Sovereign Immunity Means Never Having To Take Responsibility For Your Actions

If a private company poisoned your water supply you’d have grounds for a lawsuit. The reason for this is obvious: poisoning your water causes damage to both your person and property. Because of this the only way to make things as right as possible is for the poisoner to pay reparations. But the rules are different when the State poisons your water supply because it enjoys a legal fiction called sovereign immunity:

Michigan’s state and local officials poisoned Flint’s water with lead but innocent federal taxpayers are the ones having to foot the cleanup bill. President Obama has pledged to hand Flint $85 million in aid money. This sounds like a lot, but the fact of the matter is that it is far less than what Flint’s victims would have gotten if a corporation — rather than government — had been the culprit. That’s because, unlike private companies, the government is shielded from liability lawsuits.

[…]

The main reason that they don’t have a prayer of collecting much more is something called the doctrine of sovereign immunity. Under this doctrine, citizens are barred from suing their government for screw-ups that it has caused in the course of discharging a core function unless the government itself consents. Some very narrow exceptions exist but it is very difficult to make them stick.

We’re often told that governing bodies within the United States contain a series of checks and balances. The federal government has legislative, executive, and judicial branches that are supposed to keep each other in check. Municipal governments are supposed to be kept in check by county governments which are supposed to be kept in check by state governments which are supposed to be kept in check by the federal government. Reality is much different though.

Instead of acting as checks and balances the various pieces of the government more accurately reflect a circlejerk. Each part works to absolve the other of responsibility.

People have sued parts of the government before but only after it consented to being sued. Herein lies the major difference between private entities and the State. When a private entity causes you damage you can sue them whether they agree to allow you to do so or not. Suing the State requires getting its permission to do so. Since the State enjoys a monopoly on legal services within its borders you have no recourse if the State tells you to go pound sand when you come asking for permission to sue it.

Registering A Drone Puts Your Home Address Publicly To The Internet

When a handful of drone owners made some poor choices the Federal Aviation Administration (FAA) saw the opportunity to drum up some cash. It mandated that all drones must be registered with the FAA. Registering as a drone pilot costs $5.00 and failing to register can cost up to $250,000 and/or up to three years in a cage. Either way the FAA wins and you lose. Why do you lose? Because a hidden cost of registering your drone is making your home address publicly available on the Internet:

The FAA is delighted that signups for its new drone registry have hit 300,000. But the agency’s buoyant mood is destined for a nosedive. The FAA isn’t warning drone owners their names and addresses are easily searchable and downloadable (47MB) in the agency’s online registry.

To add a bit more insult than usual to public registries, the FAA’s drone pilot registry even includes minors:

While drone owners must be 13 years old to register, the privacy threat posed by this registry is particularly concerning for minors — for obvious reasons.

The poor manner in which this registry program has been handled just adds credence to the entire thing being a quick cash grab. Even a little bit of thought would have caused the developers to realize how bad of an idea making people’s names and addresses publicly available is. It’s especially damning when it’s so easy to make a more anonymized database.

The Next Stage In 3D Printed Firearms

Proving once again that technology overcomes legal restrictions, a new stage in 3D printed firearms has been reached. Instead of a single shot pistol that’s difficult to reload we now have a 3D printed semiautomatic 9mm handgun:

Last weekend a 47-year-old West Virginia carpenter who goes by the pseudonym Derwood released the first video of what he calls the Shuty-MP1, a “mostly” 3-D printed semi-automatic firearm. Like any semi-automatic weapon, Derwood’s creation can fire an actual magazine of ammunition—in this case 9mm rounds—ejecting spent casings one by one and loading a new round into its chamber with every trigger pull. But unlike the typical steel semi-automatic rifle, Derwood says close to “95 percent” of his creation is 3-D printed in cheap PLA plastic, from its bolt to the magazine to the upper and lower receivers that make up the gun’s body.

Here’s a video of it firing:

As the article notes, the gun isn’t perfect. The plastic around the barrel apparently starts to melt after firing 18 rounds if sufficient cooling time isn’t given. But the pace at which 3D printed firearms are evolving is staggering. In a few short years we’ve gone from the single shot Liberator pistol to a fully functional semiautomatic pistol. It won’t be long until practical 3D printed firearms are designed.

What does this mean? It means prohibitions against firearms are less relevant. Prohibiting something that any schmuck can make in their home isn’t possible. Alcohol prohibition and the current war on drugs have proven that.

Building A Mesh Network In New York City

One of the biggest weaknesses of today’s Internet is its reliance on centralized providers. Getting Internet access at home usually requires signing up with one of the few, if you’re even lucky to have more than one, Internet service providers (ISPs). In my area, for example, the only real options are Comcast or CenturyLink. CenturyLink only offers Digital subscriber line (DSL) services so the only actual option for me, assuming I want access speeds above 1Mbps, is Comcast. My situation isn’t unique. In fact it’s the norm.

The problems with highly centralized systems such as this are numerous, especially when you consider how cozy most ISPs are with the State. Censorship and surveillance are made much easier when a system is centralized. Instead of having to deal with a bunch of individuals to censor or surveil Internet users the State only has to make a few sweetheart deals with the handful of ISPs. Another issue with heavily centralized systems is that users are at a severe disadvantage. The entire debate surrounding net neutrality is really only an issue because so little competition exists in the Internet provision market. If Comcast wants to block access to Netflix unless I pay an additional fee there really isn’t much I can do about it.

Many consider this nightmare proof that the market has failed. But such accusations are nonsense because the market isn’t at work here. The reason so little competition exists in the Internet provision market is because the State protects current ISPs from competition. It’s too easy for a massive regulatory entity such as the State to put its boot down on the face of centralized service providers.

Does all this mean an uncensored, secured Internet is impossible to achieve? Not at all. The trick is to move away from easily identified centralized providers. If, for example, every Internet user was also a provider it would make it practically impossible for the State to effectively control it. That’s what mesh networks can offer and the idea is becoming more popular every day. Denizens of New York City have jumped onboard the mesh network bandwagon and are trying to make local ISPs irrelevant:

The internet may feel free, but it certainly isn’t. The only way for most people to get it is through a giant corporation like Comcast or Time Warner Cable, companies that choke your access and charge exorbitant prices.

In New York City, a group of activists and volunteers called NYC Mesh are trying to take back the internet. They’re building something called a mesh network — a makeshift system that provides internet access. Their goal is to make TWC totally irrelevant.

The hardest part about establishing a mesh network is achieving critical mass. A mesh network needs a decent number of nodes to begin being truly useful. That’s why it makes sense to start building mesh networks in very densely populated areas such as New York City. If the necessary critical mass is achieved in a few major metropolitan areas it will become feasible to bypass centralized ISPs by connecting various regional mesh networks together.

Looking at NYC Mesh’s map of active nodes it seems like they’ve already established pretty decent coverage considering the organization has only been around since January of 2014. If they can keep up this pace they could soon become a viable alternative to local centralized ISPs.

When Karma Bites You In The Ass

The National Security Agency (NSA), which is supposedly tasked with securing domestic networks in addition to exploiting foreign networks, has caused a lot of damage to overall computer security. It appears one of its efforts, inserting a backdoor into the Dual Elliptic Curve Deterministic Random Bit Generation algorithm, may have bitten the State in the ass:

The government may have used compromised software for up to three years, exposing national security secrets to foreign spies, according to lawmakers and security experts.

Observers increasingly believe the software defect derived from an encryption “back door” created by the National Security Agency (NSA). Foreign hackers likely repurposed it for their own snooping needs.

[…]

The software vulnerability was spotted in December, when Juniper Networks, which makes a variety of IT products widely used in government, said it had found unauthorized code in its ScreenOS product.

[…]

The case is especially frustrating to security experts because it may have been avoidable. The hackers, they say, likely benefited from a flaw in the encryption algorithm that was inserted by the NSA.

For years, the NSA was seen as the standard-bearer on security technology, with many companies relying on the agency’s algorithms to lock down data.

But some suspected the NSA algorithms, including the one Juniper used, contained built-in vulnerabilities that could be used for surveillance purposes. Documents leaked by former NSA contractor Edward Snowden in 2013 appeared to confirm those suspicions.

Karma can be a real bitch.

This story does bring up a point many people often ignore: the State relies on a great deal of commercial hardware. Its infrastructure isn’t built of custom hardware and software free of the defects agencies such as the NSA introduce into commercial products. Much of its infrastructure is built on the exact same hardware and software the rest of us use. That means, contrary to what many libertarians claim as a pathetic justification not to learn proper computer security practices, the State is just as vulnerable to many of the same issues as the rest of us and is therefore not as powerful as it seems.

Microsoft Makes Windows 10 A Recommended Upgrade For Users Of Older Versions Of Windows

File this under things that really annoy me:

From Monday, Windows Update will start making the upgrade to version 10 of the operating system a recommended update, rather than an optional one, a spokesperson for the software giant confirmed.

So if you’ve got Windows Update set up to automatically fetch and install recommended items – and the vast majority of people do because it’s the default setting – expect to, well, download and install a few gigabytes of Windows 10.

I understand Microsoft’s position. It’s getting tired of sinking resources into supporting older versions of its operating system. Moving more people to Windows 10 reduces the amount of resources it has to invest in older versions. At the same time, this makes my life difficult.

One of the simplest pieces of security advice that can be given is to tell users to turn on automatic updates. A lot of malware infections are the result of a user failing to apply the latest security patches for their operating system. Turning on automatic updates ensures the latest security patches are automatically downloaded and installed soon after they’re released.

But a lot of users don’t want to upgrade to Windows 10. By moving Windows 10 into the recommended updates category users with automatic updates turned on will, unless they jump through a few hoops, find themselves running Windows 10.

This is an awkward position for me because I feel as though I must continue recommending people use automatic updates but I don’t want to force them into using the latest version of Windows if they don’t want to.

The Networks Have Ears

Can you trust a network you don’t personally administer? No. The professors at the University of California are learning that lesson the hard way:

“Secret monitoring is ongoing.”

Those ominous words captured the attention of many faculty members at the University of California at Berkeley’s College of Natural Resources when they received an email message from a colleague on Thursday telling them that a new system to monitor computer networks had been secretly installed on all University of California campuses months ago, without letting any but a few people know about it.

“The intrusive device is capable of capturing and analyzing all network traffic to and from the Berkeley campus, and has enough local storage to save over 30 days of *all* this data (‘full packet capture’). This can be presumed to include your email, all the websites you visit, all the data you receive from off campus or data you send off campus,” said the email from Ethan Ligon, associate professor of agricultural and resource economics. He is one of six members of the Academic Senate-Administration Joint Committee on Campus Information Technology.

When you control a network it’s a trivial matter to set up monitoring tools. This is made possible by the fact many network connections don’t utilize encryption. E-mail is one of the biggest offenders. Many e-mail servers don’t encrypt traffic being sent so any network monitoring tool can read the contents. Likewise, many websites still utilize unencrypted connections so monitoring tools can easily read what is being sent and received between a browser and a web server. Instant messaging protocols often transmit data in the clear as well so monitoring tools can read entire conversations.

It’s not feasible to only use networks you control. A network that doesn’t connect to other networks is very limited in use. But there are tools to mitigate the risks associated with using a monitored network. For example, I run a Virtual Private Network (VPN) server that encrypts traffic between itself and my devices. When I connect to it all of my traffic goes through the encrypted connection so local network monitoring tools can’t snoop on my connections. Another tool that works very well for websites is the Tor Browser. The Tor Browser sends all traffic through an encrypted connection to an exit node. While the exit node can snoop on any unencrypted connections, local monitoring tools cannot.

Such tools wouldn’t be as necessary to maintain privacy though if all connections utilized effective encryption. E-mail servers, websites, instant messengers, etc. can encrypt traffic and often do. But the lack of ubiquitous encryption means monitoring tools can still collect some data on you.
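To make concrete what a full-packet-capture monitor can and cannot read, here is an added example (not part of the original post) that takes the client-to-server bytes of a connection and lists the lines recoverable in cleartext. The function names and every sample stream are constructed for this illustration.

```python
# Added example: which client-sent lines a passive monitor can read.
# Every byte stream below is constructed for illustration.

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def is_tls_client_hello(data: bytes) -> bool:
    """True if data begins with a TLS handshake record carrying a ClientHello."""
    if len(data) < 6:
        return False
    record_len = int.from_bytes(data[3:5], "big")
    return (data[0] == 0x16                      # record type: handshake
            and data[1] == 0x03 and data[2] <= 0x04
            and 0 < record_len <= 2 ** 14        # maximum TLS record size
            and data[5] == 0x01)                 # handshake type: ClientHello


def readable_client_lines(stream: bytes):
    """Return (lines, tls_started) for one client-to-server byte stream.

    Lines are collected until a TLS ClientHello appears; everything after
    that point is ciphertext to the monitor.
    """
    lines, pos = [], 0
    while pos < len(stream):
        if is_tls_client_hello(stream[pos:]):
            return lines, True
        end = stream.find(b"\r\n", pos)
        if end == -1:
            end = len(stream)
        if end > pos:                            # skip empty separator lines
            lines.append(stream[pos:end].decode("ascii", errors="replace"))
        pos = end + 2
    return lines, False


def audit_flow(stream: bytes) -> dict:
    """Summarise what a monitor learns from the client side of a flow."""
    lines, tls_started = readable_client_lines(stream)
    first = lines[0].upper() if lines else ""
    if stream.startswith(HTTP_METHODS):
        protocol = "http"
    elif first.startswith(("EHLO ", "HELO ")):
        protocol = "smtp"
    elif tls_started:
        protocol = "tls"
    else:
        protocol = "unknown"
    return {"protocol": protocol, "readable": lines, "tls_started": tls_started}


# Constructed bytes shaped like the start of a TLS ClientHello (zero-filled body).
TLS_HELLO = b"\x16\x03\x01\x00\x31\x01\x00\x00\x2d\x03\x03" + bytes(43)
# Constructed SMTP submission with no encryption at all.
SMTP_PLAIN = (b"EHLO laptop.example\r\nMAIL FROM:<alice@example.org>\r\n"
              b"RCPT TO:<bob@example.net>\r\nDATA\r\nSubject: lab results\r\n"
              b"\r\nSee attached.\r\n.\r\nQUIT\r\n")
# Constructed SMTP session that upgrades with STARTTLS before sending mail.
SMTP_STARTTLS = b"EHLO laptop.example\r\nSTARTTLS\r\n" + TLS_HELLO
# Constructed unencrypted web request.
HTTP_PLAIN = (b"GET /search?q=symptoms HTTP/1.1\r\nHost: www.example.com\r\n"
              b"Cookie: session=constructed\r\n\r\n")

if __name__ == "__main__":
    for name, flow in [("tls", TLS_HELLO), ("smtp", SMTP_PLAIN),
                       ("smtp+starttls", SMTP_STARTTLS), ("http", HTTP_PLAIN)]:
        print(name, audit_flow(flow))
```

Even for flows where nothing is readable, the monitor still records the endpoints, timing and volume of the connection.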

Getting Off The No-Fly List

With the rekindled excitement for prohibiting people on the government’s terrorist watch lists from purchasing firearms it’s a good time to review how terrible of an idea the lists themselves are. The lists and the criteria for appearing on them are secret so there is no due process involved. We know approximately 40 percent of the names on the lists aren’t affiliated with any known terrorist organization. To make matters even worse there’s no way to know whether you’re on the lists until you try to fly and end up being detained and interrogated for hours. And once you’re on the lists getting off of them is no simple matter:

Kadura, an American citizen, was placed on the federal government’s no-fly list in 2012. Since then, in addition to being prevented from boarding flights, he has been detained, interrogated, and harassed at border crossings and pressured by authorities to become a government informant.

The 25-year-old American medical student, who was raised in Indiana, has spent the last three years trying to coax information out of the government and clear his name. Last year, he sued in federal court over his watchlisting, joining four other Muslim Americans represented by lawyers from the Michigan chapter of the Council on American-Islamic Relations. That case was still ongoing, when, this past September, Kadura suddenly received a brief, terse letter from the government indicating that he was no longer on the list and could board a plane without impediment.

Since 2012 Kadura hasn’t been able to fly. He finally found his ability to fly restored but there is no indication of why. There was no known process for him to file an appeal. He initiated a lawsuit, which hadn’t concluded when his ability to fly was restored so no information of how one might restore their privileges was drawn out during the hearing. Like getting on the list, getting off of the list is a black box.

Proponents of barring people on the terrorist watch lists from purchasing firearms like to say, “If you can’t fly, you shouldn’t be able to own a gun.” It’s idiocy that ignores the fact that nobody on the terrorist watch lists should be prohibited from flying since there is no due process involved in appearing on the lists nor is there a known way of getting removed.

Everything Is Becoming A Snitch

The Internet of Things promises many wonderful benefits but the lack of security focus guarantees there will be severe detriments. A column in the New York Times inadvertently explains how dire some of these detriments could be:

WASHINGTON — For more than two years the F.B.I. and intelligence agencies have warned that encrypted communications are creating a “going dark” crisis that will keep them from tracking terrorists and kidnappers.

Now, a study in which current and former intelligence officials participated concludes that the warning is wildly overblown, and that a raft of new technologies — like television sets with microphones and web-connected cars — are creating ample opportunities for the government to track suspects, many of them worrying.

“ ‘Going dark’ does not aptly describe the long-term landscape for government surveillance,” concludes the study, to be published Monday by the Berkman Center for Internet and Society at Harvard.

The study argues that the phrase ignores the flood of new technologies “being packed with sensors and wireless connectivity” that are expected to become the subject of court orders and subpoenas, and are already the target of the National Security Agency as it places “implants” into networks around the world to monitor communications abroad.

The products, ranging from “toasters to bedsheets, light bulbs, cameras, toothbrushes, door locks, cars, watches and other wearables,” will give the government increasing opportunities to track suspects and in many cases reconstruct communications and meetings.

Encryption is only part of the electronic security puzzle. Even if your devices are properly implementing encryption to secure the data they store, transmit, or receive they may not be properly enforcing credentials. Authorized users are expected to be able to gain access to plaintext data so bypassing the security offered by encryption can be done by gaining access to an authorized user account.

Let’s consider the Amazon Echo. The Echo relies heavily on voice commands, which means it has a built-in microphone that’s always listening. Even if the data it transmits to and receives from Amazon is properly encrypted an unauthorized user who gains access to the device as an authorized user could use the microphone to record conversations. In this case cryptography hasn’t failed, the device is merely providing expected access.

Internet of Things devices, due to the lack of security focus, often fail to enforce authorization. Some devices require no authorization at all, have vulnerabilities that allow an unauthorized user to gain access to an authorized user’s account, include built-in backdoor administrative accounts with hardcoded passwords, etc. That gives the State potential access to a great deal of sensors in a targeted person’s household.

I’m not against the idea behind the Internet of Things per se. But I’m wary of such devices at the moment because the manufacturers are, in my opinion, being sloppy with security. In time I’m sure the hard lessons will be learned just as they were learned by operating system developers in the past. When that finally happens and I can be reasonably assured the security of my smart television isn’t nonexistent I may become more willing to buy such products.

Mandatory Tracking

Fitness trackers are convenient devices for tracking health related information. Unfortunately many organizations see genuinely good ideas and decide they must be mandatory. That’s what the Oral Roberts University in Oklahoma has decided:

Oral Roberts University in Tulsa, Oklahoma, is requiring incoming freshmen to wear Fitbit fitness trackers to record 10,000 steps per day, with the information being made available to professors.

“ORU offers one of the most unique educational approaches in the world by focusing on the Whole Person — mind, body and spirit,” ORU President William M. Wilson said in a statement, a local CBS News affiliate reported.

“The marriage of new technology with our physical fitness requirements is something that sets ORU apart,” he said. “In fact, when we began this innovative program in the fall of 2015, we were the first university in the world to offer this unique approach to a fitness program.”

The Fitbit device uses GPS technology to track how and where students exercise, eat and sleep, as well as the calories they burn, how much they weigh and other personal information, EAGNews reported.

This raises so many privacy related questions. How does the university verify each student has taken the right number of steps per day? Is the information synced to the student’s smartphone (assuming the student has a smartphone)? If so, is the data collected by an app created by the university or Fitbit’s app? If the latter does the university demand students hand over their Fitbit account credentials? Is the health data accessible at any time to the university?

More concerning is how this technology will be mandated in the future. Will health insurance companies begin mandating that customers must wear Fitbits and meet a certain number of daily steps? While one can choose not to attend the Orwell, err, Oral Roberts University they cannot decide to forgo health insurance lest they be fined by the State. Could businesses require employees to wear Fitbits as part of a wellness program (one of my friends works at a place where wearing a Fitbit is required to receive a health insurance discount but it’s not mandatory yet)?

Technology is great so long as it remains voluntary. It’s when organizations start mandating the use of a technology that things become frightening.