March 2016 – Page 5 – A Geek With Guns

We Interrupt Your Daily Grind To Bring You The Bloody Obvious

Gun control advocates have a laser like focus on guns, which causes them to lose sight of the actual issue of violence. This is most obvious when they declare victory because another weapon has started to be used common:

NEW YORK (FOX5NY) – New York mayor Bill de Blasio is trying to put a positive spin on a recent rash of stabbings and slashings across the city. He credits the NYPD taking guns off of the street.

“I’m not a criminologist but I can safely say that guns are being taken off the street in an unprecedented way. Some people, unfortunately, are turning to a different weapon,” de Blasio says.

[…]

The mayor claims that since there are so many fewer guns on the street, officers can now focus on criminals using knives and razors.

To be entirely honest I would much rather be shot than attacked with a knife. Assuming you survive, being shot tends to be more easily remedied than being slashed and stabbed.

Several things are worth noting with this story though. First, there is no evidence that New York’s gun control laws are the cause for the uptick in stabbings. Bill de Blasio is just declaring it so but offers no evidence to support his claim. Second, he doesn’t mention if shootings have gone down in addition to stabbings increasing. This is important to determine because it could be that shootings have remained the same and stabbings have simply increased. Third, even if we assume shooting are down the actual problem of violent crime obviously remains. Whether people are shot or stabbed doesn’t make a difference. Either way people are still being injured or killed. Four, and this is one that is usually overlooked, are the efforts of law enforcers to stop out violent crime creating more violent crime? It’s pretty hard to claim violence crime is down in law enforcers are injuring and killing people are a higher rate to enforce weapon prohibitions.

Here is something we do know though. Acquiring a carry permit in New York City is very difficult, which means the people operating within the letter of the law are at a severe disadvantage. If somebody attacks them with either a gun or a knife they are handicapped as far as self-defense goes.

Amazon Reverses Decision On Disabling Device Encryption

As an update to last weeks’s story about Amazon disabling device encryption in Fire OS 5, the company has since reversed its decision:

Amazon will restore optional full disk encryption to Fire OS 5 in a software update “coming this spring,” according to a statement released by the company on Friday evening.

This is a good announcement but I wouldn’t buy a Fire OS device until the firmware update reenabling device encryption has been rolled out. You never know when Amazon will decide to declare backsies.

As an aside, did you notice how quickly Amazon changed its mind? If this would have been a government decision we would be sitting through years of court cases, congressional hearings, congressional votes, and other such bureaucratic nonsense. But in the market it took less than a week for customer outrage to get things changing. The market gets shit done.

Monday Metal: Mystery Of A Blood Red Rose By Avantasia

This week we’re going with a song by Tobias Sammet’s supergroup, Avantasia:

If At First You Don’t Succeed, Lower Your Expectations

Rant time. The education system in this country is fucking terrible. A lot of people blame the teachers but it’s not their fault. They are, after all, victims of the education system themselves who were taught by previous victims of the education system. The blame goes to the policy makers who believe the solution to every embarrassing statistic is to dumb down the curriculum:

In his new book The Math Myth: And Other STEM Delusions, political scientist Andrew Hacker proposes replacing algebra II and calculus in the high school and college curriculum with a practical course in statistics for citizenship (more on that later). Only mathematicians and some engineers actually use advanced math in their day-to-day work, Hacker argues—even the doctors, accountants, and coders of the future shouldn’t have to master abstract math that they’ll never need.

You see? Math is hard so we should dumb it down. In a rather ironic twist, Hacker proposes replacing algebra II and calculus with statistics and statistics is part of what’s fueling the deterioration of the education system. Statistics itself isn’t bad but when it’s placed in the hands of policy makers it because a weapon of mass destruction. Hacker, probably unknowingly, makes this point perfectly:

Unlike most professors who publicly opine about the education system, Hacker, though an eminent scholar, teaches at a low-prestige institution, Queens College, part of the City University of New York system. Most CUNY students come from low-income families, and a 2009 faculty report found that 57 percent fail the system’s required algebra course. A subsequent study showed that when students were allowed to take a statistics class instead, only 44 percent failed.

His argument is based on statistics surrounding student failure rates. An intelligent person would look at such statistics and try to investigate the causes (there are likely numerous interacting causes involved here). But Hacker, like most policy makers, isn’t an intelligent person. He looks at the statistic and decides the only option is to make the hard classes easier. The problem with his attitude is that it can only lead to one outcome in the end: Idiocracy.

