Month: April 2016

Free Apps Aren’t Free But Dumb Phones Won’t Protect Your Privacy

I have a sort of love/hate relationship with John McAfee. The man has a crazy history and isn’t so far up his own ass not to recognize it and poke fun at it. He’s also a very nonjudgemental person, which I appreciate. With the exception of Vermin Supreme, I think McAfee is currently the best person running for president. However, his views on security seem to be stuck in the previous decade at times. This wouldn’t be so bad but he seems to take any opportunity to speak on the subject and his statements are often taken as fact by many. Take the recent video of him posted by Business Insider:

It opens strong. McAfee refutes something that’s been a pet peeve of mine for a while, the mistaken belief that there’s such a thing as free. TANSTAAFL, there ain’t no such thing as a free lunch, is a principle I wish everybody learned in school. If an app or service is free then you’re the product and the app only exists to extract salable information from you.

McAfee also discusses the surveillance threat that smartphones pose, which should receive more airtime. But then he follows up with a ridiculous statement. He says that he uses dumb phones when he wants to communicate privately. I hear a lot of people spout this nonsense and it’s quickly becoming another pet peeve of mine.

Because smartphones have the builtin ability to easily install applications the threat of malware exists. In fact there have been several cases of malware making their way into both Google and Apple’s app stores. That doesn’t make smartphones less secure than dumb phones though.

The biggest weakness in dumb phones as far as privacy is concerned is their complete inability to encrypt communications. Dumb phones rely on standard cellular protocols for making both phone calls and sending text messages. In both cases the only encryption that exists is between the devices and the cell towers. And the encryption there is weak enough that any jackass with a IMSI-catcher render it meaningless. Furthermore, because the data is available in plaintext phone for the phone companies, the data is like collected by the National Security Agency (NSA) and is always available to law enforcers via a court order.

The second biggest weakness in dumb phones is the general lack of software updates. Dumb phones still run software, which means they can still have security vulnerabilities and are therefore also vulnerable to malware. How often do dumb phone manufacturers update software? Rarely, which means security vulnerabilities remain unpatched for extensive periods of time and oftentimes indefinitely.

Smart phones can address both of these weaknesses. Encrypted communications are available to most smart phone manufacturers. Apple includes iMessage, which utilizes end-to-end encryption. Signal and WhatsApp, two application that also utilize end-to-end encryption, are available for both iOS and Android (WhatsApp is available for Windows Phone as well). Unless your communications are end-to-end encrypted they are not private. With smartphones you can have private communications, with dumb phones you cannot.

Smart phone manufacturers also address the problem of security vulnerabilities by releasing periodic software updates (although access to timely updates can vary from manufacturer to manufacturer for Android users). When a vulnerability is discovered it usually doesn’t remain unpatched forever.

When you communicate using a smartphone there is the risk of being surveilled. When you communicate with a dumb phone there is a guarantee of being surveilled.

As I said, I like a lot of things about McAfee. But much of the security advice he gives is flawed. Don’t make the mistake of assuming he’s correct on security issues just because he was involved in the antivirus industry ages ago.

How The Government Protects Your Data

Although I oppose both public and private surveillance I especially loathe public surveillance. Any form of surveillance results in data about you being stored and oftentimes that data ends up leaking to unauthorized parties. When the data is leaked from a private entity’s database I at least have some recourse. If, for example, Google leaks my personal information to unauthorized parties I can choose not to use the service again. The State is another beast entirely.

When the State leaks your personal information your only recourse is to vote harder, which is the same as saying your only recourse is to shut up and take it. This complete lack of consequences for failing to implement proper security is why the State continues to ignore security:

FRANKFORT, Ky. (AP) — Federal investigators found significant cybersecurity weaknesses in the health insurance websites of California, Kentucky and Vermont that could enable hackers to get their hands on sensitive personal information about hundreds of thousands of people, The Associated Press has learned. And some of those flaws have yet to be fixed.

[…]

The GAO report examined the three states’ systems from October 2013 to March 2015 and released an abbreviated, public version of its findings last month without identifying the states. On Thursday, the GAO revealed the states’ names in response to a Freedom of Information request from the AP.

