Month: March 2016

Let’s Talk About Privacy Rights

It was bound to happen sooner or later. The Republican lawmakers’ obsession with bathrooms has made its way to Minnesota. Senators Scott Newman, Dan Hall, Dave Thompson, Michelle Benson, and Paul Gazelka introduced a bill to mandate discrimination against transgender individuals:

Republicans in the Minnesota Senate introduced a bill on Friday that would block businesses and other employers from providing gender-neutral restrooms or from enacting policies that allow transgender employees to use appropriate restrooms. Senate File 3002 amends the 1993 Minnesota Human Rights Act — the nation’s first nondiscrimination law to include gender identity.

The bill starts with a specious definition of “sex.” It states, “A person’s sex is either male or female as biologically defined.” The bill does not mention people who fall outside the male-female binary such as those who are intersex, nor those whose sex designations have been legally changed under Minnesota law.

Why do these particular lawmakers feel qualified to define sex? Hell if I know. They probably believe democracy carries some kind of magical power that grants otherwise unremarkable individuals divine knowledge. Either way, their delusions of grandeur are only one absurdity amongst many in this case. Another absurdity is the justification given in the bill for its existence:

No claim of nontraditional identity or “sexual orientation” may override another person’s right of privacy based on biological sex in such facilities as restrooms, locker rooms, dressing rooms, and other similar places, which shall remain reserved for males or females as they are biologically defined.

Emphasis mine. Let’s discuss what a right to privacy is. A right, as it pertains to legal matters, is something that cannot be prohibited by the government. When somebody says you have a right to free speech they mean the government cannot prohibit you from saying something. When somebody says you have a right to a jury trail they mean the government cannot bar you from having a jury trail when it has accused you of a crime. When somebody says you have a right to privacy they mean the government cannot violate your privacy.

A right to privacy in a restroom, lock room, dressing room, or other similar facility means the government cannot surveil you in those facilities. That’s it. Since this bill has nothing to do with government surveillance in these facilities it also as no business arguing that its preserving a right to privacy.

In fact this bill would be a violation of privacy rights. How can a bill restricting what bathrooms transgender individuals can use be enforced? First, the enforcers have to identify transgender individuals. That would require looking through every individuals’ medical records. Second, the enforcers must surveil bathrooms so it can catch anybody violating the restriction. Since victimless violations of the law such at this one have no injured parties the only way to enforce them is through surveillance. That necessarily requires the government to violate everybody’s privacy.

Cruzing The Ghetto

The attack in Brussels is only happened a few days. That means there hasn’t been enough time for a serious investigation. But that isn’t stopping people from playing the blame game. Wild speculations are being thrown about everywhere but I think Ted Cruz managed to become king of the asshole mountain:

After repeating his standard campaign-trail assertion that Barack Obama has failed to confront – or even properly identify – “radical Islamic terrorists”, he called for the US to stop admitting refugees from areas with a so-called Islamic State or al-Qaeda presence.

He then turned his attention to the home front.

“We need to empower law enforcement to patrol and secure Muslim neighbourhoods before they become radicalised,” he said.

Cruz is always looking to make government smaller and more efficient. Whereas Franklin Roosevelt built expensive concentration camps to hold American citizens of Japanese decent, Cruz wants to use the cheaper option of simply turning Muslim neighborhoods into little Warsaw Ghettos.

Since Cruz stylizes himself as an individualist his proposal is ironic. Collective punishment, as the name denotes, is an entirely collectivist ideal. By saying Muslim neighborhoods must be patrolled Cruz is stating that he believes all Muslims shared responsibility for the action of the bombers in Brussels. That’s the exact opposite of individualism, which only holds the individuals directly responsible for crimes responsible (because they were the only ones responsible).

If turning Muslim neighborhoods into ghettos isn’t the proper response to these attacks, what is? As much as people hate to hear it the only proper response is to have patients. Nothing can be accomplished until a thorough investigation has been performed and the evidence has been analyzed. Until the investigation has concluded anything we hear will be speculative or preliminary in nature. Once the investigation has concluded we can consider methods of mitigating future attacks like this. Unfortunately it will be impossible to bring those responsible for these attacks to justice since they killed themselves. But we can use the information gathered by investigators to make future attacks like this harder to pull off (of course, since the government will claim a monopoly on implementing countermeasures, we’ll probably just get an expansion of the police state instead of effective methods of guarding against these kinds of attacks).

Property Taxes Encourage Gentrification

Property taxes are often used by municipal governments to raise funds for the services they’ve monopolized. These services include paychecks for municipal employees, which often includes the very people who voted to implement the current property tax rates.