I’m not going to lie, math kicked my ass in school and college. Young me would have loved to hear that algebra II was being replaced by something far easier. But old me understands the value of higher level math. While I don’t use it in my daily life it taught me logic (as in reasoning, not as in a word to throw around when I’m losing an Internet argument and have nothing to resort to other than telling the other person they’re not logical), which I do use every day. And that’s the point. Many subjects themselves aren’t obviously useful in our day to day lives. But they do teach us how to learn, which is tremendously useful. Without understanding how to learn we’re relegated to memorizing information so we can regurgitate it later. In fact that’s the state of education in this country in a nutshell: memorize information so you can regurgitate it on a standardized test.

Another Day, Another Attack Against Cryptography Made Possible By Government Meddling

This week another vulnerability was discovered in the OpenSSL library. The vulnerability, given the idiotic marketing name Decrypting RSA with Obsolete and Weakened eNcryption (DROWN), allows an attacker to discover a server’s TLS session keys if it has SSLv2 enabled. Like FREAK and Logjam before it, DROWN was made possible by government meddling in cryptography:

For the third time in less than a year, security researchers have found a method to attack encrypted Web communications, a direct result of weaknesses that were mandated two decades ago by the U.S. government.

These new attacks show the dangers of deliberately weakening security protocols by introducing backdoors or other access mechanisms like those that law enforcement agencies and the intelligence community are calling for today.

[…]

Dubbed DROWN, this attack can be used to decrypt TLS connections between a user and a server if that server supports the old SSL version 2 protocol or shares its private key with another server that does. The attack is possible because of a fundamental weakness in the SSLv2 protocol that also relates to export-grade cryptography.

The U.S. government deliberately weakened three kinds of cryptographic primitives in the 1990s — RSA encryption, Diffie-Hellman key exchange, and symmetric ciphers — and all three have put the security of the Internet at risk decades later, the researchers who developed DROWN said on a website that explains the attack.

We’d all be safer if the government didn’t meddle in mathematical affairs.

This exploit also shows the dangers of supporting legacy protocols. While there may exist users that have software so old it doesn’t support TLS or even SSLv3, supporting them creates a hazard to every other user. There’s a point where you have to tell that user of ancient software to either upgrade to modern software or stop using the service. From a business standpoint, potentially losing one customer due to not having legacy support is far better than losing a lot of customers due to their trust in your company being lost because of a major security compromise.

Amazon Disabled Device Encryption In Fire OS 5

While Apple and, to a lesser extent, Google are working to improve the security on their devices Amazon has decided on a different strategy:

While Apple continues to resist a court order requiring it to help the FBI access a terrorist’s phone, another major tech company just took a strange and unexpected step away from encryption.

Amazon has removed device encryption from the operating system that powers its Kindle e-reader, Fire Phone, Fire Tablet, and Fire TV devices.

The change, which took effect in Fire OS 5, affects millions of users.

Traditionally firmware updates deliver (or at least attempt to) security enhancements. I’m not sure why Amazon chose to move away from that tradition but it should cause users of Fire OS devices concern. By delivering a firmware update that removes a major security feature Amazon has violated the trust of its users.

Unless Amazon fixes this I would recommend avoiding Fire OS based devices. Fortunately other phone and table manufacturers exist and are willing to provide you devices that offer good security features.

FBI Asks Apple, “What If We Do What We’re Planning To Do?”

On Tuesday there was a congressional hearing regarding encryption. I didn’t watch it because I had better shit to do. But I’ve been reading through some of the highlights and the hearing was like most hearings. A handful of competent individuals were brought in to testify in front of a group of clueless idiots who are somehow allowed to pass policies. What was especially funny to me was a comment made by the director of the Federal Bureau of Investigations (FBI), James Comey (which should really be spelled James Commie):

When Florida Congressman Ted Deutch asked Comey if the potential repercussions of such a back door falling into the wrongs hands were of valid concern, Comey responded by posing a hypothetical situation in which Apple’s own engineers were kidnapped.

“Slippery slope arguments are always attractive, but I suppose you could say, ‘Well, Apple’s engineers have this in their head, what if they’re kidnapped and forced to write software?'” Comey said before the committee. “That’s where the judge has to sort this out, between good lawyers on both sides making all reasonable arguments.”

Comey likely made the comment to highlight how Apple is capable of creating a back door to break the iPhone’s encryption, a fact the company has admitted.

Comey should have said, “Well, Apple’s engineers have this in their head, what will happen when my agency kidnaps them and forces them to write the backdoor?” Because that’s exactly what his agency is trying to accomplish in the San Bernardino case. The FBI wants the court to order Apple to write a custom version of iOS that would bypass several security features and brute force the encryption key. If the court does issue such an order and Apple doesn’t obey some federal goons will kidnap members of Apple (likely Tim Cook). Of course, the FBI couches its criminal activities in euphemisms such as “arrest” to make them appear legitimate.

