Why Political Fights Never Cease

If you are involved in a political issue, or even just pay attention to one, you know that the battle never ends. Take self-defense, for example. Recently the right of self-defense has been making gains in the federal legislature and in many state legislatures. But the fight isn’t even close to ending because opponents of self-defense keep finding new political tools to make people defenseless. Seattle is looking to restrict the right to self-defense not by passing a prohibition but by creating a new tax:

City Council President Tim Burgess has proposed a tax on every firearm and round of ammo sold in the city, which would be used to fund gun violence prevention programs.

The tax, which would amount to $25 on each modern firearm and 5 cents on each round of ammunition, is expected to skim as much as $500,000 per year from the wallets of gun owners, the Seattle Times reports. This figure would be in addition to the various state and local retail taxes that approach 9.6 percent in the city already.

If prohibitions aren’t working, just raise the costs until they’re prohibitively expensive for all but the wealthiest! Herein lies the issue with political issues of all sorts. No matter what gains are made, your opponents will find a new avenue of attack. Now that legislation isn’t working in the anti-self-defense crowd’s favor they’re looking at adding taxes to ensure poor people are unable to defend themselves. They are also looking at regulations that require jumping through hoops to discourage people from obtaining a means of defending themselves.

Politics is a disgusting business because governments wield monopoly power and can therefore do whatever they want. That being the case, there is an infinite number of ways to use the government to screw people over. If one arm of the government isn’t beating your opponents for you, you just need to pay off another arm. That’s why no fight over a political issue will be finished until the state has been abolished in its entirety.

Hacking Team Demonstrates It Doesn’t Know What Words Mean

Hacking Team has finally released a response to the attack it suffered. Much like the company’s internal network security, the response it posted should have people concerned. In addition to not following basic security practices, such as not storing login credentials in plaintext files, the company also doesn’t have a strong grasp of the English language:

Before the attack, HackingTeam could control who had access to the technology which was sold exclusively to governments and government agencies.

If Hacking Team could control who had access to the technology before the attack, the attack wouldn’t have been successful. The fact that the attack was successful proves that Hacking Team didn’t have control over its technology. Apparently whoever is doing public relations for the company doesn’t know what the word control means.

The next two sentences, especially combined with the sentence above, are laughable to me:

Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so.

Instead of governments and government agencies having exclusive use of Hacking Team’s technology, now terrorists, extortionists, and others have access to it? What exactly is the difference between a government and an extortionist? None. Governments by their very nature are extortionists. They do tend to use nice-sounding euphemisms like taxes, license fees, and citations, but in reality governments are in the business of forcefully taking wealth from the populace.

Looking a bit deeper, we must ask how some of the governments and agencies Hacking Team sold to, such as Sudan, Ethiopia, and the Drug Enforcement Administration, differ in any notable way from other terrorist organizations. Other than the fact that Hacking Team has accepted money from them, there is no notable difference. Simply calling something by a different name doesn’t change what it is. Admittedly this is a problem many people have with the English language.

Outside of its failure to use the English language, the Hacking Team response contains this gem:

HackingTeam is evaluating if it is possible to mitigate the danger.

How could a company that discovers previously unknown vulnerabilities help mitigate the danger to people? For actual security companies the answer is to work with the affected developers to fix the vulnerabilities before they can be exploited in the wild. Hacking Team, on the other hand, sat on those vulnerabilities so it could sell tools whose sole purpose was exploiting them. Its entire business model relied on people being in danger. Had it actually cared about mitigating danger it wouldn’t have sold the tools it did, especially not to the customers it did.

This Hacking Team breach just gets better by the day. Between the company’s scummy practices, its source code getting open sourced, and its complete failure at handling public relations, this breach is the gift that keeps on giving.

If A Law Is Passed And Nobody Can Enforce It Is It Still A Law

Online harassment, often called cyber-bullying by legal marketing teams, has become a very hot topic in the last couple of years. More people are seeing first hand how ruthless the denizens of the Internet can be and are demanding that something be done. Governments around the world are acknowledging this issue and addressing it in the only way they know how: issuing decrees. New Zealand has led the charge by passing a law making online harassment illegal:

The Harmful Digital Communications Bill passed its third and final reading last night.

[…]

The bill’s key elements:

Harmful Digital Communications Bill: key provisions

  • A fine of up to $50,000 for an individual or up to $200,000 for a body corporate, or up to two years’ jail for posting or sending a “harmful digital communication” – aka cyber-bullying with a post likely to cause distress. The bill covers racist, sexist and religiously intolerant comments, plus those about disabilities or sexual orientation;
  • Up to three years’ jail for the new crime of incitement to suicide;
  • An “approved agency” will advocate on behalf of complainants. The aim is that the agency will be able to make direct contact with web publishers and social media sites like Facebook and Twitter, where a member of the public often has trouble getting heard (the Law Commission has recommended NetSafe be the approved agency; the non-profit NetSafe’s backers include InternetNZ, the NZPolice, the Ministry of Education and private companies);
  • If the approved agency makes no headway, a complaint is escalated to a District Court judge; and
  • Web publishers can opt in to a safe-harbour provision, protecting them from liability (and arguably also crimping free speech) if they agree to take down allegedly offending material on demand or at least within a grace period of 48 hours.

When used outside of legal circles, the word law implies something that, as far as we know, cannot be violated. The laws of physics, for example, state that the speed of light cannot be exceeded. That leads me to ask an important question: if nobody can enforce a law, is it still a law?

If you read through this bill you’ll quickly realize that it puts the legal burden on the content host. In order to avoid being held liable for user content the host must agree to remove reported content within 48 hours of notifying the author, unless the author submits a counter-notice within that same window. Anybody who has worked in a sizable company knows that the default position of the legal department is always the safe side. That being the case, this bill will likely convince companies to pull down any reported content with little or no investigation. So this bill, on the surface, appears to solve the problem by ensuring companies are motivated to remove harassing content (and, as a more concerning aside, could end up being a useful tool for general censorship if companies remove content without actually investigating it).

But deleting content doesn’t actually solve the problem of online harassment. Content is easy to create and post. If something harassing is deleted it can simply be posted again. Even if the account of the person posting offending content is shut down, it’s a simple matter on most sites to create a new account. And if a specific person is being targeted by numerous individuals, as with the people targeted by GamerGate, it quickly becomes infeasible to shut down accounts faster than they’re created. A handful of administrators charged with reviewing complaints and closing offending accounts is no match for hundreds or thousands of individuals dedicated to posting harassing content. Therefore I would argue this bill isn’t a law because online harassers can easily bypass it.

I’m not a fan of complaining about a proposed solution without offering one of my own. To that end I want to set aside the question of whether or not this is a law and focus on what is actually needed to counter online harassers. Dealing with online harassment means focusing on the harassers, not the content hosts. But siccing law enforcers on individuals who have effective tools to anonymize themselves (as with any technology, tools that anonymize people can be used for good and for bad) is also infeasible. How, for example, can law enforcement agents pursue an Internet Protocol (IP) address, which is often the only identifying information a content host has, when that address belongs to a Tor exit relay or a virtual private network (VPN) provider in a foreign country? Even if the IP address can be traced back to an entity law enforcers can go after, how can they verify that the owner even knew their network was being used for online harassment? A depressingly large number of people have no idea how to secure their wireless access points, and many businesses that offer wireless access to customers do so with open networks because the logistics involved in running a secured network are too complex for them.

So the question becomes: what can be done to counter online harassment? Back when malicious hackers acquired login credentials for several celebrities’ iCloud accounts I said a counter-hacker initiative was needed, and I believe such a tactic could be applicable here as well. Groups dedicated to countering online harassers could raise the cost of harassing people online, which is nearly zero at the moment. The key, in my opinion, is having people dedicated to the task (in other words, like any private security group, paid for their services so they can focus on providing them) who aren’t restricted by state decrees and who have the motivation law enforcers lack.

Is this the only solution? Hardly. It’s just one that I can think of. Would this solution work? I believe so, but I can’t say for certain. What I do know is that finding a solution to online harassment, as with finding a solution to any problem, requires markets. The creativity of the world has to be tapped to find a way to effectively address this problem, because the creativity of the world is currently being tapped to create it. Relying on a handful of individuals to write unenforceable words on pieces of paper isn’t going to accomplish anything.

Company That Provides Spyware To Oppressive Regimes Gets Hacked; LULZ Follow

Yesterday might as well have been Christmas for the information security industry. Hacking Team, a company known for selling surveillance malware to oppressive regimes, was hacked and 400GB of its data was released onto the Internet. A hacker going by the name PhineasFisher, who made a reputation for themselves by hacking the spyware provider Gamma International, has supposedly claimed responsibility. If that’s true then we all owe them a beer.

Remember what I said about Hacking Team having a reputation for selling software to oppressive regimes? Documents in the leaked data reveal some of the company’s customers. From that information it appears that the company will deal with anybody willing to throw cash at it:

One document pulled from the breached files, for instance, appears to be a list of Hacking Team customers along with the length of their contracts. These customers include Azerbaijan, Bahrain, Egypt, Ethiopia, Kazakhstan, Morocco, Nigeria, Oman, Saudi Arabia, Sudan, and several United States agencies including the DEA, FBI and Department of Defense. Other documents show that Hacking Team issued an invoice to Ethiopia’s Information Network Security Agency (the spy agency of a country known to surveil and censor its journalists and political dissidents) for licensing its Remote Control System, a spyware tool. For Sudan, a country that’s the subject of a UN embargo, the documents show a $480,000 invoice to its National Intelligence and Security Services for the same software.

Nigeria, Saudi Arabia, Sudan, and the Drug Enforcement Administration (DEA)? Talk about some nasty buyers. If I owned a company that had entities like these as customers I would shut my doors and label myself the biggest failure in business. But Hacking Team apparently has no moral issues with selling to such scum and is even willing to bypass a United Nations embargo for $480,000! The bottom line is that if you have the cash, Hacking Team will sell to you.

Another interesting revelation to come out of this breach is just how terrible Hacking Team’s own internal security was. When you think of shady surveillance software providers you probably imagine some of the tightest network security in the business, right? As it turns out, not so much:

The data released Sunday night and through to today not only contains a large number of emails, none of which have proven too embarrassing so far, but also a number of the firms’ internal passwords, which appear to be worryingly insecure for a company that deals in exposing others’ security. These include credentials belonging to Christian Pozzi, security engineer at Hacking Team, stored in a file called login.txt. His chosen logins include easily-crackable variations on the word “password” and the name of an X-Men character all in lower-case and with no numbers or symbols.

A file directly linked to Pozzi also included images believed to show RCS grabbing screenshots.

Apparently a security engineer at a malware provider isn’t aware of password managers. Had he been, he wouldn’t have needed to use weak passwords stored in plaintext files. This just goes to show that being smart enough to write exploits doesn’t mean you’re skilled enough to defend against even the most basic of attacks.
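To make the point concrete, here is an added example (my own code, not anything from the Hacking Team leak) showing why passwords of the kind described above, lowercase dictionary words with at most a trivial suffix or leetspeak substitution, fall the moment a hash store leaks. The wordlist, the mangling rules, and the sample passwords are all constructed for this illustration, and the unsalted SHA-1 store is an assumption standing in for whatever format a leaked credential file might actually use:

```python
import hashlib
import string

# Constructed sample wordlist: a handful of bases a cracker's rule engine starts from.
# Real runs use lists of millions, plus themed lists aimed at the target's known interests.
BASE_WORDS = ["password", "welcome", "letmein", "admin", "hacking", "secret"]

# Constructed mangling rules in the spirit of cracker rule files (not any real tool's syntax).
SUFFIXES = ["", "1", "12", "123", "!", "2015"]
LEET = str.maketrans({"a": "4", "e": "3", "o": "0", "s": "$", "i": "1"})
UNLEET = str.maketrans({"4": "a", "3": "e", "0": "o", "$": "s", "1": "i"})


def candidates(words=BASE_WORDS):
    """Yield guesses in the order a cracker tries them: the cheapest mangles first."""
    seen = set()
    for word in words:
        forms = [word, word.capitalize(), word.upper(), word.translate(LEET), word[::-1]]
        for form in forms:
            for suffix in SUFFIXES:
                guess = form + suffix
                if guess not in seen:
                    seen.add(guess)
                    yield guess


def sha1_hex(text):
    """Assumption: the leaked store holds unsalted SHA-1 hashes, as many breached databases have."""
    return hashlib.sha1(text.encode()).hexdigest()


def crack(target_hex, words=BASE_WORDS):
    """Return (password, attempts) when a candidate matches, or (None, attempts) if none does."""
    attempts = 0
    for guess in candidates(words):
        attempts += 1
        if sha1_hex(guess) == target_hex:
            return guess, attempts
    return None, attempts


def is_weak(password, words=BASE_WORDS):
    """Flag the two patterns the leak exposed: short single-class lowercase strings,
    and dictionary words dressed up with digits, punctuation, leetspeak or reversal."""
    if len(password) < 12 and set(password) <= set(string.ascii_lowercase):
        return True
    core = password.lower().strip(string.digits + string.punctuation)
    if core in words or core.translate(UNLEET) in words or core[::-1] in words:
        return True
    return password in set(candidates(words))


if __name__ == "__main__":
    for sample in ["password1", "p4$$w0rd", "Xq7$vL2#mRt9!Wz"]:  # constructed samples
        found, tries = crack(sha1_hex(sample))
        print(f"{sample!r}: weak={is_weak(sample)} cracked={found is not None} after {tries} guesses")
```

The first two samples fall within a few dozen guesses; the third, which a password manager would have generated, is never produced by the rule engine at all and is what the `is_weak` check is meant to let through.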

Now that I’ve had a little fun at Hacking Team’s expense, let’s get down to the nitty gritty. What does this hack mean? Since the company’s exploitation software was just open sourced (not by its choice), a lot more good can come of this than simply revealing the immoral actions of a scummy company. The software security holes Hacking Team’s malware relied on can now be discovered and fixed. Malware producers, like government surveillance agencies, cause a lot of damage simply by keeping the exploits they discover secret. Instead of being helpful members of the security community by assisting vendors in fixing their security flaws, they write software that exploits those flaws and sell it to anybody willing to pay. Ironically, breaking into these companies’ networks and releasing their source code to the world makes everybody safer.

I’ll post more interesting information as it is revealed. But if you want real-time updates on what is being discovered I urge you to follow #HackingTeam on Twitter. There you’ll find such entertaining tidbits as the supposed Transport Layer Security (TLS) private key for support.hackingteam.com and the Hacking Team owner’s really shitty passwords.

You Have To Pay To Play

Every year people from around the world gather in the Nevada desert to show off art, demonstrate their self-sufficiency, and just generally have a good time. This event is called Burning Man and it has been going on since 1986. Because the land is owned by the federal government, the organizers of Burning Man have to beg the Bureau of Land Management (BLM) for permission to host the event in the middle of nowhere. Anytime you have to beg the government for permission there’s a payoff involved. Usually this payoff is wrapped in bureaucratic paperwork and terminology such as permit and license. Seldom is the government blatant about what it wants and why it wants it. But this year the BLM decided to toss off the thin veil of officialdom and just demand luxury air-conditioned trailers and unlimited ice cream for some of its agents:

Lavish requests by federal authorities for flush toilets and 24-hour access to soft-serve ice cream at Burning Man are putting Sen. Harry Reid (D-NV) and Nevada Republicans on the same side as hippies.

The Bureau of Land Management is denying a permit to hold the music and cultural festival on public land unless organizers pay more than $1 million to house “VIP” agents in an air-conditioned compound with couches and hot water, reported the Reno Gazette-Journal.

Why do federal agents need 24-hour access to soft-serve ice cream, flush toilets, and air-conditioned trailers to keep an eye on a bunch of hippies who have managed to host a yearly event since 1986 without nuking a portion of the Nevada desert? Because it’s not about ensuring safety, enforcing environmental protections, or preventing the violation of federal decrees. The BLM’s involvement, like all government involvement, is about transferring wealth from the people to the state and stroking the egos of state agents. State agents often receive lower pay than people who hold similar jobs in the private sector. In exchange for lesser pay they demand certain benefits, such as pensions and obedience from serfs. All of these demands by the BLM are about forcing serfs to kowtow to the king and his knights. But it does give us a rare glimpse of the state outright demonstrating its true intentions instead of trying to make them more palatable by wrapping them in bureaucratic nonsense.

Unaffordable Health Insurance Soon To Be More Unaffordable

I assume any bill passed by Congress will do the opposite of what its title says, and I’m usually correct. The Affordable Care Act (ACA) may be the best example of this. Going by the title you would assume the bill is meant to lower the cost of healthcare in this country. What it actually does is put a gun to everybody’s head (which really is the only thing the government knows how to do) to force them to buy health insurance. What happens when a business knows you must do business with it? This:

WASHINGTON — Health insurance companies around the country are seeking rate increases of 20 percent to 40 percent or more, saying their new customers under the Affordable Care Act turned out to be sicker than expected. Federal officials say they are determined to see that the requests are scaled back.

Blue Cross and Blue Shield plans — market leaders in many states — are seeking rate increases that average 23 percent in Illinois, 25 percent in North Carolina, 31 percent in Oklahoma, 36 percent in Tennessee and 54 percent in Minnesota, according to documents posted online by the federal government and state insurance commissioners and interviews with insurance executives.

And there’s not a damn thing we can do about it. Of course government officials are going to ensure the requests are scaled back, because the health insurance companies paid them a great deal to pass the ACA so they could jack up rates. If government officials actually cared about the costs borne by the people they would have made it illegal to raise insurance rates (or not have passed the ACA in the first place).

If you live in the Twin Cities you know what game is being played here. It’s the same game Xcel Energy plays every few years. Xcel will request to raise its rates by a large amount, knowing that the government officials who oversee its state-granted power monopoly will scale back the request. So long as Xcel demands double what it really wants, it gets what it wants in the end.

Now that we’re all forced to buy health insurance, the insurance providers are going to request to jack up their rates every few years. Government officials, claiming to be magnanimous, will bitch that the rate hike is outrageous and demand that the rate be raised by less. Eventually a number the insurance providers and government officials are happy with will be agreed upon and we’ll all be forced to pay more.

Shit like this is why I thought everybody who advocated for the ACA was a bloody idiot. It’s also why I think anybody who wants to “repeal and replace” or “modify” the ACA instead of completely abolishing it is a bloody idiot.

Monday Metal: Chosen by Tengri by Mongol

Do you know what I love? Metal. Do you know what else I love? The history of the Mongolian Empire. Needless to say, when I came across the band Mongol, which predominantly sings about Mongolian history, I was a fan. According to Encyclopedia Metallum the band actually hails from Canada, which is kind of funny to me because Mongolian history is a theme seldom touched by western bands. Truth be told, Mongol is a bit growlier than I usually enjoy, but I really like how this song mixes in some clean vocals:

CryptoPartyMN Website is Up Again

You probably noticed that posting has been sparse this week. That’s because I’ve been focusing my efforts on setting up the new website for CryptoPartyMN. For those of you who haven’t heard of CryptoPartyMN, it’s a group of us in the Twin Cities region that organizes periodic meetups with the intention of teaching people how to use strong crypto to protect their online anonymity and secure their communications. We hosted a CryptoParty at The Hack Factory on May 9th and at B-Sides MSP, and we are planning more in the future.

Admittedly the website is pretty bland right now. Unfortunately the theme we were using was on the other server, which I don’t have access to. It’ll be improved in time. Likewise, now that the site is up and will stay up, we’ll make sure to post meetup notifications on it (we usually meet every other Tuesday). Add it to your RSS reader if you want to know when the next CryptoParty event is.

David Cameron Is On A Holy Crusade To End Encryption

When Edward Snowden showed the world that the United States and British governments were spying on the entire world, including their own citizens, a lot of people were pissed. Citizens of those countries were pissed because their governments had promised them for decades that they weren’t spying on them. Other countries, especially those allied with the United States and Britain, were pissed for the same reason. The United States and British governments were pissed because lots of people suddenly started encrypting the lines of communication that were being spied upon.

In addition to becoming pissed off, the people being spied on decided to make more thorough use of encryption. Seeing this, and noting how it could hurt their spying efforts, the two governments responsible for this entire mess have been working diligently on making criminals of those who have begun using strong encryption. David Cameron, the British Prime Minister, has been beating the criminalize-encryption drum especially hard:

David Cameron has signalled that he intends to ban strong encryption — putting the British government on a collision course with some of the biggest tech companies in the world.

As reported by Politics.co.uk, the British Prime Minister reaffirmed his commitment to tackling strong encryption products in Parliament on Monday in response to a question.

Crypto Wars II is moving into full swing. What I really enjoy about Mr. Cameron’s crusade is how blatantly it demonstrates the true goals of the British state. Like all states, the British state claims to protect the person, property, and rights of the people within its borders. However, banning strong encryption would violate every British citizen’s person, property, and rights.

Without access to strong encryption, users of the Internet are directly exposed to many threats. The first is that their personal information is up for grabs by anybody with the knowledge to bypass weak crypto systems. That means, for example, abused spouses could have their efforts to contact help discovered and thwarted.

Property is also at great risk if strong crypto isn’t available. If you think the leaking of credit card data is bad now, just imagine what it would be like if anybody snooping on communications between a client and a server could break the crypto and nab the card data. Business deals would also be at risk because anybody snooping on communications between two businesses could see what deals were being worked on and maneuver to hamper them.

Weak crypto systems also put people’s rights at risk. Due process could go entirely out the window if law enforcement officers are able to extend their “anything you say can and will be used against you” to snooping on every citizen at all hours of the day. On a personal level you also put the right to privacy at risk. Embarrassing communications, such as those between a doctor and their patient, could suddenly find themselves posted on public forums.
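What “weak crypto” means in practice is usually a key space small enough to search. Here is an added example (my own code, not anything from Mr. Cameron’s proposal or any real product) that encrypts a message of the kind the paragraphs above describe under a deliberately short 16-bit key, then recovers the key by trying every possibility against a predictable header. The toy stream cipher, the message, the key and the guessing rate are all constructed for the illustration; the point is the arithmetic of the key space, which is the same whatever cipher sits underneath:

```python
import hashlib
import struct

BLOCK = 32  # bytes of keystream per counter value (one SHA-256 digest)


def keystream_block(key: bytes, counter: int) -> bytes:
    """Keystream block = SHA-256(key || counter). A toy stream cipher for this demo only."""
    return hashlib.sha256(key + struct.pack(">Q", counter)).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Encrypts or decrypts: XOR with the keystream is its own inverse."""
    out = bytearray()
    for offset in range(0, len(data), BLOCK):
        block = keystream_block(key, offset // BLOCK)
        out.extend(a ^ b for a, b in zip(data[offset:offset + BLOCK], block))
    return bytes(out)


def brute_force(ciphertext: bytes, known_prefix: bytes, key_bits: int):
    """Exhaust every key of key_bits bits, keeping the one whose decryption shows the known prefix.
    Returns (key, guesses_made), or (None, keyspace_size) if nothing matched."""
    key_len = (key_bits + 7) // 8
    head = ciphertext[:len(known_prefix)]
    for k in range(1 << key_bits):
        key = k.to_bytes(key_len, "big")
        if xor_stream(key, head) == known_prefix:
            return key, k + 1
    return None, 1 << key_bits


def years_to_exhaust(key_bits: int, guesses_per_second: float) -> float:
    """Wall-clock years to try every key at the given rate, assuming no shortcut in the cipher."""
    return (2 ** key_bits) / guesses_per_second / (365.25 * 24 * 3600)


# Constructed sample: the kind of message the paragraphs above worry about.
MESSAGE = b"To: shelter@example.org\nI need somewhere safe to go tonight."
KNOWN_PREFIX = MESSAGE[:8]               # headers are predictable, so the attacker knows the start
WEAK_KEY = (0xBEEF).to_bytes(2, "big")   # 16-bit key: stands in for a mandated short key
CIPHERTEXT = xor_stream(WEAK_KEY, MESSAGE)


def recover():
    """Attack the weakened message; returns (key, guesses, recovered_plaintext)."""
    key, guesses = brute_force(CIPHERTEXT, KNOWN_PREFIX, 16)
    return key, guesses, xor_stream(key, CIPHERTEXT)


if __name__ == "__main__":
    key, guesses, plain = recover()
    print(f"16-bit key {key.hex()} found after {guesses} guesses: {plain!r}")
    print(f"exhausting a 128-bit key at 1e12 guesses/s: {years_to_exhaust(128, 1e12):.1e} years")
```

The 16-bit search finishes in well under a second on a laptop; the same loop over a 128-bit key would not finish in the lifetime of the universe at any rate hardware can plausibly reach, which is why the only way to make the second case “accessible” is to mandate the first.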

There is an upside to all of this. What Mr. Cameron proposes is a pipe dream. Prohibiting strong crypto is impossible because it is nothing more than math, and math, being in the realm of ideas, cannot be stopped from spreading. With the widespread use of the Internet we’ve seen how impossible censorship has become, and that isn’t going to change.