Because property taxes are used to fund municipal services they’re also a popular topic for political do-gooders. Whenever a perceived blight on the city arises; whether it be homelessness, crime, or environmental issues; the do-gooders demand the property taxes be raised to fund programs to alleviate the blight. Oftentimes these do-gooders are also the same people who complain about gentrification. As politics tends to do, this creates a vicious cycle that leads people to be at odds with themselves.

The very property taxes that fund municipal services are also an incentive for municipal governments to gentrify entire neighborhoods. Gentrification, after all, leads to an increase in property taxes since older, lower-valued properties are replaced with newer, higher-valued properties. Together a few home built in the 1940s tend to have a much lower property value than a single high-density apartment complex. Since property taxes are almost always tied to the value of a property a municipal government can make more money off of the high-density apartment complex than the old homes.

As the number of municipal services increases the number of city employees also increases. That means a larger and larger block of municipal voters are dependent on the rate of property taxes. Furthermore, municipal employees, like every other kind of employee, want to see their pay increase over time. Since politicians tend to want to stay in office instead of finding meaningful employment they have a vested interest in pandering to the majority of voters. How can members of a city council promise municipal employees that their jobs won’t go away and that they’ll get their desired raises? By raising property taxes, of course. As an added benefit the increase in property taxes allows the members of the city council to increase their pay as well.

I’m sure you can see the vicious cycle that forms from this. Wanting to increase the amount of money brought in by property taxes, the municipal governments continue to implement programs that encourage lower-valued property be replaced by higher-valued properties. As these programs fulfill their intended goal the number of properties affordable by poorer individuals continues to decrease. In effect property taxes, instead of being a form of relief for the poor, create a cycle that incentivizes municipal governments to push the poor out of the city.

When Your Radical Goals Become Self-Defeating

From yesteryear’s anti-war movement to today’s social justice movement, college campuses have served as some of the biggest hot zones for social upheaval. Today’s upheaval, just like yesteryear’s, is being played out by conservatives who want things to remain as they are, radicals who want to change things, and everybody caught between them.

Both extremes have an unfortunate habit of becoming extremely authoritarian. For the radicals this authoritarianism can quickly become self-defeating though:

At Western Washington University, a public institution with roughly 15,000 students, a group of leftist activists calling itself the Student Assembly for Power and Liberation has issued a sweeping list of demands that would radically reshape its school.

[…]

The petition goes on to call for $45,000 annually to compensate “students and faculty doing de-colonial work on campus” and the creation of a 15-member student panel, dubbed the Office for Social Transformation, “to monitor, document, and archive all racist, anti-black, transphobic, cissexist, misogynistic, ablest, homophobic, Islamophobic, xenophobic, anti-semitic, and otherwise oppressive behavior.” This panel would have the power to investigate and discipline students and faculty members and to fire even tenured faculty members.

Surveillance always favors those already in power. Conservatives, as proponents of the current system, favor the current individuals in power. That means any surveillance system will necessarily favor conservatives.

Herein lies the moment when radicalism can become self-defeating. Surveillance sounds like a very attractive tool to both sides because it allows them to identify and take out their opposition. Given an excuse the established power will gladly implement a surveillance system. By demanding such a surveillance system the radicals are giving the conservatives a convenient excuse to implement a surveillance system while justifying it as a compromise. Once implemented though the surveillance system remains in their control and they can use it to identify and take out radicals.

The current social justice movement isn’t unique in this. Many radical movements throughout history have provided the rope needed to hang them with to their conservative opposition. If you’re a radical any authoritarian system will be used against you so don’t volunteer your support for its implementation.

What The Paris Attackers Used Instead Of Encryption

Our overlords are still trying to make us believe the the reason the Paris attackers weren’t discovered before the attack is because they used effective cryptography. That is a blatant lie though. So what did the attackers use to avoid detection? A lot of cell phones:

New details of the Paris attacks carried out last November reveal that it was the consistent use of prepaid burner phones, not encryption, that helped keep the terrorists off the radar of the intelligence services.

As an article in The New York Times reports: “the three teams in Paris were comparatively disciplined. They used only new phones that they would then discard, including several activated minutes before the attacks, or phones seized from their victims.”

The article goes on to give more details of how some phones were used only very briefly in the hours leading up to the attacks. For example: “Security camera footage showed Bilal Hadfi, the youngest of the assailants, as he paced outside the stadium, talking on a cellphone. The phone was activated less than an hour before he detonated his vest.” The information come from a 55-page report compiled by the French antiterrorism police for France’s Interior Ministry.

I hesitate to say the attackers used burner phones because the term usually implies phones that were purchased in convenience stores with cash. In reality this type of evasion is possible with any type of cell phone so long as a group has enough of them. The trick is to only use a particular cell phone for one or two messages before disposing of it. With numbers changing constantly it’s difficult for the spooks to create a reliable social graph and therefore a plot.