According to the GAO, one state did not encrypt passwords, potentially making it easy for hackers to gain access to individual accounts. One state did not properly use a filter to block hostile attempts to visit the website. And one state did not use the proper encryption on its servers, making it easier for hackers to get in. The report did not say which state had what problem.

Today encrypting passwords is something even beginning web developers understand is necessary (even if they often fail to property encrypt passwords). Most content management systems do this by default and most web development frameworks do this if you use their builtin user management features. The fact a state paid developers to implement their health insurance exchange and didn’t require encrypted passwords is ridiculous.

Filtering hostile attempts to visit websites is a very subjective statement. What constitutes a hostile attempt to visit a website? Some websites try to block all Tor users under the assumption that Tor has no legitimate uses, a viewpoint I strongly disagree with. Other websites utilize blacklists that contain IP addresses of supposedly hostile devices. These blacklists can be very hit or miss and often block legitimate devices. Without knowing what the Government Accountability Office (GOA) considered effective filtering I’ll refrain from commenting.

I’m also not entirely sure what GOA means by using property encryption on servers. Usually I’d assume it meant a lack of HTTP connections secured by TLS. But that doesn’t necessarily impact a malicious hackers ability to get into a web server. But it’s not uncommon for government websites to either not implement TLS or implement it improperly, which puts user data at risk.

But what happens next? If we were talking about websites operated by private entities I’d believe the next step would be fixing the security holes. Since the websites are operated by government entities though it’s anybody’s guess what will happen next. There will certainly be hearings where politicians will try to point the finger at somebody for these security failures but finger pointing doesn’t fix the problem and governments have a long history of never actually fixing problems.

If You Can Rig The Lottery Only Do It Once

Most fraudsters are caught because they’re a combination of shortsighted and greedy. Take this block for example:

A lottery vendor for years manipulated drawings to enrich himself and associates by installing software code that allowed him to predict winning numbers on specific days of the year, Iowa investigators alleged Wednesday.

Authorities called the newly obtained forensic evidence a breakthrough in the investigation of alleged jackpot-fixing scheme by Eddie Tipton, former security director of the Multi-State Lottery Association. A jury convicted him last year of rigging a $16.5 million jackpot, and he’s awaiting trial on charges linking him to prizes in Colorado, Wisconsin, Oklahoma and Kansas.

Assuming Mr. Tipton is actually guilty, he will join the ranks of fraudsters who were in a position and had the ability to execute a great self-enriching scam and were caught because they pulled it more than once.

The odds of winning the lottery are astronomical so winning more than once raises all sorts of red flags. If you’re in a position to manipulate the lottery, only do it once. You can usually get away with winning once. But when you start winning in your home state, the neighboring state, and three states away people begin to get suspicious. And if your friends seem to be winning as well there’s going to be an investigation.

People like to attribute these scams purely to greed. If greed was the only factor in these scams the culprits would walk away after they accomplished their initial mission. After all, if you get caught you don’t get to keep the money so a truly greedy person will take the cash and run. These scams are usually uncovered because the culprits are both greedy and shortsighted. They fail to properly assess the risks involved in their scams and therefore continue to perpetrate them again and again. Eventually their “luck” becomes suspicious and their scam is uncovered.

FBI Claims Its Method Of Accessing Farook’s Phone Doesn’t Work On Newer iPhones

So far the Federal Bureau of Investigations (FBI) hasn’t given any specific details on how it was able to access the data on Farook’s phone. But agency’s director did divulge a bit of information regarding the scope of the method:

The FBI’s new method for unlocking iPhones won’t work on most models, FBI Director Comey said in a speech last night at Kenyon University. “It’s a bit of a technological corner case, because the world has moved on to sixes,” Comey said, describing the bug in response to a question. “This doesn’t work on sixes, doesn’t work on a 5s. So we have a tool that works on a narrow slice of phones.” He continued, “I can never be completely confident, but I’m pretty confident about that.” The exchange can be found at 52:30 in the video above.

