A Geek With Guns

Chronicling the depravities of the State.

Archive for February, 2016

Bill Gates Sides With The FBI

with one comment

Microsoft has always enjoyed a cozy relationship with the State. This isn’t surprising to anybody who has paid attention to Bill Gates and his ongoing love affair with the State. It’s also not surprising that he is siding with the Federal Bureau of Investigations (FBI) against Apple:

Technology companies should be forced to cooperate with law enforcement in terrorism investigations, Gates said, according to a Financial Times story posted late Monday.

“This is a specific case where the government is asking for access to information. They are not asking for some general thing, they are asking for a particular case,” he said.

This statement by Gates is laughable. The FBI is demanding Apple create a custom signed version of iOS that doesn’t include several security features and includes built-in software to brute force the decryption key set by the user. That is not a general thing for a particular case, that’s a general tool that can be used on many iPhones.

What is funny about this though is that Bill Gates tried to backpedal but in so doing only said exactly the same thing over again:

In an interview with Bloomberg, Bill Gates says he was “disappointed” by reports that he supported the FBI in its legal battle with Apple, saying “that doesn’t state my view on this.”

Still, Gates took a more moderate stance than some of his counterparts in the tech industry, not fully backing either the FBI or Apple but calling for a broader “discussion” on the issues. “I do believe that with the right safeguards, there are cases where the government, on our behalf — like stopping terrorism, which could get worse in the future — that that is valuable.” But he called for “striking [a] balance” between safeguards against government power and security.

Any “balance” would require Apple to create firmware that includes a backdoor for government use. In other words, it would require exactly what the FBI is demanding of Apple.

Cryptography is math and math belongs to that very small category of things that are either black or white. Either the cryptography you’re using is effective and only allows authorized parties to access the unencrypted content or it is ineffective. There is no middle ground. You cannot break cryptography just a little bit.

Although the existence of a version of iOS with a backdoor is frightening in and of itself, the idea that a single judge can enslave software developers by issuing a writ is terrifying. That’s an aspect of this case that is getting glossed over a lot. Apple has already publicly stated it has no desire to write a weakened version of iOS. If the court sides with the FBI it will try to force Apple to write software against its will. Why should any individual have the power to legally do that?
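The point that the protections being removed, rather than the passcode itself, are what keep a short passcode safe can be put in numbers. This is an added example, not code from the post; the escalating delay schedule, the erase-after-ten-failures setting and the 80 ms per-guess key-derivation cost are assumptions about a device’s configuration, not figures the post states.

```python
"""Model of what an iOS-style passcode lockout policy buys the device owner.

Added example, not code from the original post. The policy numbers are
assumptions about a device's configured protections (escalating delays after
repeated failures, an optional erase after a fixed number of failures, and a
fixed key-derivation cost per guess), not figures stated in the post.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class LockoutPolicy:
    per_attempt_s: float = 0.08          # assumed key-derivation cost of one guess
    # consecutive-failure count -> extra delay (seconds) imposed from then on;
    # delays must be non-decreasing in the failure count
    delays_s: Dict[int, float] = field(default_factory=dict)
    erase_after: Optional[int] = 10      # None: the device never erases itself


def total_delay(policy: LockoutPolicy, guesses: int) -> float:
    """Closed-form sum of the extra delays spread over the first `guesses`
    failed attempts, so large passcode spaces need no per-guess loop."""
    steps = sorted(policy.delays_s.items())
    total = 0.0
    for i, (start, delay) in enumerate(steps):
        nxt = steps[i + 1][0] if i + 1 < len(steps) else guesses + 1
        end = min(nxt, guesses + 1)
        if end > start:
            total += (end - start) * delay
    return total


def guessing_budget(policy: LockoutPolicy, space: int) -> Tuple[int, float, float]:
    """For a uniformly chosen passcode drawn from `space` possibilities, return
    (guesses an attacker at the keypad can make, seconds those guesses cost,
    probability the passcode is found within them)."""
    guesses = space if policy.erase_after is None else min(space, policy.erase_after)
    seconds = guesses * policy.per_attempt_s + total_delay(policy, guesses)
    return guesses, seconds, guesses / space


if __name__ == "__main__":
    # assumed schedule: 1 min after 5 failures, 5 min after 6, 15 min after 7,
    # 1 h after 9, erase after 10; "stripped" is the same device with those removed
    protected = LockoutPolicy(delays_s={5: 60, 6: 300, 7: 900, 9: 3600}, erase_after=10)
    stripped = LockoutPolicy(delays_s={}, erase_after=None)
    for label, space in (("6 digits", 10 ** 6), ("6 lowercase alnum", 36 ** 6)):
        for name, pol in (("protected", protected), ("stripped", stripped)):
            g, s, p = guessing_budget(pol, space)
            print(f"{label:18} {name:9} guesses={g:<11d} hours={s / 3600:12.1f} p={p:.2e}")
```

With the protections in place an attacker gets ten guesses at a six-digit code (a one-in-100,000 chance); with them stripped the whole six-digit space costs under a day at the assumed per-guess rate, and only a longer alphanumeric passcode pushes that back to years.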

Written by Christopher Burg

February 24th, 2016 at 10:00 am

The Public-Private Surveillance Partnership Strikes Again

without comments

As a history buff, I have always been interested in Ancestry.com. I’d love to trace back my family lineage. But the public-private surveillance partnership has held me back.

I figured it was only a matter of time until government agents began demanding genetic records from services like Ancestry.com and 23andMe. Once again my paranoia turned out to be prophetic (not because I’m so smart but because it was so bloody obvious):

Now, five years later, when 23andMe and Ancestry both have over a million customers, those warnings are looking prescient. “Your relative’s DNA could turn you into a suspect,” warns Wired, writing about a case from earlier this year, in which New Orleans filmmaker Michael Usry became a suspect in an unsolved murder case after cops did a familial genetic search using semen collected in 1996. The cops searched an Ancestry.com database and got a familial match to a saliva sample Usry’s father had given years earlier. Usry was ultimately determined to be innocent and the Electronic Frontier Foundation called it a “wild goose chase” that demonstrated “the very real threats to privacy and civil liberties posed by law enforcement access to private genetic databases.”

[…]

Both Ancestry.com and 23andMe stipulate in their privacy policies that they will turn information over to law enforcement if served with a court order. 23andMe says it’s received a couple of requests from both state law enforcement and the FBI, but that it has “successfully resisted them.”

As a general rule I’m wary of any service that collects information the State wouldn’t normally have. I know any personal information collected on me by a service provider is a single court order away from being in the hands of the State.

This is a problem many libertarians fail to fully realize. They make a stark distinction between corporate and government surveillance and fail to realize the former becomes the latter at the whim of a judge. If it wasn’t for the State’s power to obtain private records I wouldn’t be as concerned with corporate surveillance since companies aren’t in a habit of sending armed goons to my door to shoot my dog and kidnap me.

Written by Christopher Burg

February 23rd, 2016 at 11:00 am

Google Releases RCS Client. It’s Backdoored.

with one comment

With the recent kerfuffle between Apple and the Federal Bureau of Investigations (FBI) the debate between secure and insecure devices is in the spotlight. Apple has been marketing itself as a company that defends users’ privacy and this recent court battle gives merit to its claims. Other companies have expressed support for Apple’s decision to fight the FBI’s demand, including Google. That makes this next twist in the story interesting.

Yesterday Christopher Soghoian posted the following Tweet:

His Tweet linked to a comment on a Hacker News thread discussing Google’s new Rich Communication Services (RCS) client, Jibe. What’s especially interesting about RCS is that it appears to include a backdoor as noted in the Hacker News thread:

When using MSRPoTLS, and with the following two objectives allow compliance with legal interception procedures, the TLS authentication shall be based on self-signed certificates and the MSRP encrypted connection shall be terminated in an element of the Service Provider network providing service to that UE. Mutual authentication shall be applied as defined in [RFC4572].

It’s important to note that this doesn’t really change anything from the current Short Message Service (SMS) and cellular voice protocols, which offer no real security. By using this standard Google isn’t introducing a new security hole. However, Google also isn’t fixing a known security hole.

When Apple created iMessage and FaceTime it made use of strong end-to-end encryption (although that doesn’t protect your messages if you back them up to iCloud). Apple’s replacement for SMS and standard cellular calls addressed a known security hole.

Were I Google, especially with the security debate going on, I would have avoided embracing RCS since it’s insecure by default. RCS may be an industry standard, since it’s managed by the same association that manages Global System for Mobile Communications (GSM), but it’s a bad standard that shouldn’t see widespread adoption.

Written by Christopher Burg

February 23rd, 2016 at 10:30 am

Political Campaigns Suck At Protecting Your Personal Information

without comments

I don’t need more reasons to abandon politics but I realize others do. To that end I feel that it’s important to point out the abysmal security record of political campaigns:

Over the last three months, more than 100 million US voters have had their data exposed online. These data breaches weren’t caused by a sophisticated hack or malware. Instead, political campaigns’ abysmal cybersecurity practices are to blame. Although modern campaigns constantly acquire and purchase massive amounts of data, they often neglect to fully beef up security surrounding it, effectively turning the campaigns into sitting ducks — huge operations with databases left open and vulnerable.

[…]

That might be unsettling, but perhaps more troubling is the fact that political campaigns are terrible at cybersecurity. Not only do the organizations have access to more information than ever before, they’re not able to keep it safe. The incentives to do so just don’t exist, and that’s why we’re seeing so much compromised voter data.

In Iowa last month, the state’s Republican party failed to adequately protect a database containing information on 2 million voters, making it readily available through just a basic scan of the website’s source code. In December, an independent security researcher uncovered a publicly available database of 191 million voter records. Included in that trove was each voter’s full name, home address, mailing address, unique voter ID, state voter ID, gender, date of birth, phone number, date of registration, political affiliation, and voter history since 2000.

I’ve mentioned these sorts of issues to friends before but they always hid behind the “I give campaigns a fake phone number” excuse. But the phone number you gave to a campaign isn’t what’s getting out, it’s your real personal information including your home address.

Politics is continuing to become more polarizing in this country. Both parties have become religions where disagreement with the party is tantamount to heresy. True believers are often willing to shun former friends and family members. Some employers are even willing to avoid hiring, or to terminate, employees based on their form of political worship. There are no signs indicating this trend will cease or reverse, so your voting record could become a major problem in the near future.

The amount of personal information many campaigns have on individuals is rather shocking. It’s often enough information for people with access to commit acts of identity theft.

There really isn’t anything to gain from political participation and there’s a lot to lose. Control over your personal information is one of the things you could potentially lose. My advice is to avoid politics since it’s obvious campaigns have no interest in protecting you.

Written by Christopher Burg

February 23rd, 2016 at 10:00 am

Is That A Bitcoin In Your Pocket

with one comment

Considering the Transportation Security Administration (TSA) achieved a 95 percent failure rate it’s not surprising this happened:

The TSA attempted to “screen” airline passenger Davi Barker for the virtual currency Bitcoin.

Barker is co-founder of BitcoinNotBombs, a Bitcoin advocacy group that gets donation-based organizations and social entrepreneurs set up to handle the currency. He’s written a very detailed telling of what happened right here. After going through security (he opted out of the body scanner but was successfully cleared through the checkpoint), two people stopped him, and it got uncomfortable quickly.

What next? Will some random TSA goon demand to see the Transport Layer Security (TLS) certificate in your briefcase?

The agency’s 95 percent failure rate makes a lot of sense when stories like this keep popping up in the news. When your agents are so clueless that they harass passengers after seeing something entirely imaginary there’s little hope that they’ll catch any of the real dangers.

Written by Christopher Burg

February 22nd, 2016 at 10:30 am

Monday Metal: Fear The Fear By Turisas

without comments

This week we’re listening to Turisas. Although Stand Up and Fight has been out for a few years I only recently heard it. Fear the Fear is my favorite song from that album and is probably my favorite song by the band:

Written by Christopher Burg

February 22nd, 2016 at 10:00 am

Posted in Media


Legalizing Slavery

with one comment

The United States has a long history of slavery. From the very beginning of this country through the end of the Civil War, black individuals could be owned as slaves in many states. After that the rules were changed. Private ownership of slaves was deemed illegal (a very good thing) but the State gave itself permission to enslave anybody it arbitrarily labeled as a criminal (a very bad thing). Eventually the process was streamlined and Federal Prison Industries (UNICOR) was created to manage the federally owned slaves. Individual states used this precedent to establish their own government-owned corporations to manage their slaves.

Now a congressman is looking to change the rules yet again by expanding the State’s ability to own slaves. If passed, this bill will allow the State to enslave anybody by issuing a simple court order:

Sen. Richard Burr (R-North Carolina), the chairman of the Senate Intelligence Committee, reportedly will introduce legislation soon to criminalize a company’s refusal to aid decryption efforts as part of a governmental investigation. The news was first reported Thursday afternoon by the Wall Street Journal.

Aiding decryption efforts requires labor. In the San Bernardino case the Federal Bureau of Investigations (FBI) is ordering Apple to create a custom version of iOS that removes several key security features. Apple has refused and it has every right to do so because nobody should be compelled into performing labor against their will. If the FBI wants the phone unlocked so badly it can either put in the effort itself or hire somebody willing to try.

We’re living in interesting times. The State is seeing less and less reason to conceal its intentions.

Written by Christopher Burg

February 19th, 2016 at 11:30 am

Private Surveillance

without comments

Although public surveillance is more frightening to me because the consequences are generally more dire, I also don’t shy away from criticizing private surveillance. This is where I often part company with other libertarians because they often instinctively say private surveillance, because it’s voluntary, is entirely acceptable. Of course this attitude is overly simplistic. First, private surveillance often turns into public surveillance. Second, the market manipulations performed by the State have raised the consequences of private surveillance even when it doesn’t turn into public surveillance.

Consider health insurance. For most people their health insurance is tied to their employment. This practice is a holdover from World War II, where the State manipulated the market in such a way that employers had to find forms of compensation besides pay to attract employees:

There is no good reason for any of this, aside from historical accident. During World War II, federal wage controls prevented employers from wooing workers with higher pay, so companies started offering health insurance as a way around the law. Of course, this form of nonmonetary compensation is still pay. When the war ended, the practice stuck.

I doubt the long term consequences of this marriage were realized by the employers who first used health insurance as a means to attract employees. Fast forward many decades later and we have a relationship so tight that employers are surveilling their employees’ health data:

Employee wellness firms and insurers are working with companies to mine data about the prescription drugs workers use, how they shop, and even whether they vote, to predict their individual health needs and recommend treatments.

Trying to stem rising health-care costs, some companies, including retailer Wal-Mart Stores Inc., are paying firms like Castlight Healthcare Inc. to collect and crunch employee data to identify, for example, which workers are at risk for diabetes, and target them with personalized messages nudging them toward a doctor or services such as weight-loss programs.

One of the downsides of employers providing health insurance is that they front a lot of the costs. Employers, like everybody else, have an interest in keeping their costs down. Now, instead of minding their own business, employers are trying to snoop on their employees’ health care information.

Health care information is something most people see as confidential. It can reveal a lot of potentially embarrassing things about a person such as having a sexually transmitted disease or mental illness. Unless your health is preventing you from working it shouldn’t be the business of your employer and most likely wouldn’t be if your health insurance wasn’t tied to your employment status.

This is why I respect Samuel Edward Konkin III more than most libertarian philosophers. His philosophy, agorism, argues for the death of wage labor. Instead it encourages everybody to be an entrepreneur who contracts directly with others. This is a stark contrast to many libertarian philosophers who seem to encourage wage labor.

The more independent you are the more free you are. By moving away from wage labor an individual becomes more independent and therefore more free. If you’re your own employer then you are free from worries of being surveilled and possibly fired for simply being too expensive to insure.

Written by Christopher Burg

February 19th, 2016 at 11:00 am

The Party Of Fascism

with 3 comments

I believe that getting into bed with social conservatives was one of the worst things to happen to libertarianism. Now that election season is upon us I’m reminded of this every day. Self-proclaimed libertarians are openly declaring their support for Republican frontrunners who continue to remind us that their interests are aligned with fascism, not libertarianism.

The recent kerfuffle between Apple and the Federal Bureau of Investigations (FBI) is yet another demonstration of this. Using the All Writs Act, a federal court is trying to make literal slaves out of Apple’s iOS developers. Anybody who subscribes to even very basic libertarian principles would oppose this order. But a fascist, whose loyalty is to the State above all else, would support it. So where does Donald Trump stand?

GOP presidential front-runner Donald Trump is insisting that Apple unlock the iPhone of one of the shooters in the San Bernardino, Calif., terrorist attack.

[…]

Trump disagreed stridently on Wednesday, calling it a matter of “common sense.”

“I agree 100 percent with the courts,” the business mogul said. “In that case, we should open it up. I think security over all — we have to open it up, and we have to use our heads. We have to use common sense.”

Donald believes Apple’s software developers are property of the State and should be compelled to write software. Let’s look at the current favorite amongst so-called libertarians, Ted Cruz (and we’ll throw in his buddy Carson as an added bonus):

Cruz said, “Apple has a serious argument” in protecting users’ privacy but said resisting the FBI’s request for help amounted to defying a search warrant. Carson said that Apple should find a way to get over mistrust of the government, but then added that might have to wait until President Obama leaves office, allowing for a delay that the FBI would probably oppose.

As if defying a terrible court order is a bad thing. My “libertarian” friends that support Cruz keep telling me he’s for small government and individual liberty but I can’t fathom how a man who thinks a court has a right to enslave software developers is for small government. Carson also demonstrates his love of government by criticizing Apple for being mistrustful of it.

Finally, just for fun, I’m going to throw in Tom “I Hate Due Process” Cotton for giggles:

“As a society, we don’t allow phone companies to design their systems to avoid lawful, court-ordered searches,” Cotton said in the statement. “If we apply a different legal standard to companies like Apple, Google, and Facebook, we can expect them to become the preferred messaging services of child pornographers, drug traffickers, and terrorists alike — which neither these companies nor law enforcement want.”

Whereas the other Republicans at least tried to sound kind of reasonable, Cotton went straight for the “messaging service of child pornographers, drug traffickers, and terrorists” line.

The Republican Party really is the party of fascism (as opposed to their close rival, the Democratic Party, which prefers its socialism be international). Not only are the policies put forth by Republican lawmakers generally fascist in nature but its members can’t help themselves when an opportunity to go on television and publicly declare their fascist policies presents itself. How this is supposed to be the party libertarians can prevail with is beyond me.

Written by Christopher Burg

February 19th, 2016 at 10:30 am

Invest In Security Now Or Pay Later

without comments

Security is a difficult thing to pitch. To summon Bastiat from beyond the grave, the costs of implementing security are seen but the costs of not implementing security are unseen. Making the pitch even more difficult is the fact that most people think, “It’ll never happen to me.” But a breach can happen to anybody and the associated costs are often tremendous:

Hollywood Presbyterian Medical Center, the Los Angeles hospital held hostage by crypto-ransomware, has opted to pay a ransom of 40 bitcoins—the equivalent of $17,000—to the group that locked down access to the hospital’s electronic medical records system and other computer systems. The decision came 10 days after the hospital lost access to patient records.

$17,000 is already a decent chunk of change and 10 days of network downtime for a hospital is a very serious expense. This disaster could have been greatly mitigated with proper security practices. First of all, based on what we know so far about the breach, e-mail should never have been accessible on a computer with direct access to a mission critical system:

Stefanek did not say how the malware was introduced into the hospital’s EMR system. But the leading suspect, according to sources familiar with the investigation, is a phishing attack—likely a link in an e-mail that was clicked by a hospital employee on a computer with access to the EMR system.

E-mail is the source of a lot of malware, and phishing attacks, specifically targeted ones, have become surprisingly effective. Knowing this, mission critical systems should be isolated from likely malware vectors (although I would argue those systems shouldn’t be connected to the Internet at all). Mission critical data should also be available redundantly so that if one system goes down another can take over immediately while the down one is repaired. Frequent backups should also be part of any security plan so that if something like this happens the machine can be quickly restored.
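One concrete piece of the plan described above is checking, before they are needed, that backups are both recent and still intact, since an intruder who can reach the backup share can encrypt or delete those copies too. This is an added example, not code from the post or from the hospital; the file names, contents and one-day freshness requirement are constructed for the demo.

```python
"""Backup integrity and freshness check (added example, not from the post).

A ransomware incident is only survivable if the backups are (a) recent and
(b) still the bytes you wrote, so this verifies both against a manifest of
SHA-256 digests recorded when the backup was taken. The files and ages in
demo() are constructed sample data.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Digest every file under root and record when the manifest was taken."""
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"taken_at": time.time(), "files": files}


def verify_backup(root: Path, manifest: dict, max_age_s: float, now=None) -> dict:
    """Compare the backup on disk with its manifest. Returns the files that are
    missing or whose content changed, and whether the backup is older than
    max_age_s (a stale backup restores stale records)."""
    now = time.time() if now is None else now
    missing, changed = [], []
    for rel, digest in manifest["files"].items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            changed.append(rel)
    stale = (now - manifest["taken_at"]) > max_age_s
    return {"missing": missing, "changed": changed, "stale": stale,
            "ok": not (missing or changed or stale)}


def demo() -> dict:
    """Constructed scenario: a clean backup, then one file overwritten and one
    removed, then the same backup judged a week later with a one-day limit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "records").mkdir()
        (root / "records" / "patient_index.db").write_bytes(b"constructed sample data\n")
        (root / "records" / "schedule.csv").write_bytes(b"room,time\n1,09:00\n")
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest, max_age_s=86400)
        (root / "records" / "patient_index.db").write_bytes(b"\x00garbage\xff")
        (root / "records" / "schedule.csv").unlink()
        tampered = verify_backup(root, manifest, max_age_s=86400)
        stale = verify_backup(root, manifest, max_age_s=86400,
                              now=manifest["taken_at"] + 7 * 86400)
        return {"clean": clean, "tampered": tampered, "stale": stale}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest must be stored somewhere the backup host cannot overwrite (or signed), otherwise whatever rewrites the backup can rewrite the digests with it.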

If you’re in a position that oversees budgeting give serious consideration to the unseen consequences of not providing funds for security and realize that an attack can happen to your organization.

Written by Christopher Burg

February 19th, 2016 at 10:00 am

Posted in News You Need to Know
