Doublethink

In George Orwell’s Nineteen Eighty-Four doublethink is described as, “The power of holding two contradictory beliefs in one’s mind simultaneously, and accepting both of them… To tell deliberate lies while genuinely believing in them, to forget any fact that has become inconvenient, and then, when it becomes necessary again, to draw it back from oblivion for just as long as it is needed, to deny the existence of objective reality and all the while to take account of the reality which one denies – all this is indispensably necessary.” That is the most accurate term to describe the White House’s claim that what the Federal Bureau of Investigation (FBI) is demanding of Apple isn’t a back door:

The White House says a court ruling asking Apple to help the FBI access data on a phone belonging to the San Bernardino gunman does not mean asking for a “back door” to the device.

By definition a backdoor, as it pertains to security, is a purposely placed mechanism that allows an unauthorized party to bypass security measures. What the FBI is asking Apple to develop is a special version of iOS that attempts to brute force the device’s password and doesn’t contain the increasing timed lockout functionality when entering incorrect passwords or the functionality that erases the phone after 10 incorrect passwords have been entered. The FBI is asking for a backdoor.

Just because the FBI is demanding this special firmware for a specific iPhone doesn’t mean the firmware isn’t a backdoor. But through the magic of doublethink the White House is able to claim what the FBI is demanding isn’t a backdoor.
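To see what those two protections contribute, here is an added model (not code from the original post or from Apple) of a passcode check with an escalating lockout timer and erase after 10 failures, next to the same check with both removed. The delay schedule, the `PasscodeGuard` class and the sample passcodes are constructed for illustration.

```python
import hmac
from dataclasses import dataclass

# Constructed policy values for this model (not taken from the page or from Apple).
DELAYS = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}  # failures so far -> forced wait (s)
WIPE_AT = 10                                        # failures that trigger the erase


@dataclass
class PasscodeGuard:
    passcode: str
    enforce: bool = True        # False models firmware with both protections removed
    failures: int = 0
    locked_until: float = 0.0
    wiped: bool = False

    def try_unlock(self, guess: str, now: float) -> str:
        if self.wiped:
            return "wiped"
        if self.enforce and now < self.locked_until:
            return "locked"               # the guess is not even evaluated
        if hmac.compare_digest(guess.encode(), self.passcode.encode()):
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.enforce:
            if self.failures >= WIPE_AT:
                self.wiped = True         # data is gone; later guesses are pointless
                return "wiped"
            self.locked_until = now + DELAYS.get(self.failures, 0)
        return "wrong"


def exhaust(guard: PasscodeGuard, digits: int = 4):
    """Walk the passcode space in order, waiting out every lockout.

    Returns (final status, guesses evaluated, simulated seconds spent waiting).
    """
    now, tried = 0.0, 0
    for n in range(10 ** digits):
        now = max(now, guard.locked_until)   # wait for the timer to expire
        status = guard.try_unlock(f"{n:0{digits}d}", now)
        tried += 1
        if status in ("unlocked", "wiped"):
            return status, tried, now
    return "exhausted", tried, now


if __name__ == "__main__":
    print("protections on: ", exhaust(PasscodeGuard("7391")))
    print("protections off:", exhaust(PasscodeGuard("7391", enforce=False)))
```

With the protections on, the model erases itself after ten guesses covering 0.1% of a four-digit space; with them off, the only remaining defence is the size of the passcode space.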

Legally Speaking, You’re The Property Of The State

The All Writs Act is a piece of legislation that made it clear in vague but certain terms that everybody in the United States is the property of the State:

Basically, it’s “a very short, cryptic statute” that gives the courts “all sorts of incidental powers” to require things not specifically covered by other laws, according to Stephen Vladeck, a law professor at American University.

In the past, the act has been used to compel non-parties — like service providers of tech companies — to help in criminal investigations, Vladeck said. But that help has typically been limited to straightforward requests, like activating or turning off particular features and using systems that are already in place, he said.

The new order is different: It tells Apple to help the government by creating an entirely new software to help investigators bypass security features. “That requires Apple to go much further than any company has ever been required to go in one of these cases,” said Vladeck.

Although the statute is short and rather vague its intention is quite clear: to give the State the legal authority to compel people into performing actions. It’s currently being cited to compel Apple to create a custom backdoor for the Federal Bureau of Investigation (FBI). But this isn’t the first time this archaic law has been used to force technology companies to perform the State’s will.

Can a court compel a person to act? If so that effectively makes everybody the slave of any judge with an order. It’s clear that the State believes a judge has such authority because it allows them to hold disobedient individuals in a cage for being in contempt of court. Therefore it must be said that the All Writs Act creates a form of legalized slavery.

TANSTAAFL

Free K-12 schooling! Free college! Free healthcare! The State sure is magnanimous!

Unfortunately, to the chagrin of utopians, there ain’t no such thing as a free lunch:

WILLOW RIVER — Scott Killerud was about to throw away a mailing about the 2016 enrollment period for MNsure last November when something caught his eye.

“Just as I was going to drop it in the trash, I was like — wait a second. What did I just read?” the Pine County farmer said.

What caught his eye was a notification that if you’re 55 or older and on Medical Assistance — Minnesota’s version of Medicaid — the state places an estate claim with which to recover its costs after you and your spouse have died.

Killerud was younger than 55, but his wife, Ellen, had reached that age the previous September. The couple, who supplement their farm income with part-time jobs, were told when they signed up for insurance through MNsure in 2014 that their income level qualified them for Medical Assistance.

But they didn’t know about the estate claim until Scott saw that mailing.

The State is in the business of stealing wealth, not handing it out. Whenever it claims to be giving something out for free you can be assured it’s part of a scam that is actually granting it further power to plunder the people.

Health insurance is the peak of the latest pyramid scheme. Acknowledging the fact that income taxes offer little in the way of plunder from people with little income, the State has created a program that allows it to take assets instead. This is especially important because it’s not unusual for retired individuals to have little in the way of income but a sizable sum in assets. By getting these individuals to sign up with MNsure, the State of Minnesota can give itself access to wealth that was previously outside of its grasp.

There is a lengthy list of things you should always be wary of. At the top of that list should be people offering free stuff.

Apple Tells The Feds To Pound Sand

The technology industry has a long history of being run by antiauthoritarians who bark a lot but roll over as soon as Uncle Sam commands it. This has led to a great deal of disappointment for me. Fortunately, after the Edward Snowden leaks, some technology companies have started developing a bit of a spine.

Yesterday a robed one in a court room commanded Apple to produce a custom firmware that would allow the Federal Bureau of Investigation (FBI) to more easily brute force the passcode on a suspect’s iPhone:

On Tuesday, a federal judge in Riverside, California, ordered Apple to help the government unlock and decrypt the iPhone 5C used by Syed Rizwan Farook, who shot up an office party in a terrorist attack in nearby San Bernardino in December 2015.

Specifically, United States Magistrate Judge Sheri Pym mandated that Apple provide the FBI a custom firmware file, known as an IPSW file, that would likely enable investigators to brute force the passcode lockout currently on the phone, which is running iOS 9.

By issuing this order Judge Pym openly stated that he believes Apple is a slave to the federal government and therefore can be forced to perform labor against its will. This is the point where a lot of technology companies would simply roll over and accept their place. Apple has decided it doesn’t want to play ball:

The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand.

[…]

Rather than asking for legislative action through Congress, the FBI is proposing an unprecedented use of the All Writs Act of 1789 to justify an expansion of its authority.

The government would have us remove security features and add new capabilities to the operating system, allowing a passcode to be input electronically. This would make it easier to unlock an iPhone by “brute force,” trying thousands or millions of combinations with the speed of a modern computer.

The implications of the government’s demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.

Opposing this order is not something we take lightly. We feel we must speak up in the face of what we see as an overreach by the U.S. government.

It will be interesting to see how far Apple can go in resisting this order but even if it does end up folding under the threat of government guns I want to give the company a hell of a lot of credit for this.

As Apple’s letter notes, this ruling has consequences far greater than this case alone. First, it would set a precedent that everybody is little more than a slave to the robed overlords of the courtrooms. Second, it would introduce an officially signed firmware that is purposely weakened to allow law enforcers to bypass built-in security mechanisms.

The first consequence isn’t anything new since the State has always viewed the people as slaves. But the second consequence is severe. I’m sure the FBI has pinky sworn that it will never use this firmware again but anybody familiar with the agency’s history knows such a promise will be broken. And the state of the federal government’s network security means this custom firmware will almost certainly end up online at some point. Then it will be available to nongovernmental terrorists, domestic abusers, and other violent individuals with a vested interest in snooping on their targets.

Whether you like Apple or not, I believe the company deserves a lot of credit for this. I hope it inspires other companies to follow suit.

Uncle Sam Wants His Money


Dennis Farina plays Uncle Sam in Get Shorty.

Let this story be a lesson to everybody. Be careful when you’re taking out a loan with the country’s biggest gang:

It might seem odd in an era defined by stagnant wages and rising income inequality for the long arm of the law to be cuffing Americans who default on their federal student loans. But according to reports out of Texas, that’s exactly what’s happening.

Paul Aker, 48, tells the New York Daily News and a local Fox broadcast affiliate that a coterie of heavily armed US Marshals showed up at his door in Houston last Thursday. His alleged crime? Failing to pay Uncle Sam back for a $1,500 student loan he took out to attend Prairie View A&M in 1987, he claims.

If you fail to pay back the mafia there’s a good chance armed men will come to your door, kidnap you, and take you to the Don.

This is another example of the rules being different for private individuals and the State. If you or a private institution loans money to somebody and they refuse to pay, you cannot kidnap them and place them in a cage until they pay you back. Uncle Sam can. So think twice before taking any of his filthy lucre.

Everything Is Better With Internet Connectivity

I straddle that fine line between an obsessive love of everything technologically advanced and a curmudgeonly attitude that results in me asking why new products ever see the light of day. The Internet of Things (IoT) trend has really put me in a bad place. There are a lot of new “smart” devices that I want to like but they’re so poorly executed that I end up hating their existence. Then there are the products I can’t fathom on any level. This is one of those:

Fisher-Price’s “Smart Toys” are a line of digital stuffed animals, like teddy bears, that are connected to the Internet in order to offer personalized learning activities. Aimed at kids aged 3 to 8, the toys actually adapt to children to figure out their favorite activities. They also use a combination of image and voice recognition to identify the child’s voice and to read “smart cards,” which kick off the various games and adventures.

According to a report released today by security researchers at Rapid7, these Smart Toys could have been compromised by hackers who wanted to take advantage of weaknesses in the underlying software. Specifically, the problem was that the platform’s web service (API) calls were not appropriately verifying the sender of messages, meaning an attacker could have sent requests that should not otherwise have been authorized.

I’m sure somebody can enlighten me on the appeal of Internet connected stuffed animals but I can only imagine these products being the outcome of some high level manager telling a poor underling to “Cloud enable our toys!” In all likelihood no specialists were brought in to properly implement the Internet connectivity features so Fisher-Price ended up releasing a prepackaged network vulnerability. Herein lies the problem with the IoT. Seemingly every company has become entirely obsessed with Internet enabled products but few of them know enough to know that they don’t know what they’re doing. This is creating an Internet of Bad Ideas.

There’s no reason the IoT has to be this way. Companies can bring in people with the knowledge to implement Internet connectivity correctly. But they’re not. Some will inevitably blame each company’s desire to keep overhead as low as possible but I think the biggest part of the problem may be rooted in ignorance. Most of these companies know they want to “cloud enable” their products to capitalize on the new hotness but are so ignorant about network connectivity that they don’t even know they’re ignorant.
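The flaw class the report describes, an API that acts on a request without verifying its sender, shown beside a handler that does verify it. This is an added example with a hypothetical API, token format and constructed records; it is not Fisher-Price’s code or code from the Rapid7 report.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"      # constructed secret for the example
PROFILES = {                              # constructed records
    "child-17": {"owner": "parent-a", "name": "Sam"},
    "child-42": {"owner": "parent-b", "name": "Alex"},
}


def issue_token(account: str) -> str:
    """Server side: bind a session token to an account at login."""
    tag = hmac.new(SERVER_KEY, account.encode(), hashlib.sha256).hexdigest()
    return f"{account}.{tag}"


def authenticated_account(token: str):
    """Return the account a token was issued to, or None if it is forged."""
    account, _, tag = token.partition(".")
    expected = hmac.new(SERVER_KEY, account.encode(), hashlib.sha256).hexdigest()
    if hmac.compare_digest(tag.encode(), expected.encode()):
        return account
    return None


def get_profile_unchecked(request: dict):
    """Flawed pattern: acts on whatever profile id the caller names."""
    return 200, PROFILES[request["profile_id"]]


def get_profile_checked(request: dict):
    """Verify who is calling, then that the caller owns the object."""
    account = authenticated_account(request.get("token", ""))
    if account is None:
        return 401, None
    profile = PROFILES.get(request.get("profile_id"))
    if profile is None or profile["owner"] != account:
        return 404, None      # same answer for "missing" and "not yours"
    return 200, profile


if __name__ == "__main__":
    token_a = issue_token("parent-a")
    other = {"token": token_a, "profile_id": "child-42"}
    print("unchecked:", get_profile_unchecked(other))   # returns another family's record
    print("checked:  ", get_profile_checked(other))     # refused
```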

Even An Air Gap Won’t Save You

Security is a fascinating field that is in a constant state of evolution. When new defenses are created new attackers follow and vice versa. One security measure some people take is to create and store their cryptography keys on a computer that isn’t attached to any network. This is known as an air gap and is a pretty solid security measure if implemented correctly (which is harder than most people realize). But even air gaps can be remotely exploited under the right circumstances:

In recent years, air-gapped computers, which are disconnected from the internet so hackers can not remotely access their contents, have become a regular target for security researchers. Now, researchers from Tel Aviv University and Technion have gone a step further than past efforts, and found a way to steal data from air-gapped machines while their equipment is in another room.

“By measuring the target’s electromagnetic emanations, the attack extracts the secret decryption key within seconds, from a target located in an adjacent room across a wall,” Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran Tromer write in a recently published paper. The research will be presented at the upcoming RSA Conference on March 3.

It needs to be stated up front that this attack requires a tightly controlled environment so isn’t yet practical for common real world exploitation. But attacks only improve over time so it’s possible this attack will become more practical with further research. Some may decry this as the end of computer security, because that’s what people commonly do when new exploits are created, but it will simply cause countermeasures to be implemented. Air gapped machines may be operated in a Faraday cage or computer manufacturers may improve casings to better control electromagnetic emissions.

This is just another chapter in the never ending saga of security. And it’s a damn impressive chapter no matter how you look at it.

You Can’t Stop The Signal

What would happen if the United States government passed a bill mandating the inclusion of backdoors in cryptographic algorithms? Not much. The politicians in Washington DC, like many denizens of this nation, forget that there is an entire world outside of this nation’s borders. A recent report put together by actual security experts shows that any domestic laws hindering encryption will be futile because a lot of cryptography software comes from abroad:

An estimated 63 percent of the encryption products available today are developed outside US borders, according to a new report that takes a firm stance against the kinds of mandated backdoors some federal officials have contended are crucial to ensuring national security.

The report, prepared by security researchers Bruce Schneier, Kathleen Seidel, and Saranya Vijayakumar, identified 865 hardware or software products from 55 countries that incorporate encryption. Of them, 546 originated from outside the US. The most common non-US country was Germany, a country that has publicly disavowed the kinds of backdoors advocated by FBI Director James Comey and other US officials. Although the Obama administration is no longer asking Congress for legislation requiring them, it continues to lobby private industry to include ways law enforcement agencies can decrypt encrypted data sent or stored by criminal or terrorism suspects.

We’re told that mandatory backdoors are necessary to make the lives of law enforcers easier. But passing a law mandating backdoors in systems that utilize cryptography would only affect domestic companies. Most devices are manufactured outside of the United States. Any law mandating ineffective cryptography would only apply to domestic devices, which means the mandated backdoors would likely only be included in devices meant for sale in the United States. That means avoiding a purposely weakened device would be as simple as ordering it from a foreign reseller.

Most of the boogeymen the politicians point to to justify mandating backdoors are primarily based in foreign countries. The terrorist and sex trafficking organizations are already buying their communication equipment outside of the United States so they will be entirely unaffected by any new domestic laws. Furthermore, being criminal organizations, nothing will change for them since they’re already breaking numerous laws.

At most a mandatory backdoor law will put the denizens here, at least those dumb enough to continue buying domestic devices, at risk of being exploited by domestic and foreign governments as well as malware producers.

Why We Can’t Have Nice Things

Do you know why we can’t have nice things? It’s because there are quislings out there ready and willing to cooperate with their oppressors:

MINNEAPOLIS – A Maple Grove bar owner and manager have been charged after being caught illegally importing Spotted Cow beer that they then sold at their establishment.

The two men, Brandon Hlavka, 37, of St. Michael and David Lantos, 28, of Brooklyn Park, were charged with a single felony of transporting alcohol into Minnesota for resale on Feb. 4.

Lantos, the bar manager, and Hlavka, the owner, of Maple Tavern were busted in April of last year after someone reported they were selling the Wisconsin beer on tap.

The New Glarus Brewing Co. beer is not a licensed manufacturer in Minnesota and its beer cannot be sold in the state.

Alcohol laws here in Minnesota are, well, really fucking stupid. There are different rules for alcohol that is sold only for on site consumption, referred to as on sale liquor, and alcohol sold only for off site consumption, referred to as off sale liquor. You can only buy on sale liquor at bars and restaurants and off sale liquor at liquor stores. Grocery stores can only sell liquor if they have a store separate from the grocery section. And the list goes on and on.

In this case the bar owners were importing beer from a company that isn’t licensed here in Minnesota. Here in Minnesota that’s a felony. You read that right, selling beer from an unlicensed manufacturer is a fucking felony.

These laws wouldn’t be as big of a deal if it weren’t for quislings like the one who turned these bar owners over. If nobody cooperated with the laws the laws would be much harder to enforce. Unfortunately there are people who are willing to ruin the lives of others because their religion of statism mandates that individual humans are of less value than the arbitrary decrees issued by the political clergy. It’s fucking sick.