Month: March 2016

Law Enforcers Caught Abusing A Databases Again

I have a natural aversion to government databases. This may seem ironic coming from a man whose name probably appears in dozens of them but that’s beside the point. Databases for sex offenders, felons, known gang members, and gun owners are always sold as being valuable tools for protecting the public. What is often ignored by proponents of such databases is how easily they can be abused by law enforcers. Denver law enforcers are the latest in a long line of law enforcers busted for abusing government databases for personal gain:

Denver Police officers caught using a confidential database for personal reasons should face stiffer penalties, the city’s independent monitor argued in a report released Tuesday.

The report, which reviewed both the Denver Police and the Denver Sheriff Department’s performance for 2015, found several instances of officers abusing both the National Crime Information Center (NCIC) and it’s state counterpart, the Colorado Crime Information Center (CCIC). Independent Monitor Nicholas Mitchell said in the report that he believes the penalties for those caught aren’t stiff enough to deter further abuse.

[…]

One officer, for example, was found to have used the database to assist an acquaintance who was going through a divorce determine the identity of the man he believed his wife was having an affair with. Then it spiraled out of control, possibly enabling violence from the vengeful ex-husband:

Shortly thereafter, the ex-husband began driving by the man’s house and threatening him. The ex-husband also found and contacted the man’s wife to tell her that the man was having an affair. The ex-husband told the wife that he knew their home address, showed her a picture of the man’s car, and asked her questions about the man to find out what gym he worked out at, what shift he worked, and where he spent his leisure time.

[…]

In another instance, a Denver Police officer who was at a hospital investigating a reported sexual assault made “small talk” with a female employee at the hospital who wasn’t involved in the investigation. The report continues:

At the end of her shift, the female employee returned home and found a voicemail message from the officer on her personal phone. She had not given the officer her phone number, and was upset that he had obtained it (she assumed) by improperly using law enforcement computer systems.

Note the lack of punishments received by officers caught abusing these databases. The first mentioned infraction resulted in a written reprimand and the second resulted in a fine of two days pay in addition to a written reprimand.

There are two major problems here. First, the existence of these databases. Second, the almost complete absence of oversight. These databases hold a tremendous amount of personal information on individuals. That information isn’t anonymized in any way so any officer can bring up the home address, phone number, and other personal information of those entered into the database. No oversight is apparently needed as multiple officers have been able to access the database for unauthorized uses. And no apparent interest in establishing oversight seems to exist since those finally caught abusing the database received no real punishment.

Databases containing personal information are dangerous to begin with. But when you add a complete lack of accountability for those accessing the databases, especially when they’re almost entirely shielded from personal liability, you have a recipe for disaster. Never let yourself be lulled into believing establishing a government database is necessary or in any way a good thing.

Libertarians Need To Embrace Their Radical Goal

I’ve said it before and I will say it again, libertarians are bad at politics. It’s not our fault. Politics is the art of aggression and libertarianism is a philosophy built on non-aggression. But many libertarians refuse to accept this fact so they end up doing stupid shit like starting Libertarians for Trump.

If you read through the post a lot of time is spent by the author, Walter Block, trying to argue what Donald Trump is the most libertarian mainstream candidate currently running. His arguments ring hollow though since his logic would just as easily lead one to compare who is more libertarian amongst Adolf Hitler, Joseph Stalin, and Pol Pot. While one can technically compared the three for the purposes of determining which is the most libertarian, in the end you’re still comparing three individuals who are fundamentally anti-libertarian.

But his article falls to pieces before he even gets to his justifications for supporting Trump. He immediately falls into the same trap many libertarians fall into by assuming only two options exist:

Let me just say that there is nothing, nothing at all, incompatible between libertarianism and voting, or supporting political candidates. Both Lew Rockwell and Murray Rothbard can be considered political junkies, and you won’t find too many better libertarians than those two.

Suppose we were all slaves, and the master said we could have a democratic election; we could vote for overseer Baddie, who would whip us unmercifully once per day, or overseer Goodie, who would do exactly the same thing, but only once per month. We all voted for the latter. Is this incompatible with libertarianism? Would this make us worse libertarians? Anyone who thinks so does not really understand this philosophy. For a remedial course, read this book: Rothbard, Murray N. 1998 [1982]. The Ethics of Liberty, New York: New York University Press.