Since he specifically mentioned the iPhone 5S, 6, and 6S it’s possible the Secure Enclave feature present in those phones thwarts the exploit. This does make sense assuming the FBI used a method to brute force the password. On the iPhone 5C the user password is combined with a hardware key to decrypt the phone’s storage. Farook used a four digit numerical password, which means there were only 10,000 possible passwords. With such a small pool of possible passwords it would have been trivial to bruce force the correct one. What stood in the way were two iOS security features. The first is a delay between entering passwords that increases with each incorrect password. The second is a feature that erases the decryption keys — which effectively renders all data stored on the phone useless — after 10 incorrect passwords have been entered.

On the 5C these features are implemented entirely in software. If an attacker can bypass the software and combine passwords with the hardware key they can try as many passwords they want without any artificial delay and prevent the decryption keys from being erased. On the iPhone 5S, 6, and 6S the Secure Enclave coprocessor handles all cryptographic operations, including enforcing a delay between incorrect passwords. Although this is entirely speculation, I’m guessing the FBI found a way to bypass the software security features on Farook’s phone and the method wouldn’t work on any device utilizing Secure Enclave.

Even though Secure Enclave makes four digit numerical passwords safer they’re still dependent on outside security measures to protect against bruce force attacks. I encourage everybody to set a complex password on their phone. On iPhones equipped with Touch ID this is a simple matter to do since you only have to enter your password after rebooting the phone or after not unlocking your phone for 48 hours. Besides those cases you can use your fingerprint to unlock the phone (just make sure you reboot the phone, which you can do at anytime by holding the power and home buttons down for a few seconds, if you interact with law enforcement so they can’t force you to unlock the phone with your fingerprint). With a strong password brute force attacks become unfeasible even if the software or hardware security enhancements are bypassed.

The FBI Heroically Saves Us Yet Again From A Criminal It Created

Just one week after heroically saving us from a terrorist it created, the Federal Bureau of Investigations (FBI) has saved us from yet another criminal it created:

US authorities depict Franey as an unstable anti-government militant who deserved a closer look to see how far he might go. One of his neighbors told FBI agents that Franey said he hated the US military for not allowing him “to leave the Army” after he enlisted, and that he railed at the system for “taking away his kids.” As US Attorney Hayes put it, the Justice Department was obligated to “pursue all available leads to ensure the public was protected from any possible harm.”

But while it seems Franey talked often and enthusiastically about plotting a terrorist attack, there’s little indication he ever had any intention of following through with his threats until the FBI’s undercover agent came along. After befriending Franey, the agent took him on an eight-month ride — sometimes literally, including a road trip along the West Coast — while recording their conversations, doling out cash, furnishing him with guns, and then busting him for illegal possession of the weapons.

I once heard that the FBI used to arrest criminals it didn’t create. Does it still do that once in a while? Is that still a thing?

What happened here is the same thing that always happens. The FBI identified somebody, likely of lukewarm intelligence, who it thought was capable of being radicalized into a threat. It then assigned an agent to befriend the individual and slowly radicalize him. After radicalizing him the agent then provided him a means to perpetuate an attack. The operation then closed with the agent arresting the guy for basically being a radicalized individual in possession of a means to commit an attack.

In this case the FBI’s prey was arrested for illegally possessing weapons. Weapons which were given to him by the FBI.

These operations rely on taking a hypothetical scenario and making it a reality. The individuals they target are those the agency deems capable of being radicalized. If left to their own devices the individuals would almost certainly remain harmless. Most of these individuals are socially isolated, aren’t the brightest bulbs in the box, and are seldom go-getters. Since they’re socially isolated they’re usually desperate for friendship, which makes them vulnerable to FBI agents. Their lukewarm intelligence also makes them more susceptible to being influenced. When you combine social isolation with lukewarm intelligence you have a recipe for an individual who can be easily manipulated to do bad things. But even if they’re manipulated into doing something bad they seldom have the motivation or means. So the FBI prods these individuals into performing an attack and provides them a means with which to pull it off. Finally, with all the pieces in place the FBI arrests its creation.

