Public-Private Partnerships

When I first tell people I’m a libertarian their reaction is often to accuse me of being a corporate shill. Many people believe there is some separation between corporations and governments. Depending on what side of the political spectrum they fall on, corporations are entirely good and governments are entirely evil or vice versa. In reality corporations and governments depend on one another, which is why governments created the idea of limited legal liability, what we call incorporation, in the first place.

Today corporations and governments work hand in hand. I like to refer to this relationship as a private-public partnership. They’re extremely common and almost always bad for you and me. Case in point, the private-public partnership that has greatly expanded the surveillance state:

The National Security Agency’s ability to spy on vast quantities of Internet traffic passing through the United States has relied on its extraordinary, decades-long partnership with a single company: the telecom giant AT&T.

While it has been long known that U.S. telecommunications companies worked closely with the spy agency, newly disclosed NSA documents show that the relationship with AT&T has been considered unique and especially productive. One document described it as “highly collaborative,” while another lauded the company’s “extreme willingness to help.”

AT&T’s cooperation has involved a broad range of classified activities, according to the documents, which date from 2003 to 2013. AT&T has given the NSA access, through several methods covered under different legal rules, to trillions of e-mails as they have flowed across its domestic networks. It provided technical assistance in carrying out a secret court order permitting the wiretapping of all Internet communications at the United Nations headquarters.

Establishing a massive surveillance state from scratch is expensive so the National Security Agency (NSA) tries to partner with companies that already have access to data. Back in 2006 we learned that AT&T was operating an interception facility for the NSA so it shouldn’t surprise anybody to see that partnership has expanded. The NSA doesn’t want to foot the expense of intercepting traffic and AT&T is more than happy to sell data that crosses its lines to the NSA.

A big issue here is that the government, with its monopoly on justice, can create separate rules for itself and private entities. This is a legal reality few people spend enough time considering. While the state may pass a law that prevents it from collecting data on domestic individuals to make the commoners feel good it won’t write a rule preventing private entities from doing the same. Through these separate rule systems the state can still access data through private corporations and be honest when claiming it isn’t collecting the data. And since the state pays well these corporations are more than happy to collect and sell the data.

You Have Something To Hide Even If You Don’t Do Anything Illegal

The federal government’s non-military networks are a mess, which is why attackers have been focusing their efforts on hacking them. One of the agencies bitten in the ass was the Internal Revenue Service (IRS). Personal information for 100,000 people was leaked through one of the IRS’s online services. I’m sorry, did I say 100,000? I meant 334,000:

WASHINGTON (AP) — A computer breach at the IRS in which thieves stole tax information from thousands of taxpayers is much bigger than the agency originally disclosed.

An additional 220,000 potential victims had information stolen from an IRS website as part of a sophisticated scheme to use stolen identities to claim fraudulent tax refunds, the IRS said Monday. The revelation more than doubles the total number of potential victims, to 334,000.

The breach also started earlier than investigators initially thought. The tax agency first disclosed the breach in May.

The thieves accessed a system called “Get Transcript,” where taxpayers can get tax returns and other filings from previous years. In order to access the information, the thieves cleared a security screen that required knowledge about the taxpayer, including Social Security number, date of birth, tax filing status and street address, the IRS said.

We again see why even if you have nothing to hide you have plenty to worry about. You may not have done anything wrong, although that’s highly improbable, but any data collected on you can easily wind up in the wrong hands. In this case Social Security numbers, birth dates, street addresses, and tax filing statuses for 334,000 people ended up in unknown hands. Had that data not been collected in the first place it wouldn’t have been available to steal.

Manufacturer Included Malware

When we buy a computer we are necessarily trusting the manufacturer to some extent. One of the things we trust the manufacturer to do is deliver a system free of malware. This trust isn’t always properly placed since many manufacturers include a lot of software that is indistinguishable from malware but we usually trust the manufacturer to not make that malware persistent. What happens when the manufacturer not only includes malware but also makes it so persistent that a clean installation of Windows won’t remove it?

Windows 8 and Windows 10 contain a surprising feature that many users will find unwelcome: PC OEMs can embed a Windows executable in their system firmware. Windows 8 and 10 will then extract this executable during boot time and run it automatically. In this way, the OEM can inject software onto a Windows machine even if the operating system was cleanly installed.

The good news is that most OEMs fortunately do not seem to take advantage of this feature. The bad news is that “most” is not “all.” Between October 2014 and April of this year, Lenovo used this feature to preinstall software onto certain Lenovo desktop and laptop systems, calling the feature the “Lenovo Service Engine.”

[…]

Making this rather worse is that LSE and/or OKO appear to be insecure. Security issues, including buffer overflows and insecure network connections, were reported to Lenovo and Microsoft by researcher Roel Schouwenberg in April. In response, Lenovo has stopped including LSE on new systems (the company says that systems built since June should be clean). It has provided firmware updates for affected laptops and issued instructions on how to disable the option on desktops and clean up the LSE files.

This is an example of a manufacturer using a legitimate feature for nefarious purposes. The feature, as far as Microsoft intended it, was meant to be an anti-theft measure:

And in its own awful way, it’s a feature that makes sense. The underlying mechanism is simple enough; the firmware constructs tables of system information when the machine boots. The operating system then examines these tables to, for example, learn what hardware is installed in the machine and how it is connected. This is all governed by a specification called ACPI, Advanced Configuration and Power Interface. Microsoft defined a new ACPI table, the Windows Platform Binary Table (WPBT), that contains information about a firmware-embedded executable. When it boots, Windows looks for a WPBT. If it finds one, it copies the executable onto the filesystem and runs it.

The primary purpose of WPBT is the automatic installation of anti-theft software. This kind of software typically does a couple of things that require online connectivity: it can phone home to check if it’s been reported stolen (and brick or otherwise disable itself if it has), and it can phone home to simply report where it is to aid recovery of lost or stolen hardware.

Instead Lenovo used it to ensure the pre-install software that comes with the laptop, which was insecure, would always be installed even if the user did a clean install with a Windows disc. That’s pretty scummy behavior. Fortunately Lenovo appears to have stopped doing this but trust, as far as I’m concerned, has already been breached.
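A defender's check for the mechanism described in this post, as an added example (not code from the post, Lenovo, or Microsoft): it parses a raw WPBT ACPI table and reports what the firmware is asking Windows to run. The field layout after the standard ACPI header follows Microsoft's published WPBT format; the Linux sysfs path, the UTF-16LE decoding of the argument string, and the sample table are assumptions or constructed data.

```python
import os
import struct

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # standard 36-byte ACPI table header
WPBT_BODY = struct.Struct("<IQBBH")            # size, address, layout, type, args length
SYSFS_WPBT = "/sys/firmware/acpi/tables/WPBT"  # where Linux exposes the raw table (root only)


def build_sample_wpbt(args: str) -> bytes:
    """Constructed sample table for the demo; not a dump from a real machine."""
    arg_bytes = args.encode("utf-16-le")
    body = WPBT_BODY.pack(0x20000, 0x7F000000, 1, 1, len(arg_bytes)) + arg_bytes
    length = ACPI_HEADER.size + len(body)
    table = bytearray(ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"EXAMPL",
                                       b"EXAMPLE ", 1, b"TEST", 1) + body)
    table[9] = (-sum(table)) & 0xFF  # checksum byte: all bytes must sum to 0 mod 256
    return bytes(table)


def parse_wpbt(table: bytes) -> dict:
    """Parse a raw WPBT and report what the firmware asks Windows to run."""
    fixed = ACPI_HEADER.size + WPBT_BODY.size
    if len(table) < fixed:
        raise ValueError("table shorter than the fixed WPBT fields")
    sig, length, _rev, _sum, oem_id, oem_table, *_ = ACPI_HEADER.unpack_from(table)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if not fixed <= length <= len(table):
        raise ValueError("header length field is inconsistent with the data")
    size, addr, layout, ctype, args_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    if fixed + args_len > length:
        raise ValueError("argument string runs past the end of the table")
    raw_args = table[fixed:fixed + args_len]
    return {
        "oem_id": oem_id.decode("ascii", "replace").strip(),
        "oem_table_id": oem_table.decode("ascii", "replace").strip(),
        "binary_size": size,          # bytes of the embedded executable
        "binary_phys_addr": addr,     # physical address the firmware placed it at
        "content_layout": layout,
        "content_type": ctype,
        # Assumption: the argument string is UTF-16LE, as Windows command lines are.
        "arguments": raw_args.decode("utf-16-le", "replace").rstrip("\x00"),
        "checksum_ok": sum(table[:length]) % 256 == 0,
    }


def check_host(path: str = SYSFS_WPBT):
    """Return parsed WPBT info for this machine, or None if no table is published."""
    if not os.path.exists(path):
        return None
    with open(path, "rb") as fh:
        return parse_wpbt(fh.read())


if __name__ == "__main__":
    info = check_host()
    if info is None:
        print("No WPBT published by firmware; parsing constructed sample instead.")
        info = parse_wpbt(build_sample_wpbt("--demo"))
    for key, value in info.items():
        print(f"{key:18} {value}")
```

Booting a Linux live image and running this as root shows whether a machine's firmware publishes a WPBT at all, which is the precondition for the reinstall-surviving behavior described above.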

Another Infected Ad Network, Another Reason To Use An Ad Blocker

As many website publishers whine about ad blockers destroying their revenue source we have yet another story demonstrating that ad blockers are actually security tools. Another ad network was exploited and the exploit led to malware being distributed to visitors of the Drudge Report (which, in addition to delivering malware, also delivers brain cancer to visitors) and Wunderground:

Millions of people visiting drudgereport.com, wunderground.com, and other popular websites were exposed to attacks that can surreptitiously hijack their computers, thanks to maliciously manipulated ads that exploit vulnerabilities in Adobe Flash and other browsing software, researchers said.

The malvertising campaign worked by inserting malicious code into ads distributed by AdSpirit.de, a network that delivers ads to Drudge, Wunderground, and other third-party websites, according to a post published Thursday by researchers from security firm Malwarebytes. The ads, in turn, exploited security vulnerabilities in widely used browsers and browser plugins that install malware on end-user computers. The criminals behind the campaign previously carried out a similar attack on Yahoo’s ad network, exposing millions more people to the same drive-by attacks.

There are really two lessons to learn from this story. First, run an ad blocker. Second, uninstall Adobe Flash. But some people are unwilling to do the latter so they, even more than the rest of us, need to run a good ad blocker.

Personally I recommend using a tool such as NoScript to block all JavaScript from domains that haven’t been expressly whitelisted. But that’s a pain in the ass for many people and ad blockers act as a nice middle ground that blocks most of the crap but doesn’t require a lot of fine tuning to utilize.

Cat And Mouse Game

Since they want to revolutionize the world you would think libertarians would be hard to beat down. But so many of them, at least in my experience, are willing to roll over if the alternative requires too much work. Computer security is one of those things that tend to require too much work for the average libertarian.

Libertarianism is about wrestling power away from the state. One way of doing this is exploiting economics. The more resources you can make the state misallocate the less it will have available for maintaining and expanding its power. That being the case cryptography should be every libertarian’s best friend. Cryptography, even when it’s not entirely effective, still forces the state to allocate more resources into its surveillance apparatus. Even data secured with weak cryptography requires more effort to snoop than plaintext data. When you start using effective cryptography the amount of resources you force the state to invest increases greatly.

Learning how to use cryptographic tools requires quite a bit of initial effort. Instead of investing their time into learning these tools a lot of libertarians invest their time in creating excuses to justify not learning these tools. One of the excuses I hear frequently is that current cryptographic tools will be broken in a few years anyways.

It’s certainly possible but that’s not an excuse. Cryptography is a cat and mouse game. As cryptographic tools improve the tools used to break them need to improve and as those tools improve cryptographic tools need to improve again. In keeping with the theme I established above the key to this cycle is that the tools to break cryptography need to improve as cryptography improves. In other words adopting better cryptography forces the state to allocate more of its resources into improving its tools to break cryptography. Using effective cryptography today forces the state to invest resources today. If you don’t use it the state doesn’t have to invest resources to break it and therefore has more resources to solidify its power further.

Libertarians have to accept the fact that they’re in a big cat and mouse game anyways. As libertarians work to seize power from the state the state develops new ways to maintain its power. Surveillance is one way it maintains its power and effective cryptography turns it into a cat and mouse game instead of a mouse and mousetrap game. So stop making excuses and start learning about these tools.

You Can Catch A Hacker

I dissuade people from harassing other people. Not only is it morally repugnant to me but it’s also a waste of time that could be spent doing something beneficial. But some people have a deep-seated need to be complete assholes. This has led to endless headaches for website administrators. Fortunately most of these assholes aren’t the sharpest tools in the shed and vastly overestimate their ability and underestimate their targets’ ability to retaliate. One of these assholes had instigated multiple swatting incidents and thought he couldn’t be caught because he was a “hacker.” Kids, what you’re going to read here is an example of how not to opsec:

In April 2015, after months of harassing Marshall Public Schools officials and pulling off swatting attacks in the area, Morgenstern called a public resources officer assigned to Marshall High School and left a voicemail saying that it was “not possible” for him to be caught. Why? Well, he was a “hacker,” and as everyone knows, “you can’t catch a hacker.”

He continued his eloquent rant: “You’re a fat fucking lesbian. I want to kill your family, I want to kill your family, I want to make you watch me kill your family. I am going to call a bomb threat into your house every day, just to piss you off. And then, I am going to jerk off to it. How does that make you feel? How does it make you feel to know that I am a hacker??”

So how did federal authorities ultimately bring down Morgenstern?

Well, among several of the handles and e-mail addresses that the 19-year-old used was anonymously.lulzsec@gmail.com and the Twitter handle @RIURichHomie. The FBI simply filed a subpoena to Google for the records associated with that account and another to Twitter. They both showed that they had been accessed by the same IP address from a Comcast account served to a home in Cypress, Texas.

Authorities also found through a simple Google search that Morgenstern had previously controlled the Twitter account @ZackL337H4X0R.

I’m sure the website administrators were all too happy to hand over those records. Even with my hatred of the state I think I’d have enjoyed turning those records over.

Many of the tools I advocate on this blog would provide pretty good protection for people such as this. That’s certainly the downside of the double-edged sword that is computer security. However, the good greatly outweighs the bad, especially when you realize that most people like this aren’t smart enough to properly use anonymizing tools. And even the assholes who are smart enough to use such tools are usually too dumb to use them properly but have an ego that’s large enough to convince them they’re smarter than they really are.

Professionally Built Illicit Firearms

As an advocate of self-defense and an agorist I always enjoy stories that involve both. Opponents of self-defense have worked hard to put laws in place that restrict access to firearms. But laws are mere words on pieces of paper and cannot stop human action. We’ve seen countless examples of illicitly manufactured firearms but they generally appear to be rather crude. Now a mystery manufacturer appears to be illegally producing professionally built firearms and distributing them in Europe:

Pictured is an unknown 9mm machine pistol which has been seized in the Netherlands and more recently in the UK. ‘R9-Arms Corp USA’ appears to be a fictional company, suggesting it has been manufactured illicitly. The model is made to a very professional standard with a milled receiver and slide, perhaps even produced in a former legitimate arms factory in a country such as Croatia. It appears to accept an Uzi type magazine and can fire semi or fully automatically.

The ATF in the USA were consulted on its origin and apparently had no matches on record.

Manufacturing a firearm isn’t rocket science. Firearms are pretty simple mechanical devices and the tooling needed to manufacture one is already fairly affordable and only becoming more so every day. But manufacturing them on a large scale without getting caught still requires skill and it appears Europe has somebody with the necessary skills.

In addition to providing a means of self-defense outside of the state’s control the act of illegally manufacturing and distributing firearms also ensures taxes aren’t siphoned to the very beast that attempts to hinder people’s access to self-defense tools. It’s a win-win. Hopefully we will see more mystery firearm manufacturers in the coming years.

An Expedient Alternative To The Election Cycle

I’m not in the market for a master but a lot of my fellow countrymen apparently are. Millions of them spent an evening watching a debate to decide what master they would most like to submit to. One potential master has been enjoying record turnouts to his appearances. Soon many of these people will be investing hundreds of hours door knocking, working call centers, and annoying co-workers to evangelize for their preferred master. And that’s not even the tip of the iceberg. Most of these people will also be giving their hard earned money to their preferred master and even take time out of their day to vote for them!

It doesn’t have to be this way. They don’t have to invest hundreds of hours and dollars to submit to a master! There are people who will actually lord over them for cash alone! That’s right, they can just buy a dom who will beat them mercilessly to their heart’s content and it won’t require a year of political bullshit to realize!

If you know somebody who is searching for a master do them, and everybody else (so we don’t have to listen to them), a favor and let them know about FetLife. It’s a website to help people interested in bondage, discipline, sadomasochism, and masochism (BDSM) connect with one another. Submissives can connect with masters without suffering a year of fruitless politicking first and the rest of us can enjoy a little peace and quiet.

There Is No Free Web

Ad blockers are wonderful plugins that save bandwidth (and therefore money for people paying by usage) and protect computers against malware. But a lot of people, namely website operators that rely on advertisements for revenue, hate them:

This is an exciting and chaotic time in digital news. Innovators like BuzzFeed and Vox are rising, old stalwarts like The New York Times and The Washington Post are finding massive new audiences online, and global online ad revenue continues to rise, reaching nearly $180 billion last year. But analysts say the rise of ad blocking threatens the entire industry—the free sites that rely exclusively on ads, as well as the paywalled outlets that rely on ads to compensate for the vast majority of internet users who refuse to pay for news.

[…]

Sean Blanchfield certainly doesn’t share Carthy’s views. He worries that ad blocking will decimate the free Web.

As the war between advertisers and ad blockers rages there’s something we need to address: the use of the phrase “free web.” There is no “free web.” There has never been a “free web.” Websites have always required servers, network connectivity, developers, content producers, and other costs. This war isn’t between a “free web” and a pay web; it’s between a revenue model where viewers are the product and a revenue model where the content is the product.

If you’re using a service and not paying for it the content isn’t the product, you are. The content exists only to get you to access the website to either increase the number of page clicks and therefore give the owners a good argument for why advertisers should advertise on their sites or hand over your personal information so it can be sold to advertisers. In exchange for being the product other costs are also pushed onto you such as bandwidth and the risk of malware infection.

Ad blockers can’t decimate the “free web” because it doesn’t exist. What they will likely do is force website operators to find alternate means of generating revenue. Several content providers have started experimenting with new revenue models. The Wall Street Journal, for example, puts a lot of articles behind a paywall and the New York Times gives readers access to a certain number of articles per month for free but expects payment after that. Other content providers like Netflix charge a monthly subscription for access to any content. There are a lot of ways to make money off of content without relying on viewers as a product.

As this war continues, always remember TANSTAAFL (there ain’t no such thing as a free lunch); otherwise you might get suckered into believing there is a “free web” and let that color your perception.