Between the two options presented he makes a valid argument. However, there are options outside of voting for either the really evil slave owner or the slightly less evil slave owner. You can instead attempt to escape or overthrow the slave owner. In fact this is exactly what Lysander Spooner proposed when most people were arguing over electing politicians who supported the Southern views of slavery or the less harsh Northern views of slavery.

People like to divide libertarians into right and left. If we’re going to collectivize, err, categorize individual libertarians into two groups though I’d much rather divide them up into neophobes and neophiles. Both groups recognize the system of slavery they suffer under and express a desire to create radical change. But the neophobes act inconsistently with their stated goal whereas the neophiles embrace their radical goal.

Walter Block belongs to the Rothbard tradition of libertarianism. I would classify them as neophobes. While they do want to bring about change by moving society towards libertarianism they want to do it without radical changes. They want to utilize the already existing political system to elect the already existing politicians to the already existing political offices. By doing that they hope to legislate libertarianism into existence. Well, at least some libertarianism. Many of them also want to ensure certain already existing political creations, such as government borders continue to exist. But that’s beside the point. Neophobe libertarians fail to embrace the radical nature of their stated goal and that leads them to take ineffective political action.

Agorists such as myself belong to the Konkin tradition of libertarianism. The Konkin tradition falls into the neophile category. We want to bring about radical change and see the already existing political system as a hinderance. After all, how can a fundamentally anti-libertarian system be used in a fundamentally anti-libertarian society to bring about libertarianism? Incrementally over decades? To that I will point out that Rothbard and his followers were working on that decades ago and the only result has been a continuation of the slide towards totalitarianism. We recognize that libertarianism cannot be legislated. Furthermore, we want radical change. The currently existing political creations? Destroy them and salt the Earth they once occupied.

By failing to embrace their radical goal neophobes artificially limit themselves to a course of action libertarians have never been good at (because, after all, it is a course of action created by the opponents of libertarianism). This leads them to do incredibly anti-libertarian things such as support Donald Trump. Neophiles, by embracing our radical goal, are able to act in a way that is consistent with our stated goals. This allows us to avoid anti-libertarian actions such as supporting politicians who have a vested interest in maintaining the status quo.

You are free to join Block’s little club and help continue the system of oppression that exists today. But realize that doing so will require you to participate in a system that libertarians have never been any good at. Furthermore, it will require you to support somebody who is fundamentally anti-libertarain. Or you could not join his little club and enjoy the clear conscious acting consistently with your stated goal brings. As always, the choice is yours but you will be graded based on your decision.

AR Hacking

When you think about starting points for hackers what comes to mind? For many people images of Arduinos and Raspberry Pis connected to strange looking robotic parts are the first things they think of. But there’s no reason you have to start there. Deviant did a good presentation about hacking the AR-15. If you’re into firearms and want to get into hacking it’s a good video to watch since it explains how the two intersect very well:

No Matter Who You Are, No Matter Where You Are, The Black Market Has Your Back

What is the enemy of tyranny? Is it the ballot box? Is it the bullet box? No! It’s the black market:

North Korea’s isolation from most of the world is not just economic and diplomatic, but technological too. Only about 3 million of its people have access to its domestic telecommunications network, which does not permit access to outside countries. Its internet, meanwhile, is accessible only to the nation’s elites.

But some North Koreans have been able to circumvent these restrictions, thanks to the spread of illegal black market phones into the country. A new report from Amnesty International explains that these smuggled devices—referred to as “Chinese mobile phones,” even if they’re not actually from China—have become an important tool for North Koreans looking to connect with loved ones who have left the country and want to stay in touch.

If their relatives or friends at home don’t already have a “Chinese mobile phone,” the report explains, “often the person who has left will try to send them a phone, for example one bought in South Korea, Japan, or China.”

North Koreans who obtain one of these smartphones can connect with people outside the country by installing a Chinese SIM card in their device. They then must go to a part of the country close to the Chinese border, where they might pick up signal from a neighboring Chinese network.

No matter how repressive of a regime you suffer under the black market is there to provide you the goods you want. Are your overlords preventing you from communicating with the outside world? Never fear! The black market is here to provide you unrestricted telecommunications. Do your overlords prohibit you from owning the most effective means of self-defense? The black market is here to provide you with guns and ammo. Is there some government agency that artificially restricts your access to medication? The black market is here to provide you the medications you need.

