Month: May 2016

Updating Your Brand New Xbox One When It Refuses To Update

The new Doom finally convinced me to buy a new console. I debated between a PlayStation 4 and an Xbox One. In the end I settled on the Xbox One because I still don’t fully trust Sony (I may never get over the fact that they included malicious root kits on music CDs to enforce their idiotic copy protection and I’m still unhappy about them removing the Linux capabilities for the PlayStation 3) and I was able to buy a refurbished unit for $100.00 off (I’m cheap).

When I hooked up the Xbox One and powered it up for the first time it said it needed to download and apply an update before doing anything else. I let it download the update, since I couldn’t do anything with it until it finished updating, only for it to report that “There was a problem with the update.” That was the entirety of the error message and the only diagnostic option available was to test the network connection, which reported that everything was fine and I was connected to the Internet. I tried power cycling the device, disconnecting it from power for 30 seconds, and every other magical dance that Microsoft recommended on its useless trouble shooting site. Nothing would convince the Xbox to download and install the update it said it absolutely needed.

After a lot of fucking around I finally managed to update it. If you’re running into this problem you can give this strategy a try. Hopefully it saves you the hour and a half of fucking around I went through. What you will need is a USB flash drive formatted in NTFS (the Xbox One will not read the drive if it’s formatted in a variation of FAT because reasons) and some time to wait for the multi-gigabyte files to download.

Go to Microsoft’s site for downloading the Offline System Update Diagnostic Tool. Scroll down to the downloads. You’ll notice that they’re separated by OS versions. Since you cannot do anything on the Xbox One until the update is applies you can’t look up your OS version (nice catch-22). What you will want to do is download both OSUDT3 and OSUDT2.

When you have the files unzip them. Copy the contents of OSUDT3 to the root directory of the flash drive and connect the flash drive to the side USB port on the Xbox One. Hold down the controller sync button on the side and press the power button on the Xbox One (do not turn the Xbox One on with the controller otherwise this won’t work). Still holding down the sync button now press and hold the DVD eject button as well. You should hear the startup sound play twice. After that you can release the two buttons and the Xbox One should start applying the OSUDT3 update. Once that is finished the system will boot normally and you will return to the initial update screen that refuses to apply any updates.

Remove the flash drive, erase the OSUDT3 files from it, and copy the contents of the OSUDT2 zip file to the root directory of the flash drive. Insert the flash drive into the side USB port on the Xbox One and perform the above dance all over again. Once the update has applied your Xbox One should boot up and actually be something other than a useless brick.

As an aside, my initial impression of the Xbox One is less than stellar.

Monday Metal: Daybreak By DevilDriver

This week I’m posting something that I both like and dislike. Daybreak is a song by DevilDriver, a band I had not previously heard of. I really enjoy the instrument playing but I don’t really like the vocals so, overall, I’m not entirely sure what I think. DevilDriver seems like one of those bands that could grow on my in time.

Anatomy Of A Scam

Kickstarter is used to get some really cool projects off of the ground but it’s also packed with half-baked ideas and outright scams. What I present here is a case of the latter. Meet the first encryption software engineered to defeat hacking programs, granting impenetrable data protection, and cloud storage (their words, not mine).

I’m not even sure where to start with this one so I guess I’ll start with the most obvious red flag, impenetrable anti-hacking software. Before starting this Kickstarter I assume the team worked on a unicorn ranch because they apparently have a knack for delivering the impossible. And if designing impenetrable software is possible it certainly isn’t going to be done by this team. Pulling off such a feat would require a great deal of technical knowledge and this team doesn’t appear to have that as I will demonstrate. Let’s begin with their statement regarding the Advanced Encryption Standard (AES):

AES Hacking Solutions are readily available for sale on dark web.