But what would happen? As it turns out, not much. Kidnapping one of Apple’s engineers wouldn’t give access to the company’s software signing key. Without that key any software the engineer was forced to write wouldn’t load onto an iOS device.

The Busses Have Ears

Surveillance is pervasive in our society. You can hardly walk down a street without some nosey camera recording your movements or ride public transportation without some snoopy microphone recording your conversation:

MTA began using recording devices inside some of its buses in 2012, without seeking legislative approval. Nearly 500 of its fleet of 750 buses now have audio recording capabilities. Officials say the devices can capture important information in cases of driver error or an attack or altercation on a bus.

They can also record conversations so they can later be requested by law enforcers looking to nail somebody to a cross. The dangers of pervasive surveillance are almost always understated by statists. Surveillance fetishists always justify their spying by claiming it’ll protect the children, thwart terrorism, or otherwise help combat some overblown concern. What they leave out is that the data is also available to prosecute nonviolent individuals.

Imagine if two people were making a peaceful drug transaction on one of these surveillance buses. Without the microphones in place the transaction would probably go unnoticed. But because the data exists it would only take one law enforcer or concerned citizen to listen to it to turn that previously peaceful transaction into a violent home raid.

Surveillance is dangerous precisely because law enforcers are willing to use any collected data to ruthlessly enforce victimless crimes. That’s a reality that is never mentioned by the surveillance state’s proponents.

Because Punishing The Victim Makes Sense

Hypothetically let’s say a student stole a cell phone from their teacher. The teacher, being an average person and almost entirely ignorant on security, didn’t set a lock code. Because there was no lock code the student was able to log in. After logging in the student found embarrassing pictures of the teacher and sent them to friends.

In this situation would you punish the teacher or the student? Although not setting a lock code on your phone isn’t a wise decision there is no victim involved when somebody is ignorant. There is, however, a victim when a theft occurs. That being the case, I would argue the student should be punished but the teacher should not. Of course, that’s not how things work in our society:

A South Carolina high-school teacher may be charged with contributing to the delinquency of a minor after a student stole her cellphone and distributed partially nude photos from it around the school. Administrators say she should have password-protected the phone.

[…]

One might think that the student would at least face disciplinary action from the school, if not criminal charges of some sort. But thus far, the school has not moved to hold the 16-year-old student accountable at all. Arthur, however, is another story. After teaching in Union County for 13 years, she resigned when district officials gave her the choice to do so immediately or start the firing process.

Interim superintendent David Eubanks told The State that Arthur might also be charged with contributing to the delinquency of a minor. “I think we have a right to privacy, but when we take inappropriate information or pictures, we had best make sure it remains private,” he said.

I would argue that this is the inevitable result of combining zero tolerance policies, a total lack of critical thinking when “it’s for the children”, and having a legal system instead of a justice system.

The only victim here was the teacher because her phone was stolen. But since children saw her nude photos the fact that she was the victim of theft and didn’t send the photos is ignored. To make matters worse, the thief is left unpunished because, well, reasons.

So here we are, continuing to wallow in a society that punishes victims and lets criminals go unscathed.

Argh, Pirates Be A Hackin’ The High Seas

The biggest threat to computer security may be the average person’s lack of creativity. Imagine if you asked a random person on the streets what the possible ramifications of poor computer security at a shipping company could be. I would wager a bet that you’d get a lot of blank stares and variations of, “Uh, nothing.” But if you ask a creative person, say a pirate, the same question you will likely hear some pretty interesting ideas:

Tech-savvy pirates once breached the servers of a global shipping company to locate the exact vessel and cargo containers they wanted to plunder, according to a new report from Verizon’s cybersecurity team.

“They’d board the vessel, locate by bar code specific sought-after crates containing valuables, steal the contents of that crate — and that crate only — and then depart the vessel without further incident,” says the report, Verizon’s Data Breach Digest.

Just because you can’t think of a reason security is important doesn’t mean somebody else can’t. This is especially important to keep in mind if you’re one of those “I’ve got nothing to hide,” people. You might not be able to think of any reason but somebody who means you ill almost certain can.

When you’re assessing your own security, whether it be on a person or organizational level, it’s wise to bring in some outsiders, perhaps people with experience in breaching networks for malicious purposes, and pay them a little something to provide you with ideas you haven’t thought of yet. You will likely be surprised at how many things you simply failed to think of.