The black market has been and continues to be the single greatest enemy to tyranny. By flagrantly providing illicit goods the black market shows that the emperor wears no clothes.

Let Me Emphasize That Ad-Blockers Are Security Tools

Once again ad networks have been utilized to serve up malware:

According to a just-published post from Malwarebytes, a flurry of malvertising appeared over the weekend, almost out of the blue. It hit some of the biggest publishers in the business, including msn.com, nytimes.com, bbc.com, aol.com, my.xfinity.com, nfl.com, realtor.com, theweathernetwork.com, thehill.com, and newsweek.com. Affected networks included those owned by Google, AppNexis, AOL, and Rubicon. The attacks are flowing from two suspicious domains, including trackmytraffic[c],buz and talk915[.]pw.

The ads are also spreading on sites including answers.com, zerohedge.com, and infolinks.com, according to SpiderLabs. Legitimate mainstream sites receive the malware from domain names that are associated with compromised ad networks. The most widely seen domain name in the current campaign is brentsmedia[.]com. Whois records show it was owned by an online marketer until January 1, when the address expired. It was snapped up by its current owner on March 6, a day before the malicious ad onslaught started.

In this case the attacks appear to be originated from domains of ad networks that had been allowed to expire. After being allowed to expire the domains were snapped up by malware distributors. This allowed them to distribute malware to visitors of sites that still allowed ads from those expired domains.

Ad networks have become an appealing target for malware distributors. By compromising a single ad network a malware distributor can successfully target users across many websites. It offers a much better return on investment than compromising a single large website such as the New York Times and the BBC. Compromising ad networks is often easier than compromising large websites as well since operators of large websites often have skilled administrators on hand that keep things fairly locked down. The fact that advertising companies come and go with notable frequency also makes life difficult for site administrators. In this case the purchased domains likely were legitimate ad networks at one time and simply vanished without anybody noticing. Since nobody noticed they weren’t removed from any of the ad distribution networks and could therefore still serve up ads to legitimate sites.

This event, if nothing else, should serve as a reminder that ad blockers are security tools.

Threat Posed By Personally Owned Drones Overblown, Water Is Wet

Last year the Federal Aviation Administration (FAA) announced it would be requiring all drone owners to register so their personal information, including home address, could be published for all to see. This requirement was justified under the claim that personally owned drones posed a major threat to other forms of aviation traffic. A lot of people, including myself, called bullshit on that and now research exists backing up our accusation:

That research, shown in a study just published by George Mason University’s Mercatus Center, was based on damage to aircraft from another sort of small, uncrewed aircraft—flying birds.

Much of the fear around drones hitting aircraft has been driven by FAA reports from pilots who have claimed near-misses with small drones. But an investigation last year by the Academy of Model Aeronautics (AMA) found that of the 764 near-miss incidents with drones recorded by the FAA, only 27 of them—3.5 percent—actually were near misses. The rest were just sightings, and those were often sightings that took place when drone operators were following the rules. The FAA also overcounted, including reports where the pilot said explicitly that there was no near miss and some where the flying object wasn’t identified, leading the AMA to accuse the FAA of exaggerating the threat in order to get support for its anti-drone agenda.

So for starters all the “near misses” we’ve read about in the media weren’t near misses. A vast majority of them were mere sightings. But the FAA’s bullshit doesn’t stop there:

There hasn’t yet been an incident in which a drone has struck an aircraft. But bird strikes (and bat strikes) do happen, and there’s a rich data set to work from to understand how often they do. Researchers Eli Dourado and Samuel Hammond reasoned that the chances of a bird strike remain much higher than that of an aircraft hitting a drone because “contrary to sensational media headlines, the skies are crowded not by drones but by fowl.”

The researchers studied 25 years of FAA “wildlife strike” data, reports voluntarily filed by pilots after colliding with birds. The data included over 160,000 reported incidents of collisions with birds, of which only 14,314 caused damage—and 80 percent of that number came from collisions with large or medium-sized birds such as geese and ducks.

Emphasis mine. No drones have struck a plane yet, which means the threat of drones to already existing aviation traffic is still entirely unrealized. Hell, this combined with the fact most reported near misses weren’t near misses, we should actually take a moment to recognize how much of a nonissue personally owned drones have been so far. Drone operators by and large have been very well behaved.

