VPN Isn’t A Magic Bullet

I really like virtual private networks (VPN) and a lot of people utilize them for various reasons including protecting anonymity, thwarting region locks on services, and bypassing filters put in place by Internet service providers (ISP). However, it’s important to note that there are no magic bullets and VPNs are no exception.

We’re in the midst of a transition from IPv4 to IPv6. A lot of software still either doesn’t support or isn’t properly configured to handle IPv6 yet. In fact my ISP, Comcast, still doesn’t give business customers IPv6 addresses so I can’t set up my services to properly work with the newfangled Internet addressing scheme (and Comcast happens to be the only option in my area, good thing for Comcast the government exists to protect monopolies). That means my VPN server, like many others, may very well leak personal information through IPv6:

The study of fourteen popular VPN providers found that eleven of them leaked information about the user because of a vulnerability known as ‘IPv6 leakage’. The leaked information ranged from the websites a user is accessing to the actual content of user communications, for example comments being posted on forums. Interactions with websites running HTTPS encryption, which includes financial transactions, were not leaked.

The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet called IPv6. IPv6 replaces the previous IPv4, but many VPNs only protect user’s IPv4 traffic. The researchers tested their ideas by choosing fourteen of the most famous VPN providers and connecting various devices to a WiFi access point which was designed to mimic the attacks hackers might use.

This is why I recommend doing things that absolutely need to remain private through a dedicated anonymity tool such as the Tor Browser. VPNs aren’t great for preserving anonymity anyways since the server administrator knows the IP address of connected clients whereas Tor exit nodes only know the IP address of the relays directly connected to them. The Tor developers also focus on anonymity first, which means they’re far more likely to find and fix leaks that could reveal personally identifiable information. However, VPNs still work well for establishing connections to remote networks in a secure manner and will still do a good job of bypassing filters and region locks.

It’s also worth noting that as we continue to transition to IPv6 we’re going to keep running into issues like this. Change is never completely smooth, especially when some ISPs, such as Comcast, still don’t provide customers the tools needed to utilize IPv6.
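
The leak described above comes down to routing: the VPN client steers IPv4 into the tunnel while IPv6 keeps using the physical interface. The following Python check is an added example, not code from this post or the cited study; it does a longest-prefix match over Linux `ip route show` output to see where IPv4 and IPv6 traffic would leave the machine. The tunnel interface prefixes, probe addresses and routing tables are constructed assumptions.

```python
import ipaddress

TUNNEL_PREFIXES = ("tun", "tap", "wg", "ppp")  # assumed VPN interface name prefixes
BLOCK_TYPES = {"unreachable", "blackhole", "prohibit"}  # route types that drop traffic
PROBE_V4, PROBE_V6 = "192.0.2.1", "2001:db8:ffff::1"  # documentation-range probes

def egress(route_text, probe):
    """Longest-prefix match of probe over `ip route show` text.
    Returns an interface name, "blocked", or None when no route matches."""
    addr = ipaddress.ip_address(probe)
    best = None
    for line in route_text.splitlines():
        f = line.split()
        blocked = bool(f) and f[0] in BLOCK_TYPES
        f = f[1:] if blocked else f
        if not f:
            continue
        dest = ("0.0.0.0/0" if addr.version == 4 else "::/0") if f[0] == "default" else f[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # not a route line this parser understands
        if net.version != addr.version or addr not in net or not (blocked or "dev" in f):
            continue
        metric = int(f[f.index("metric") + 1]) if "metric" in f else 0
        target = "blocked" if blocked else f[f.index("dev") + 1]
        key = (net.prefixlen, -metric)  # most specific route, then lowest metric
        if best is None or key > best[0]:
            best = (key, target)
    return best[1] if best else None

def ipv6_leak_verdict(v4_routes, v6_routes):
    v4, v6 = egress(v4_routes, PROBE_V4), egress(v6_routes, PROBE_V6)
    if not (v4 and v4.startswith(TUNNEL_PREFIXES)):
        return "vpn-down"  # IPv4 is not going through a tunnel either
    if v6 in (None, "blocked"):
        return "no-ipv6"  # IPv6 has no usable route, so nothing can leak
    return "tunnelled" if v6.startswith(TUNNEL_PREFIXES) else "leak"

# Constructed samples of `ip -4 route show` and `ip -6 route show` output.
V4_VPN_UP = """default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0"""
V6_NATIVE = """2001:db8:1::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 100 pref medium"""
V6_TUNNELLED = V6_NATIVE + "\n2000::/3 dev tun0 metric 1024 pref medium"
V6_BLOCKED = V6_NATIVE + "\nunreachable default dev lo metric 1 pref medium"
```

On a real host, pass the text of `ip -4 route show` and `ip -6 route show` captured while the VPN is connected; a "leak" verdict means IPv6 traffic bypasses the tunnel and should be routed through it or blocked.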

Please Remember To Be Afraid This July 4th

The federal government has a very important message for you. This July 4th, instead of enjoying yourselves and having a good time, you should be paralyzed with pants shitting fear! You see, the Islamic State (ISIS) is going to strike the homeland and you’re all going to die!

WASHINGTON – As our nation’s capital gets ready for its massive Fourth of July celebration, there are new warnings about a possible terror attack centered on Independence Day. The warning comes as thousands of people are expected to be on the National Mall this weekend.

The FBI, Homeland Security and the National Counterterrorism Center are all warning local law enforcement about a heightened concern involving possible terror attacks targeting the July 4th holiday. U.S. Park Police officials say they received the bulletin.

“We always take great care, we are constantly monitoring the updated security situation and we have a very robust security plan,” said Lt. Alan Griffith of the U.S. Park Police.

National security analysts say the warning is different and serious this year because of ISIS. They point to U.S.-based extremists who just this year launched attacks in Boston and Dallas and an arrest of a Virginia teenager for helping a friend join ISIS.

If you have any question what this is actually about this video clip explains it perfectly:

Did ISIS actually issue a threat or is this just another one of those “speculations based on unconfirmed reports from credible unspecified sources?” Who knows. It would be to ISIS’s benefit to issue such threats from time to time because they force the United States government to invest a lot of resources into investigating and preparing without actually costing ISIS anything. When you’re the smaller force in a conflict you need to expend as few resources as possible to get your opponent to invest as many resources as possible. If you succeed you wear them down and can ultimately achieve victory. On the other hand the government loves its “credible threats issued by unspecified sources.”

Either way the likelihood of an actual terrorist attack this weekend is basically zero. Don’t let yourself get caught up in the state’s fear mongering. Go out and enjoy yourselves, have a good time, and blow some shit up.

NSA Officially Allowed to Continue Spying Operation

Many people were too euphoric about the expiration of Section 215 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (the whole name of the act doesn’t get printed out enough, which is a shame because somebody spent a tremendous amount of time trying to think of a backronym for USA PATRIOT) Act to take a moment to consider what it really meant. I noted that the expiration didn’t actually change anything but governments love their redundancy so the Foreign Intelligence Surveillance Court ruled that the National Security Agency (NSA) could resume (implying it didn’t simply continue its surveillance program after the expiration) wholesale spying on American citizens:

WASHINGTON — The Foreign Intelligence Surveillance Court ruled late Monday that the National Security Agency may temporarily resume its once-secret program that systematically collects records of Americans’ domestic phone calls in bulk.


In a 26-page opinion made public on Tuesday, Judge Michael W. Mosman of the surveillance court rejected the challenge by FreedomWorks, which was represented by a former Virginia attorney general, Ken Cuccinelli, a Republican. And Judge Mosman said the Second Circuit was wrong, too.

“Second Circuit rulings are not binding” on the surveillance court, he wrote, “and this court respectfully disagrees with that court’s analysis, especially in view of the intervening enactment of the USA Freedom Act.”

When the Second Circuit issued its ruling that the program was illegal, it did not issue any injunction ordering the program halted, saying it would be prudent to see what Congress did as Section 215 neared its June 1 expiration. Jameel Jaffer, an A.C.L.U. lawyer, said on Tuesday that the group would now ask for one.

Once again I find it necessary to reiterate that politics isn’t going to solve this problem. The government enjoys the ability to spy on the populace too much to give it up. No amount of begging, voting, or completely pointless filibustering by presidential hopefuls who don’t have a chance in Hell of winning the nomination is going to make the NSA’s surveillance apparatus go away.

If you actually oppose this kind of spying then it is up to you to do something about it. Standing by and hoping you can vote somebody into office to deal with the problem for you isn’t going to cut it. You need to learn, encrypt, and decentralize.

The NSA’s program relies on the pervasive use of plaintext communications and centralization. Collecting plaintext, which is a term for any unencrypted data including e-mails and phone calls, costs very little outside of the taps on the lines and storage. Encrypted text is an entirely different beast. When the NSA scoops up encrypted communications it doesn’t know what it has obtained unless it is able to break the encryption. The documents leaked by Snowden showed us that the NSA had problems with numerous encryption tools including Pretty Good Privacy (PGP) and Off-the-Record (OTR) messaging. Even when the NSA is able to break the encryption it’s not a costless endeavor when compared to plaintext.

Another key thing the NSA relies on is centralization. It’s much easier to surveil people when they’re all using a handful of services. With the popularity of Gmail, the fact that there are only four major cell phone carriers in the country, and how many people use Facebook, a lot of data is being stored in a handful of locations, which means the NSA only needs to focus its efforts on a few key spots to spy on a vast majority of Americans. If more people ran their own e-mail, XMPP, etc. servers it would increase the NSA’s costs as it would have to spread out its efforts. Utilizing decentralized networks, such as Wi-Fi mesh networks, instead of centralized Internet Service Providers (ISP) would even further complicate the NSA’s efforts.

Fighting the NSA’s surveillance apparatus requires increasing the agency’s costs. That can only be done by the ubiquitous use of encryption and decentralizing infrastructure. Don’t be a lazy libertarian, start learning how to utilize cryptographic tools today. As always I’m here to help.