifically picked a plan with low prescription co-pays.

Imagine our surprise when the total for her inhaler, with insurance applied, turned out to be around $300.

Money was very tight at that time; we just couldn’t afford the inhaler without falling behind on other necessities like utilities and groceries.

It was Jackie’s idea to check on the dark net.

[…]

It hadn’t occurred to me to look for an inhaler on the dark net until Jackie suggested it. She doesn’t really know much about the markets beyond things I’ve told her, but she asked me one night if you could buy inhalers on them. I got online, opened the Tor browser that is the gateway to the darknet, and pretty soon I found exactly the same maintenance inhaler—same brand, completely identical—that we needed to replace. The price was $30 with shipping.

The exact same inhaler for one tenth the price was made possible by the “black” market. And thanks to the greatly reduced price Jackie didn’t have to suffer from foregoing other necessities due to lack of finances. This isn’t an isolated case either. Similar illegal trade exists for other medical necessities such as diabetes test strips.

“Black” markets are necessary in any society that suffers from a government that places regulations on free trade. Regulations always raise the costs of goods and services because they push out small providers place a barrier to entry for new providers. Fortunately there are many people out there willing to ignore the law and provide goods and services to those who want them. Instead of seeing them as dirty criminals we should acknowledge that they’re no different than individuals who provide goods and services in the “legitimate” market. If it wasn’t for them many people would have to make do without basic necessities.