The data on wildlife strikes is also valuable since it indicates that when a drone finally does strike a plane there probably won’t be much damage to the plane. Most personally owned drones are more fragile than the large or medium sized birds that managed to cause damage when colliding with a plane.

What we have here is another example of a government money grab disguised as a crisis. With the FAA’s new rules in place the agency can extract $5 from every registered drone operator and up to $250,000 from operating a drone without being registered. Furthermore, the FAA can up the fees and fines as it sees fit.

One Step Forward, Two Steps Back

Were I asked I would summarize the Internet of Things as taking one step forward and two steps back. While integrating computers into everyday objects offers some potential the way manufacturers are going about it is all wrong.

Consider the standard light switch. A light switch usually has two states. One state, which closes the circuit, turns the lights on while the other state, which opens the circuit, turns the lights off. It’s simple enough but has some notable limitations. First, it cannot be controlled remotely. Having a remotely controlled light switch would be useful, especially if you’re away from home and want to make it appear as though somebody is there to discourage burglars. It would also be nice to verify if you turned all your lights off when you left to reduce the electric bill. Of course remotely operated switches also introduce the potential for remotely accessible vulnerabilities.

What happens when you take the worst aspects of connected light switches, namely vulnerabilities, and don’t even offer the positives? This:

Garrett, who’s also a member of the Free Software Foundation board of directors, was in London last week attending a conference, and found that his hotel room has Android tablets instead of light switches.

“One was embedded in the wall, but the two next to the bed had convenient looking ethernet cables plugged into the wall,” he noted. So, he got ahold of a couple of ethernet adapters, set up a transparent bridge, and put his laptop between the tablet and the wall.

He discovered that the traffic to and from the tablet is going through the Modbus serial communications protocol over TCP.

“Modbus is a pretty trivial protocol, and notably has no authentication whatsoever,” he noted. “Tcpdump showed that traffic was being sent to 172.16.207.14, and pymodbus let me start controlling my lights, turning the TV on and off and even making my curtains open and close.”

He then noticed that the last three digits of the IP address he was communicating with were those of his room, and successfully tested his theory:

“It’s basically as bad as it could be – once I’d figured out the gateway, I could access the control systems on every floor and query other rooms to figure out whether the lights were on or not, which strongly implies that I could control them as well.”

As far as I can tell the only reason the hotel swapped out mechanical light switches with Android tablets was to attempt to look impressive. What they ended up with was a setup that may look impressive to the layman but is every trolls dream come true.

I can’t wait to read a story about a 14 year-old turning off the lights to every room in a hotel.

Obama To South By Southwest: Fuck Your Privacy

I normally don’t follow South by Southwest too much but when Obama takes the stage to talk about privacy I can’t help but take note. Unfortunately his speech wasn’t surprising. It could be summed up as fuck your privacy:

President Barack Obama called on the tech community to build a safe encryption key to assist in law enforcement investigations, saying that if it failed, it could one day face a more draconian solution passed by a Congress that is less sympathetic to its worldview. The president said he could not comment on the FBI’s current fight with Apple over its demand that the company build software to unlock data on an iPhone used by one of the alleged San Bernardino shooters. But he spoke broadly about the need to balance privacy and security, and warned that absolutist views on both sides are dangerous.

Balance, in the case of privacy and security, means people like you and me get shitty crypto that the government, and anybody else with the master key, can break while the government gets to enjoy crypto we can’t break.

Obama warned against an absolutist view but crypto belongs to one of those very few things in the universe that is either black or white. There is no gray. Crypto is either effective, that is to say it has no known methods of attack that are faster than brute force, or it is ineffective. I’ve written extensively on this blog as to why this is.

The biggest problem with a master key is that anybody who holds that key can decrypt any data encrypted with a scheme that key can work for. If every iPhone was setup to decrypt the data with the government’s master key it would only be a matter of time, probably an alarmingly short period of time, before the key was leaked to the Internet and everybody in the world had the ability to decrypt any iPhone at will.

So we need an absolutist view because it’s the only view that offers any amount of security. But Obama heads one of the largest surveillance states in the world so it’s no surprise that he holds a total disregard for the security of us little people.