This news will likely have the undesired effect of inspiring legislators to write bills prohibiting the purchase of cell phones for cash but such legislation won’t hinder this kind of strategy.

FBI Versus Apple Court Hearing Postponed

It appears that the Federal Bureau of Investigations (FBI) is finally following the advice of every major security expert and pursuing alternate means of acquire the data on Farook’s iPhone, which means the agency’s crusade against Apple is temporarily postponed:

A magistrate in Riverside, CA has canceled a hearing that was scheduled for Tuesday afternoon in the Apple v FBI case, at the FBI’s request late Monday. The hearing was part of Apple’s challenge to the FBI’s demand that the company create a new version of its iOS, which would include a backdoor to allow easier access to a locked iPhone involved in the FBI’s investigation into the 2015 San Bernardino shootings.

The FBI told the court that an “outside party” demonstrated a potential method for accessing the data on the phone, and asked for time to test this method and report back. This is good news. For now, the government is backing off its demand that Apple build a tool that will compromise the security of millions, contradicts Apple’s own beliefs, and is unsafe and unconstitutional.

This by no means marks the end of Crypto War II. The FBI very well could continue its legacy of incompetence and fail to acquire the data from the iPhone through whatever means its pursuing now. But this will buy us some time before a court rules that software developers are slave laborers whenever some judge issues a court order.

I’m going to do a bit of speculation here. My guess is that the FBI didn’t suddenly find somebody with a promising method of extracting data from the iPhone. After reading the briefs submitted by both Apple and the FBI it was obvious that the FBI either had incompetent lawyers or didn’t have a case. That being the case, I’m guessing the FBI decided to abandon its current strategy because it foresaw the court creating a precedence against it. It would be far better to abandon its current efforts and try again later, maybe against a company that is less competent than Apple, than to pursue what would almost certainly be a major defeat.

Regardless of the FBI’s reasoning, we can take a short breath and wait for the State’s next major attack against our rights.

Giving Children A Taste Of The Police State While They’re Young

It’s true, the United States is a police state. But even Uncle Sam has nothing compared to his dear old mum. While the United States is still fighting terror by having the Federal Bureau of Investigations (FBI) radicalize adults with lukewarm intelligence the United Kingdom (UK) has already moved on from such trivial matters and is now dealing with the threat of radicalized four year-olds:

Staff at a nursery school threatened to refer a four-year-old boy to a de-radicalisation programme after he drew pictures which they thought showed his father making a “cooker bomb”, according to the child’s mother.

The child’s drawing actually depicted his father cutting a cucumber with a knife, his mother says, but staff misheard his explanation and thought it referred to a type of improvised explosive device.

On Friday the boy’s mother showed the Guardian video footage of her son in which he is playing happily on the floor of his home, and is shown a cucumber and asked what it is. “A cuker-bum,” he says, before going back to his toys.

The footage was taken by the mother at the family home in Luton after the nursery discussed referring the child to a de-radicalisation programme out of concerns that pictures drawn by him referred to explosions and an improvised explosive device known as a “cooker bomb”.

How brainwashed by propaganda does a nursery school staff have to be to assume a four year-old is saying “cooker bomb” when they say “cuker-bum”? At that age children are still working out how to pronounce words. Hell, at that age I will still trying to figure out why “very” wasn’t pronounced “berry”. The fact that these mouth breathers are so fucking terrified that they immediately assume a child failing to pronounce a word correctly is related to a terror plot should disqualify them from working with children.

What was especially egregious was the nursery school staff’s statement to the mother:

In between the odd tear and laugh of disbelief, the mother spoke about the experience, which she said had left her shaken and upset, and involved her being told at one point: “Your children might not be taken off you … you can prove yourself innocent.”

Emphasis mine. Prove her innocence? That’s not how things are supposed to work. The fact that the nursery school staff believes a person must prove their innocence instead of the State proving guilt demonstrates just how fucked the UK is.

One of the biggest problems facing The United States and many European countries is the rampant number of quislings. You know the type. The jackass neighbor who calls the police because you have a fire pit going in your backyard and they know you didn’t get a permit. The car mechanic who calls the police because they found a dime bag of weed in your car while they were fixing it. The nosy neighborhood watcher who calls in your car because it was parked on the street for over 24 hours. Because of these worthless busybodies the State is well informed of its laws being broken and can enforce them. Without them the State would have a much harder time enforcing its laws because it wouldn’t know about the violations.

iOS 9.3 With iMessage Fix Is Out

In the ongoing security arms race researchers from John Hopkins discovered a vulnerability in Apple’s iMessage:

Green suspected there might be a flaw in iMessage last year after he read an Apple security guide describing the encryption process and it struck him as weak. He said he alerted the firm’s engineers to his concern. When a few months passed and the flaw remained, he and his graduate students decided to mount an attack to show that they could pierce the encryption on photos or videos sent through iMessage.