What the FBI is doing is preying on vulnerable individuals, convincing them to do something bad, and then providing the means to do that bad thing. If the FBI didn’t involve itself these people would normally just fade into the annals of history. The FBI isn’t protecting us from anything with these operations. It’s creating a bad situation and then claiming to save everybody from it.

Religious Freedom*

Mississippi recently passed House Bill 1523 [PDF] into law. The bill was described by its proponents as legislation to protect religious freedom by prohibiting the government from discriminating against actions performed due to strong religious convictions. What the proponents of the bill forgot to mention was the giant asterisk that noted the restrictions. House Bill 1523 only protects your religious freedom as long as you believe the right things:

SECTION 2. The sincerely held religious beliefs or moral convictions protected by this act are the belief or conviction that:

(a) Marriage is or should be recognized as the union of one man and one woman;

(b) Sexual relations are properly reserved to such a marriage; and

(c) Male (man) or female (woman) refer to an individual’s immutable biological sex as objectively determined by anatomy and genetics at time of birth.

If your religious beliefs our outside of those three criteria this bill does not protect them. For example, members of the Church of the Phenomenological Agorist hold a strong moral conviction that participation in the black market is not only righteous but a holy duty. Even though black market participation is a strongly held moral conviction the government will still ruthlessly pursue discriminatory action against them.

Do your religious beliefs acknowledge polygamy? If so those beliefs actually directly go against this bill since it only protects beliefs that acknowledge marriage as a union of one man and one woman. Don’t like it? Tough shit. You should have chosen a governmentally protected religion.

So long as you believe one of the three approved beliefs the government of Mississippi will not prosecute you for refusing to perform a wedding or bake a cake nor will it prosecute you for enforcing bathroom assignments. It will not restrain itself from prosecuting you for, for example, refusing service to police officers, something the Church of the Phenomenological Agorist strongly encourages, or people who discriminate against polygamous families.

This bill isn’t about religious freedom, it’s about religious discrimination. It creates two tiers for religions: those that subscribe to the beliefs specifically noted in the bill and those that do not. Members of religions in the first tier receive special treatment from the Mississippi government. Members of all other religions have to suffer the full brunt of the government’s boot stomping down on their faces.

A New Hero Arises

Setting aside my general hatred of intellectual property, I want to discuss an especially heinous abuse of intellectual property laws. A lot of research done in the United States is funded by tax dollars. We’re told this is necessary because the research wouldn’t be done if it was left to the market and that we shouldn’t complain because the research benefits all of us. But the research fueled by tax funding seldom benefits all of us because the findings are locked away being the iron curtain of publisher paywalls. We may have been forced to fund it but we don’t get to read it unless we’re willing to pay even more to get a copy of the research papers.

Aaron Swartz fought against this and was ruthlessly pursued by the State for his actions. Now that he has left us a new hero has risen to the call. Alexandra Elbakyan is the creator and operator of Sci-Hub, a website created to distribute research papers currently secured behind paywalls:

But suddenly in 2016, the tale has new life. The Washington Post decries it as academic research’s Napster moment, and it all stems from a 27-year-old bioengineer turned Web programmer from Kazakhstan (who’s living in Russia). Just as Swartz did, this hacker is freeing tens of millions of research articles from paywalls, metaphorically hoisting a middle finger to the academic publishing industry, which, by the way, has again reacted with labels like “hacker” and “criminal.”

Meet Alexandra Elbakyan, the developer of Sci-Hub, a Pirate Bay-like site for the science nerd. It’s a portal that offers free and searchable access “to most publishers, especially well-known ones.” Search for it, download, and you’re done. It’s that easy.

“The more known the publisher is, the more likely Sci-Hub will work,” she told Ars via e-mail. A message to her site’s users says it all: “SCI-HUB…to remove all barriers in the way of science.”

I fear many libertarians will be quick to dismiss Alexandra because she espouses anti-capitalist ideals. But it’s important to focus her actions, which are very libertarian indeed. She is basically playing the role of Robin Hood by liberating stolen wealth from the State and returning it to the people. The money has already been spent so it cannot be retrieved but what it bought, research, is still there and should be returned to the people as compensation for the original theft. That is all freely releasing tax funded research is and for her part Alexandra should be treated as the hero she is.