In the late 1990’s, AES, while under ‘well-intentioned’ government oversight, somehow, a ‘back-door’ found its way into this ‘approved’ data security solution, — as has been widely reported. The unintended consequences of this back-door allows for complete access to your data, without your permission, to data monitoring, data-mining and active eavesdropping. Effectively, voiding your right to privacy and confidently. So common is this practice it has a name: Active Snooping.

There are known attacks against AES but none of them are practical. But the elite team of entrepreneurs (I’ll get to that in a bit) supposedly know of a backdoor. In fact this backdoor has supposedly been widely reported! Yet I’ve never heard of it, which I find odd because I follow the publications of quite a few computer security experts. I guess everybody from Bruce Schneier to Dan Kaminsky just missed that piece of news as well as this piece:

SSL is a Myth. Cybercriminals know about these flaws and back-door. They are stealing, compromising, and profiting from your data everyday.

SSL is a myth? Huh. As somebody who has spent many hours configuring it I would beg to differ. SSL, more accurately TLS, is a very real thing. It’s also secure so long as it’s configured correctly. Speaking of myths, or more accurately fiction:

You don’t have to be 007 to Use the DataGateKeeper Encryption Software…

I’m glad they mentioned 007 because this page reads like the “hacking” Q did in Skyfall. That is to say it’s nonsensical and entirely fictitious. Q gets a pass though because he’s a fictional character in a fictional universe where anything is possible. Even something as infeasible as a Walther PPK feeding reliably can happen in the James Bond’s universe.

Earlier I questioned DataGateKeeper’s team’s technical knowledge. This isn’t because they posted an incorrect minor detail about a complex mathematical factoid. It’s because they can’t even get basic units of measure correct:

so-many-kilobits

So. Many. Kilobits! Even if you’re only marginally aware of AES you’ve probably seen a mention of a 128-bit and a 256-bit mode. A kilobit is 1,000 bits so according to this chart DataGateKeeper has 512,000-bit encryption whereas services such as Dropbox and OneDrive lack even 128,000-bit AES encryption. Well that’s a no brainer since 128,000-bit AES doesn’t exist. Even if it did no consumer computer would have the processing power to use it. This chart should have added a row for unicorns. None of the competing services offer unicorns and I wouldn’t put it past the DataGateKeeper team to claim they offer unicorns.

Regardless of feasibility, DataGateKeeper is offering all of the kilobits:

  • 512kb Civilian – 50 Years of protection. Available on Kickstarter.
  • 768kb First Responders, Police, Retired & Active Duty Military – 73 years of protection. Donation of your choice.
  • 1024kb – Enterprise & SMB

That’s a lot of kilobits! But wait… now I’m confused. Earlier on the page it said:

MyDataAngel.com provides Impenetrable Civilian Data Protection plans beginning at 512-bit encryption.

So which is it? 512-bits or 512-kilobits? There’s literally a multiple of 1,000 difference. I’m sure that will be clarified at a future data. What we do know is that whatever algorithm they’re using is 6,000,000 times stronger than current data security:

We created a cipher that is 6,000,000 times stronger than current data security, as proven by algorithmic mathematics.

See? They proved it with algorithmic mathematics! That’s, like, the best kind of mathematics!

So how does this miraculous algorithm work? Who knows. The Kickstarter page, not surprisingly, doesn’t include any technical details. Okay, it does include a gif image with a calculator and some math-like stuff. It doesn’t actually explain anything but it’s there.

After reading this Kickstarter page you’re left with the feeling that it was written by marketing people who have no knowledge about cryptography. Even the most basic of information is either wrong or nonsensical. It’s almost as if there are no cryptographers involved with this project. In fact, that may be exactly what the problem is:

