Peripherals Are Potentially Dangerous

Some auto insurance companies are exploring programs where customers can receive reduced rates in exchange for attaching a dongle to their vehicle’s on-board diagnostics (OBD) port. The dongles then use the diagnostics information provided by the vehicle to track your driving habits. If you’re a “good” driver you can get a discount (and if you’re a “bad” driver you’ll probably get charged more down the road). It seems like a good deal for drivers who always obey speed limits and such, but the OBD port has access to everything in the vehicle, which means any dongle plugged into it could cause all sorts of havoc. Understandably, auto insurance companies are unlikely to use such dongles for evil, but that doesn’t mean somebody else won’t:

At the Usenix security conference today, a group of researchers from the University of California at San Diego plan to reveal a technique they could have used to wirelessly hack into any of thousands of vehicles through a tiny commercial device: A 2-inch-square gadget that’s designed to be plugged into cars’ and trucks’ dashboards and used by insurance firms and trucking fleets to monitor vehicles’ location, speed and efficiency. By sending carefully crafted SMS messages to one of those cheap dongles connected to the dashboard of a Corvette, the researchers were able to transmit commands to the car’s CAN bus—the internal network that controls its physical driving components—turning on the Corvette’s windshield wipers and even enabling or disabling its brakes.

“We acquired some of these things, reverse engineered them, and along the way found that they had a whole bunch of security deficiencies,” says Stefan Savage, the University of California at San Diego computer security professor who led the project. The result, he says, is that the dongles “provide multiple ways to remotely…control just about anything on the vehicle they were connected to.”

I guarantee any savings you get from your insurance company for attaching one of these dongles to your OBD port will be dwarfed by the cost of crashing your vehicle because your brakes were suddenly disabled.

This is a perfect example of two entities with little experience in security compounding their failures to create a possible catastrophe. Automotive manufacturers are finally experiencing the consequences of having paid no attention to the security of their on-board systems. Insurance agencies now have a glimpse of what can happen when you fail to understand the technology you’re working with. While a dongle that tracks the driving behavior of customers seems like a really good idea, if that dongle is remotely accessible and insecure it can actually be a far bigger danger than benefit.

I wouldn’t attach such a device to my vehicle because it creates a remote connection to the vehicle (if it didn’t, the insurance companies wouldn’t have any reliable way of acquiring the data from the unit), and that is just asking for trouble, as this story shows.
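The attack in the excerpt works because a remotely reachable dongle forwards whatever it is told onto the vehicle bus. As an added example that is not part of this post or of the UCSD researchers’ work, the Python sketch below contrasts that weak pattern with a dongle-side handler that authenticates each SMS command with an HMAC and a strictly increasing counter, and forwards only ISO 15765-4 diagnostic request IDs. The message format, the shared key, the sender allowlist and the command set are assumptions made for the demo and do not describe any real product’s protocol.

```python
import hashlib
import hmac

# ISO 15765-4 diagnostic request identifiers: the functional request ID 0x7DF and the
# physical request IDs 0x7E0-0x7E7. A diagnostics dongle has no reason to transmit on any
# other arbitration ID, so everything outside this set is dropped before it reaches the bus.
OBD_DIAG_REQUEST_IDS = frozenset({0x7DF, *range(0x7E0, 0x7E8)})

# Constructed demo key (assumption). A real dongle would hold a per-device key
# provisioned at manufacture and known only to the back end.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def accept_command_insecure(sms_text):
    """The weak pattern: treat whatever arrives by SMS as a CAN frame to transmit.

    Assumed demo format: '<arb_id_hex>:<data_hex>'. Nothing is authenticated, so any
    phone that learns the dongle's number can put frames on the bus.
    """
    arb_id_hex, data_hex = sms_text.split(":")
    return int(arb_id_hex, 16), bytes.fromhex(data_hex)


def _mac(key, counter, arb_id, data):
    """HMAC-SHA256 over the canonical command text (assumed wire encoding)."""
    msg = f"{counter}:{arb_id:03X}:{data.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_command(key, counter, arb_id, data):
    """Back-end side: sign a command as '<counter>:<arb_id_hex>:<data_hex>:<mac>'."""
    return f"{counter}:{arb_id:03X}:{data.hex()}:{_mac(key, counter, arb_id, data)}"


class SecureCommandChannel:
    """Dongle side: only signed, fresh, allowlisted diagnostic requests reach the CAN bus."""

    def __init__(self, key, allowed_senders):
        self.key = key
        self.allowed_senders = frozenset(allowed_senders)
        self.last_counter = 0  # strictly increasing; a resent old command is refused

    def accept(self, sender, sms_text):
        """Return ((arb_id, data), 'ok') for a valid command, else (None, reason)."""
        if sender not in self.allowed_senders:
            return None, "sender not allowlisted"
        parts = sms_text.split(":")
        if len(parts) != 4:
            return None, "malformed"
        counter_s, arb_id_hex, data_hex, mac = parts
        try:
            counter = int(counter_s)
            arb_id = int(arb_id_hex, 16)
            data = bytes.fromhex(data_hex)
        except ValueError:
            return None, "malformed"
        # Authenticate before acting on any field; constant-time compare avoids a timing leak.
        if not hmac.compare_digest(_mac(self.key, counter, arb_id, data), mac):
            return None, "bad mac"
        if counter <= self.last_counter:
            return None, "replay"
        # Even a genuinely signed command is confined to the diagnostic request IDs.
        if arb_id not in OBD_DIAG_REQUEST_IDS:
            return None, "arbitration id not a diagnostic request"
        if len(data) > 8:  # classic CAN data field limit
            return None, "oversized frame"
        self.last_counter = counter
        return (arb_id, data), "ok"


if __name__ == "__main__":
    channel = SecureCommandChannel(DEMO_KEY, {"+15550100"})  # constructed back-end number
    # Mode 01 PID 05 (engine coolant temperature) request, a legitimate diagnostic query.
    signed = build_command(DEMO_KEY, 1, 0x7DF, bytes.fromhex("020105"))
    print(channel.accept("+15550100", signed))  # ((2015, b'\x02\x01\x05'), 'ok')
    print(channel.accept("+15550100", signed))  # (None, 'replay')
    print(channel.accept("+15550100", build_command(DEMO_KEY, 2, 0x123, b"\x00")))
    print(accept_command_insecure("123:00"))  # forwarded unchecked
```

The point of the allowlist on arbitration IDs is that it limits damage even if the key leaks: a compromised back end could still only issue diagnostic queries, not body-control frames. Sender filtering on its own is worth little, since SMS origin addresses can be spoofed, which is why the HMAC and counter do the real work.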

The EPA Investigated Itself And Found It Did Nothing Wrong

After dumping millions of gallons of polluted mining water into a clean river, the Environmental Protection Agency (EPA) performed a quick investigation and decided it won’t suffer any punishment:

DENVER — Unlike BP, which was fined $5.5 billion for the 2010 Deepwater Horizon disaster, the EPA will pay nothing in fines for unleashing the Animas River spill.

“Sovereign immunity. The government doesn’t fine itself,” said Thomas L. Sansonetti, former assistant attorney general for the Justice Department’s division of environment and natural resources.

New Mexico Gov. Susana Martinez and other lawmakers have called on the EPA to hold itself to the same standards as it would a private company in the aftermath of Wednesday’s accident, in which an EPA-led crew uncorked a 3 million-gallon spill of orange wastewater from the abandoned Gold King Mine near Silverton, Colorado.

However, “The EPA does not fine itself the way that you would fine an outside company like BP,” said Mr. Sansonetti, who served from 2001 to 2005 under President George W. Bush.

OK, I was joking about it performing an investigation. But this harkens back to what I said yesterday. Depending on the state to protect the environment is foolhardy because it has no incentive to actually protect the environment. When a company violates its regulations it merely demands a piece of the action in the form of fines. And when it violates its own regulations it declares “sovereign immunity,” just like a “sovereign citizen” would, and says it may pay the cost of cleanup and compensation for damages but only if Congress appropriates money for it:

What the EPA can be expected to cover is the cost of the cleanup and compensation for the damage caused, funding that would have to be appropriated by Congress, meaning that the taxpayers will foot the bill.

“That’s going to have to be appropriated because that sort of thing is not included in the EPA’s budget,” said Mr. Sansonetti, now a Denver attorney.

Not only will the agency go unpunished but it won’t even have to pay the costs out of its budget! Considering this fact, what motivation does the EPA have to protect the environment? It seems like the agency wins whenever the environment is polluted. If a private entity pollutes a river the EPA enjoys a cash payment, and if it pollutes a river itself it does nothing unless it receives additional money from Congress to fix its fuck up.

Go ahead statists, explain to me how the state is necessary to protect the environment after this fiasco. I could use a good laugh.

Oracle. Because You Suck. And We Hate You.

Unpatched vulnerabilities are worth a lot of money to malicious hackers. Hoping to outbid more nefarious types, many large software companies, including Google, Microsoft, and Mozilla, have begun offering cash payments for disclosed vulnerabilities. Companies that don’t have bounty programs will often publicly credit you for the discovery. But Oracle will do neither. In fact Oracle’s Chief Security Officer went out of her way to describe Oracle’s official policy regarding vulnerability disclosure (the blog post was later, smartly, removed from Oracle’s site but the Internet is forever so we get to laugh anyways). The post contains some real gems:

If we determine as part of our analysis that scan results could only have come from reverse engineering (in at least one case, because the report said, cleverly enough, “static analysis of Oracle XXXXXX”), we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer’s behalf – reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already. (In legalese, of course. The Oracle license agreement has a provision such as: “Customer may not reverse engineer, disassemble, decompile, or otherwise attempt to derive the source code of the Programs…” which we quote in our missive to the customer.) Oh, and we require customers/consultants to destroy the results of such reverse engineering and confirm they have done so.

It’s good to get this out of the way early. Oracle, upon receiving a report of a vulnerability, will first investigate whether discovering the vulnerability required reverse engineering its code. If it did, Oracle’s way of saying thanks is to send you a legal threat for violating the license agreement. Although I’ve never sold a vulnerability to a malicious hacker I’m fairly certain their reaction is not to threaten you with legal action. Score one for the “bad guys” (I’m using quotes here because I’m not sure if malicious hackers really are bad guys when compared to Oracle).

Q. What does Oracle do if there is an actual security vulnerability?

Pay the person who disclosed it instead of selling it to malicious hackers, right?

A. I almost hate to answer this question because I want to reiterate that customers Should Not and Must Not reverse engineer our code. However, if there is an actual security vulnerability, we will fix it. We may not like how it was found but we aren’t going to ignore a real problem – that would be a disservice to our customers. We will, however, fix it to protect all our customers, meaning everybody will get the fix at the same time. However, we will not give a customer reporting such an issue (that they found through reverse engineering) a special (one-off) patch for the problem. We will also not provide credit in any advisories we might issue. You can’t really expect us to say “thank you for breaking the license agreement.”

Or not. People kindly disclosing discovered vulnerabilities to Oracle will only receive the legal threat. No payment or even public credit will be given. Meanwhile malicious hackers will give you cash for unpatched vulnerabilities so they score another point.

Q. But one of the issues I found was an actual security vulnerability so that justifies reverse engineering, right?

Under these circumstances I’m sure Oracle will forgive you for violating the license agreement since malicious hackers aren’t going to abide by it either, right?

A. Sigh. At the risk of being repetitive, no, it doesn’t, just like you can’t break into a house because someone left a window or door unlocked.

I guess not. Although I’m not sure how breaking into a house is an accurate analogy here. A better analogy would be buying a lock, taking it apart, and discovering a mechanical flaw that makes it easy to bypass. Entering a home uninvited is quite a bit different than being invited into a home (and a customer who paid Oracle for a license was certainly invited to use the company’s software) and discovering that the locks inside the home could be easily bypassed due to a design flaw. Most homeowners would probably thank you for pointing out the locks they purchased are shitty. Regardless of the analogy, a malicious hacker isn’t likely to care that you “broke into a house” or violated a license agreement. Score yet another point to them.

Q. Hey, I’ve got an idea, why not do a bug bounty? Pay third parties to find this stuff!

That’s a good question. Oracle can’t possibly argue that bug bounty programs are a bad idea, right?

A. Bug bounties are the new boy band (nicely alliterative, no?) Many companies are screaming, fainting, and throwing underwear at security researchers**** to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn’t secure. Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers. (Small digression: I was busting my buttons today when I found out that a well-known security researcher in a particular area of technology reported a bunch of alleged security issues to us except – we had already found all of them and we were already working on or had fixes. Woo hoo!)

Jesus Christ. Really? Since Oracle finds 87 percent of vulnerabilities bug bounty programs are useless? I guess the other 13 percent are somehow valueless because they’re the minority? Seriously, what the fuck is Oracle thinking here? Malicious hackers pay per vulnerability. They don’t give a shit if it’s part of some irrelevant minority in a metric kept by Oracle. And it only takes one vulnerability to put your customers at risk. That’s the fourth point for malicious hackers.

Q. Surely the bad guys and some nations do reverse engineer Oracle’s code and don’t care about your licensing agreement, so why would you try to restrict the behavior of customers with good motives?

I’m not even going to waste your time with asking if Oracle has found some common sense by now. We know it hasn’t.

A. Oracle’s license agreement exists to protect our intellectual property. “Good motives” – and given the errata of third party attempts to scan code the quotation marks are quite apropos – are not an acceptable excuse for violating an agreement willingly entered into. Any more than “but everybody else is cheating on his or her spouse” is an acceptable excuse for violating “forsaking all others” if you said it in front of witnesses.

Oracle seems to have the same mentality as those who put up those wretched “no guns allowed” signs. That is, a belief that words can somehow stop people from acting in a certain fashion. The question of malicious hackers reverse engineering Oracle’s code in violation of its license agreement isn’t one that lends itself to arguing about the moral high ground. They are doing it, so it’s in your best interest to have other people, people who want to help you thwart the malicious hackers, doing the same. Once again we return to the fact that malicious hackers aren’t going to give you a speech on morality, they’re going to pay you. That’s five points to them and zero to Oracle.

Considering what we learned in this blog post what motivation does anybody have to disclose discovered vulnerabilities in Oracle’s software? At worst you’ll receive a legal threat and at best you’ll receive nothing at all. Meanwhile malicious hackers will pay you cash for that vulnerability.

The reason companies like Google, Microsoft, and Mozilla established bounty programs is because they realize vulnerabilities are a valuable commodity and they have to outbid the competition.

I’ve long wondered why anybody does business with Oracle considering the company’s history. But this post really confirmed my dislike of the company. There are times where you have to set aside trivial disagreements, like a customer violating a license agreement, for the good of your business (which is also the good of the customers in this case). If somebody discloses a vulnerability to you, you shouldn’t waste time asking a bunch of irrelevant legal questions and you certainly shouldn’t threaten them with legal action. Instead you should verify the bug and pay the person who disclosed it to you instead of disclosing it to somebody with a vested interest in exploiting your customers. Make it worth somebody’s while to disclose vulnerabilities to you so they don’t disclose them to people who are going to target your customers.

Seattle City Council Used Fear To Enrich Themselves

Gun violence is one of those phrases spoken by politicians who want to drum up fear in the general public. Although it’s no different than any other form of violence, the idea of gun violence tends to be scarier to most people than, say, knife violence (which is kind of strange because I’d far prefer to be shot than stabbed), so it lends itself better to expanding the surveillance state. The Seattle City Council took things a step further though. Instead of using gun violence as an excuse to expand the surveillance state it used it to directly enrich itself:

The Seattle City Council gave its unanimous approval Monday afternoon to a plan that slaps a $25 tax on each gun sale and 5 cents on each bullet sold in the city limits.

The proposal, introduced last month by Council President Tim Burgess, is billed as the city’s solution to the $17 million in medical costs from 253 gunshot victims at Harborview Medical Center last year, which Seattle underwrites with public funds.

How will this new tax solve the problem of gun violence? It won’t because it doesn’t impact people who are actually committing acts of violence with firearms (you know, the ones who generally acquire their firearms through theft). The only people this tax will impact are non-violent gun owners who aren’t part of the problem. In fact this tax doesn’t even address the root of the city’s $17 million medical bill, which is violence. But this tax will rake in more cash for the city government, which is the point. After all, how else will the City Council vote itself a raise if it’s not finding new revenue sources?

Once again we get to witness the lie of government solutions. Governments have no motivation to fix problems because the existence of problems allows them to further cement their power and enrich their members.

Don’t Return To The Caves

Robert Anton Wilson popularized the words neophiles and neophobes to describe people who enjoy and can adapt to rapid changes and those who fear and oppose change, respectively. Whenever neophiles create and adopt a technological advancement, neophobes step in to try and retard it. Strong cryptography allows individuals to securely communicate with one another. Neophobes, who are fearful by nature, cannot accept the idea of people having conversations that cannot be spied on. Advancements in automation require less human labor to produce more goods and services. Neophobes fear automation because they cannot conceive of a world where laborers don’t have to work as much or can find meaningful employment after being displaced by machines. Genetically modified crops can dramatically increase our species’ food production and feed more people with less resource expenditure. Neophobes want to halt production of genetically modified crops because they fear tampering with nature will have frightening and currently unrealized consequences.

The biggest difference between neophiles and neophobes is the former understands risks are inherent in change and accepts those risks while the latter fears change because it involves unknown risks.

Would you enjoy living a much shorter and harder life as a hunter-gatherer in a cave? Because that’s what we’d all be doing if everybody listened to the neophobes. Advancements are scary because we don’t know how they will change the world. But advancement is far less scary than stagnation. This is why I don’t give any weight to arguments against technological advancement.

Are there risks in widespread availability of strong cryptography? Yes. Are there risks in allowing machines to do more and more of our labor? Yes. Are there risks in creating and cultivating genetically modified crops? Again, yes. However, there are also risks in enabling widespread surveillance, relying on manual labor, and refusing to advance agriculture. Those risks are powerful police states, injuries and deaths on jobs, and starvation.

Since the industrial revolution we’ve enjoyed a world where neophilia has surpassed neophobia. Even though we’re enjoying a standard of living unheard of only a generation ago the neophobes are still pounding their drums and trying to scare people into returning to the caves. Do you want to live in a world where we’re relegated to subsistence agriculture or one where robots produce more food than our species can possibly consume? If you, like me, desire the latter then you should work to ensure technological advancement isn’t hindered by neophobes. That means not supporting any efforts to stop the advancement of technology. Don’t support attempts to control the exportation of strong cryptography. Don’t support attempts to stop the adoption of automation. Don’t support prohibitions against genetically modified crops. Try to help technological advancements to flourish so more people can enjoy their benefits. Refute the neophobic fear mongering by pointing out how not adopting new technologies is also risky and how the fears of neophobia have seldom, if ever, been realized. Don’t help those who would return us to the caves.

Why Demonizing Your Opposition Hurts You

I haven’t mentioned the upcoming presidential election too much because it’s inconsequential. No matter who wins we’ll lose. But Bernie Sanders has offered me a stepping stone into a topic that’s actually useful. Namely history, or more specifically why demonizing opposition prevents us from learning from history.

Sanders’ big selling point, according to many of his proponents, is he’s a socialist. Unlike most of the pathetic politicians running for office in this country, Sanders has no problem openly admitting he is a socialist. To his proponents this means he’s going to give everybody free everything. Healthcare? Free! Education? Free! Food? Free!

Of course many countries have tried the socialism thing before. The Soviet Union, Nazi Germany (and don’t scream “Godwin’s Law,” because this is an accurate historical reference that’s especially applicable here since Bernie is a national socialist), Maoist China, North Korea, Khmer Rouge, and many other nations have tried socialism. All of these nations devolved into massive pits of death. And with the exception of China, which is only an exception because it eventually woke up enough to separate itself from Maoism, they have ended in complete economic collapse. Today we’re seeing one of the few remaining socialist states, Venezuela, relive the final days of the Soviet Union. With so much historical evidence demonstrating the futility of socialism why are so many people in this country supportive of it? Usually a dirty libertarian like myself would blame it on idiocy but I don’t think it’s so simple.

The above mentioned states have something else in common: they’ve all been demonized by the United States government. I don’t think this point gets discussed enough. During the Cold War the United States government was creating anti-socialist propaganda like it was going out of style. The problem with propaganda is it doesn’t refute ideas with reason. Propaganda relies entirely on demonizing the opposition and declaring yourself an angel. Bad guys are bad because they’re not us! Americans are better and can do anything! Their leaders rule by terror but ours lead by the will of the people! Those are examples of propaganda. No ideas are refuted. The only reason the other side is bad is because they’re not us.

When you believe your team is the paragon of all that is righteous and everybody else is the epitome of evil you’ve set yourself up to fail. For most of Sanders’ supporters socialism didn’t fail because it’s unworkable, it failed because evil people were doing it. In their eyes the United States isn’t evil and can therefore succeed at socialism.

Demonizing your opposition hurts in the long run because it convinces you that you can succeed where your opposition failed. Not falling into the demonizing trap is difficult but the consequences of failing to avoid it are so severe that you’re likely to destroy yourself.

Without Government Who Would Pollute The Rivers

I’ve been told the Environmental Protection Agency (EPA) is the lone barrier that stands between us and the entire country being turned into an uninhabitable wasteland by greedy corporations that want to fill our lakes and rivers with industrial waste. But I’ve also been told that socialism can work so I don’t put a lot of weight into what others have told me. The EPA, as with most government agencies, doesn’t really do what its name implies. It doesn’t protect the environment so much as license pollution. When somebody is dumping waste into a body of water the EPA steps in and demands a little piece of the action in exchange for looking the other way. And if nobody is polluting a body of water the EPA steps in and does it:

DURANGO — A spill that sent 1 million gallons of wastewater from an abandoned mine into the Animas River, turning the river orange, set off warnings Thursday that contaminants threaten water quality for those downstream.

The Environmental Protection Agency confirmed it triggered the spill while using heavy machinery to investigate pollutants at the Gold King Mine, north of Silverton.

I know somebody reading this will feel the need to point out that the EPA didn’t do this on purpose, which I’m sure is true. That’s not the point. The point is the lack of recourse. When an individual or corporation dumps waste into a body of water people usually sic the EPA on them. But what happens in this case? Who watches the watchmen? Does the EPA sue itself and transfer some of its money to itself? Will another agency, maybe an oversight committee, step in to fine the EPA and therefore transfer some of the state’s wealth from itself to itself?

Herein lies the problem. The government, which is the biggest polluter, is held entirely unaccountable because it has declared a monopoly on environmental protection. As it has declared this monopoly for itself there is no way to hold it accountable, because it’s in its best interest to not enforce its own laws against itself. And if anybody else tries to hold it accountable it attacks them for breaking the law.

The biggest failure of environmentalism is its reliance on the state. A state has no interest in protecting the environment, its interests lie in polluting it without consequence and getting a piece of any polluting action.

Why I Generally Recommend iOS Over Android

As I’m sure many of you are, I’m the guy who friends and family come to when seeking advice on what electronic device to purchase. When somebody asks me whether they should get an iOS or Android device I generally point them towards iOS. It’s not because Android is bad, it’s a very good operating system. Unfortunately, in most cases, when you get an Android device you’re not so much dealing with Android as the manufacturer and carrier. Because of their meddling in an otherwise great operating system it’s difficult to know when or for how long you’ll get updates and that creates a security nightmare:

Now, though, Android has around 75-80 percent of the worldwide smartphone market—making it not just the world’s most popular mobile operating system but arguably the most popular operating system, period. As such, security has become a big issue. Android still uses a software update chain-of-command designed back when the Android ecosystem had zero devices to update, and it just doesn’t work. There are just too many cooks in the kitchen: Google releases Android to OEMs, OEMs can change things and release code to carriers, carriers can change things and release code to consumers. It’s been broken for years.

The Android ecosystem’s reaction to the “Stagefright” vulnerability is an example of how terrible things are. An estimated 95 percent of Android devices have a remote arbitrary code execution just by receiving malicious video MMS. Android has other protections in place to stop this vulnerability from running amok on your smartphone, but it’s still really scary. As you might expect, Google, Samsung, and LG have all pledged to “Take Security Seriously” and issue a fix as soon as possible.

Their “fix” is going to be to patch 2.6 percent of all active Android devices. Tops. That’s the percentage of Android devices that are running Android 5.1 today, nearly five months after the OS was released.

This isn’t a new problem. Manufacturers and carriers have been interfering with software updates for phones for ages. My first cell phone was a Palm Treo 700p running on Sprint’s network. Sprint, compared to other carriers who also had the 700p, would take forever to approve updates for the device and sometimes wouldn’t approve them at all. That meant I was stuck with unpatched software much of the time because Palm was at the mercy of Sprint.

Apple refused to allow carriers any control over iOS. Although this is likely part of why the iPhone was relegated to only being available on AT&T for a long time the decision paid off in the long run. When a vulnerability is discovered in iOS Apple can push out the patch and no carrier can interfere. Google, on the other hand, gave almost all control to manufacturers and carriers. Because of that it can’t push out Android updates to all of its users and that leaves many Android users with insecure devices.

I hope Google changes this and at least requires manufacturers to use Android’s official update channel in order to gain access to its proprietary apps (which is what most people use Android for anyways). The current situation is untenable, which is sad because Android really is a good operating system.

Remember When Obama Argued Peace Instead Of Bragging About The Number Of Countries He’s Bombed

It’s hard to remember the days of Obama’s first presidential run. Bush was in office, had dragged us into wars throughout the Middle East, and had led the charge to increase the already pervasive and unaccountable surveillance state. Obama promised to end the wars and dismantle the surveillance state.

Since then Obama has dragged us into more wars and further empowered the surveillance state. His love of war has become so strong that he can’t even pretend to be reluctant about it anymore. Hilariously a lot of Republicans have been accusing him of not being a big enough war monger because of the deal he’s been negotiating with Iran. Not wanting people to question his dedication to bombing children in the Middle East Obama rebutted the Republicans’ accusations by pointing out just how many countries he’s bombed:

Beyond accurately describing Iran Deal opponents, Obama also accurately described himself and his own record of militarism. To defend against charges that he Loves the Terrorists, he boasted:

As commander-in-chief, I have not shied away from using force when necessary. I have ordered tens of thousands of young Americans into combat. . . .

I’ve ordered military action in seven countries.

By “ordered military actions in seven countries,” what he means is that he has ordered bombs dropped, and he has extinguished the lives of thousands of innocent people, in seven different countries, all of which just so happen to be predominantly Muslim.

It’s amazing how much things have changed since his first presidential run. He’s not even pretending to be anti-war anymore. And why should he? It’s not like he can run for a third term anyways. I think it’s also amusing, and sad, to see how his supporters went from being a huge percentage of the anti-war movement to either entirely silent on the issue of war or proponents of these new wars.