Don’t Stick Just Anything In Your Port

Universal Serial Bus (USB) flash drives are ubiquitous and it’s easy to see why. For a few dollars you can get a surprising amount of storage in a tiny package that can be connected to almost any computer. Their ubiquity is also the reason they annoy me. A lot of people wanting to give me a file to work on will hand me a USB drive to which I respond, “E-mail it to me.” USB drives are convenient for moving files between local computers but they’re also hardware components, which means you can do even more malicious things with them than malicious software alone.

The possibility of using malicious USB drives to exploit computers isn’t theoretical. And it’s a good vector for targeted malware since the devices are cheap and a lot of fools will plug any old USB drive into their computer:

Using booby-trapped USB flash drives is a classic hacker technique. But how effective is it really? A group of researchers at the University of Illinois decided to find out, dropping 297 USB sticks on the school’s Urbana-Champaign campus last year.

As it turns out, it really works. In a new study, the researchers estimate that at least 48 percent of people will pick up a random USB stick, plug it into their computers, and open files contained in them. Moreover, practically all of the drives (98 percent) were picked up or moved from their original drop location.

Very few people said they were concerned about their security. Sixty-eight percent of people said they took no precautions, according to the study, which will appear in the 37th IEEE Symposium on Security and Privacy in May of this year.

Leaving USB drives lying around for an unsuspecting sucker to plug into their computer is an evolution of the old trick of leaving a floppy drive labeled “Payroll” lying around. Eventually somebody’s curiosity will get the better of them and they’ll plug it into their computer and helpfully load your malware onto their network. The weakest link in any security system is the user.

A lot of energy has been invested in warning users against opening unexpected e-mail attachments, visiting questionable websites, and updating their operating systems. While it seems this advice has mostly fallen on deaf ears it has at least been followed by some. I think it’s important to spend time warning about other threats such as malicious hardware peripherals as well. Since it’s something that seldom gets mentioned almost nobody thinks about it and that helps ensure experiments like this will show disappointing results.

But They’ll Keep A Master Key Safe

We’re constantly being told by the State and its worshippers that cryptographic backdoors are necessary for the safety and security of all. The path to security Nirvana, we’re told, lies in mandating cryptographic backdoors in all products that can be unlocked by the State’s master key. This path is dangerous and idiotic on two fronts. First, if the master key is compromised every system implementing the backdoor is also compromised. Second, the State can’t even detect when its networks are compromised so there’s no reason to believe it can keep a master key safe:

The feds warned that “a group of malicious cyber actors,” whom security experts believe to be the government-sponsored hacking group known as APT6, “have compromised and stolen sensitive information from various government and commercial networks” since at least 2011, according to an FBI alert obtained by Motherboard.

The alert, which is also available online, shows that foreign government hackers are still successfully hacking and stealing data from US government’s servers, their activities going unnoticed for years.

[…]

This group of “persistent cyber criminals” is especially persistent. The group is none other than the “APT6” hacking group, according to sources within the antivirus and threat intelligence industry. There isn’t much public literature about the group, other than a couple of old reports, but APT6, which stand for Advanced Persistent Threat 6, is a codename given to a group believed to be working for the Chinese government.

Even if somebody believes the United States government is a legitimate entity that can be trusted with a cryptographic master key, they probably don’t believe the likes of Iran, China, and North Korea are as well. But those are the governments that would likely get the master key and enjoy exploiting it for years before anybody became the wiser.

And the impact of such a master key being leaked, even if you mistakenly believe the United States government can be trusted to only use it for good, is hard to overstate. Assuming a law was passed mandating all devices manufactured or sold in the United States had to implement the backdoor, a leak of the master key would effective render every American device unencrypted.

So the real question is, do you trust a government that cannot detect threats within its network for years on end to secure a master key that can unlock all of your sensitive information? Only a fool would answer yes.