It took a few months, but they succeeded, targeting phones that were not using the latest operating system on iMessage, which launched in 2011.

To intercept a file, the researchers wrote software to mimic an Apple server. The encrypted transmission they targeted contained a link to the photo stored in Apple’s iCloud server as well as a 64-digit key to decrypt the photo.

Although the students could not see the key’s digits, they guessed at them by a repetitive process of changing a digit or a letter in the key and sending it back to the target phone. Each time they guessed a digit correctly, the phone accepted it. They probed the phone in this way thousands of times.

“And we kept doing that,” Green said, “until we had the key.”

A modified version of the attack would also work on later operating systems, Green said, adding that it would likely have taken the hacking skills of a nation-state.

With the key, the team was able to retrieve the photo from Apple’s server. If it had been a true attack, the user would not have known.

There are several things to note about this vulnerability. First, Apple did response quickly by including a fix for it in iOS 9.3. Second, security is very difficult to get right so it often turns into an arms race. Third, designing secure software, even if you’re a large company with a lot of talented employees, is hard.

Christopher Soghoian also made a good point in the article:

Christopher Soghoian, principal technologist at the American Civil Liberties Union, said that Green’s attack highlights the danger of companies building their own encryption without independent review. “The cryptographic history books are filled with examples of crypto-algorithms designed behind closed doors that failed spectacularly,” he said.

The better approach, he said, is open design. He pointed to encryption protocols created by researchers at Open Whisper Systems, who developed Signal, an instant message platform. They publish their code and their designs, but the keys, which are generated by the sender and user, remain secret.

Open source isn’t a magic bullet but it does allow independent third party verification of your code. This advantage often goes unrealized as even very popular open source projects like OpenSSL have contained numerous notable security vulnerabilities for years without anybody being the wiser. But it’s unlikely something like iMessage would have been ignored so thoroughly.

The project would likely attracted a lot of developers interested in writing iMessage clients for Android, Windows, and Linux. Since iOS, and therefore by extension iMessage, is so popular in the public eye it’s likely a lot of security researchers would have looked through the iMessage code hoping to be the first to find a vulnerability and enjoy the publicity that would almost certainly entail. So open sourcing iMessage would likely have gained Apple a lot of third party verification.

In fact this is why I recommend applications like Signal over iMessage. Not only is Signal compatible with Android and iOS but it’s also open source so it’s available for third party verification.

It Was Snowden All Along

In 2013 the Federal Bureau of Investigations (FBI) demanded Ladar Levison hand over the TLS keys to his Lavabit service. He did comply, by providing the key printed out in small text, but also shutdown his service instead of letting the key be used to snoop on his customers. The FBI threw a hissy fit over this and even threatened to kidnap Levison for shutting down his business. But one question that always remained was who the FBI was after. Everybody knew it was Edward Snowden but there was no hard evidence… until now.

Court documents related to the Lavabit case have been released. The documents are naturally heavily redacted but the censors missed a page:

In court papers related to the Lavabit controversy, the target of the investigation was redacted, but it was widely assumed to be Edward Snowden. He was known to have used the service, and the charges against the target were espionage and theft of government property, the same charges Snowden faced.

Now, what was widely assumed has been confirmed. In documents posted to the federal PACER database this month, the government accidentally left his e-mail, “Ed_snowden@lavabit.com,” unredacted for all to see. The error was noted by the website Cryptome earlier this week, and Wired covered it yesterday.

This revelation didn’t tell us anything we didn’t know before but it’s nice to have hard evidence in hand. Now we know with certainty that the FBI completely destroyed a business as retaliation for having Snowden as a customer. I say this was retaliatory because the court documents [PDF] clearly show that Levison was willing to cooperate with the FBI by surveilling the single target of the order. However, the FBI decided it would accept nothing less than the surrender of Lavabit’s TLS key.

Had the FBI been reasonable it would have had its tap. Instead its agents decided to be unreasonable fuckheads, which forced Levison to shutdown his business entirely instead of putting thousands of innocent users at risk. This case is also a lesson in never cooperating with terrorists. Levison offered to cooperate and still had his business destroyed. When the FBI comes to your door you should refuse to cooperate in any way. Cooperating will not save you. The only difference between cooperating and refusing to cooperate is that in the case of the latter your business will be shutdown before innocent users are put at risk.