Our management team is uniquely qualified to implement our plan of operations, with a combined 75+ years of entrepreneurial experience, at all levels of corporate gestation, from rank start-up through to publicly traded entities. Our experience spans multiple sectors, from entertainment and manufacturing to healthcare and technology. The management team resume includes names such as: PepsiCo, Colgate-Palmolive, Paramount Studios and Merv Griffin Productions. Our President and co-founder, Debra Towsley, oversaw the marketing plan for Universal Studio’s $1.5 billion theme park expansion, Islands of Adventure®, as VP of Marketing. Our Chief Strategy Officer, Frank Ruppen, graduated from Harvard Business School, and cut his teeth as the brand manager for Proctor & Gamble, before accepting positions at McKinsey & Co., Sterling Brands, and Consumer Dynamics; he relocated to work in cities like: Sydney, Caracas and Tokyo. Raymond Talarico, our CEO, has been involved in multiple roll-ups and consolidations. He is credited as having developed companies from a one-sentence mission statement in MEDirect Latino to publicly traded entities with market caps exceeding $160M. The youngest member of our team, Joshua Noel (21), is the Creative Director who is a literal ‘Jack of All Trades’ when it comes to content creation. Yes, they do exist. His talent is on display here in the videos, as well as the vlogs, the overall design of our branding, and iconization.

They have people experienced in entrepreneurship but not a single mention of a cryptographer anywhere on the page is made. That pretty much tells us everything we need to know and explains why this page reads like a marketing person was tasked with writing a sales pitch on a cryptographic service but wasn’t given access to anybody knowledgeable in cryptography to verify any of the claims.

This is what a scam looks like. The product being offered is not only impossible but the entire writeup makes no sense within the framework of the market they’re aiming at. Scam might not even be the correct word for this. I would hope a scam artist would put some effort into making their scam at least appear somewhat believable. The people involved in this page didn’t even accomplish that much! DataGateKeeper’s team are scam artists who couldn’t even create a convincing scam. They’re basically failures who failed at failing.

At this point, when social media backlash destroys any chance of this Kickstarter getting funded, I’m expecting them to claim that this was all an elaborate troll. It really is their only option.

Fear Is The Last Refuge Of A Scoundrel

Stingray is a product name for an IMSI-catcher popular amongst law enforcers. Despite the devices being trivial enough that anybody can build one for $1,500, law enforcers have been desperate to keep the devices a secret. The Federal Bureau of Investigations (FBI), for example, would rather throw out cases than disclose its Stingray usage.

Here in Minnesota law enforcers are also busy keeping tight wraps on Stingray usage:

A Fox 9 Investigation has revealed that tracking warrants for a surveillance device called StingRay have routinely been kept sealed, despite a law requiring them to become public with 90 days.

The StingRay device is used by the Bureau of Criminal Apprehension about 60 times a year, said BCA Superintendent Drew Evans. Hennepin County Sheriff also had a StingRay, but a spokesperson said they discontinued it after using it only four times.

Why the secrecy? If you were expecting a detailed legal defense you’re going to be left wanting. The only defense law enforcers can muster is fear. Whenever a law enforcement department is pressed about the secrecy of Stingray devices they respond with the scariest case they can think of that involved the device

“This technology has been absolutely critical in locating some of Minnesota’s most violent criminals, more quickly than we ever were before,” Evans said.

Photo State of surveillance: StingRay warrants sealed despite changes in Minnesota law
Law enforcement used the technology last month when a disgruntled client allegedly gunned down a clerk at a St. Paul law firm and then went on the run. Police had the suspect’s cell phone and tracked him down.

[…]

“Just this week we were able to locate a level 3 sexual offender that was non-compliant, a suspect in a series of serial rapes, and a homicide suspect, this week alone,” he explained.

This usually satisfies journalists and the general public but shouldn’t. Whenever a law enforcer brings up a scary case where they used a Stingray device the immediate response should be, “So what?”

So what if the devices were used in secrecy to find a suspected murderer or a level three sex offender? Will these devices suddenly cease working if they’re subjected to the same oversight as any other law enforcement technology? Will they power off forever the minute a warrant is unsealed? No.

Law enforcers have no legal justification for keeping these devices secret, which is why they’re resorting to fear tactics. The question everybody should be asking is why they’re so desperate to keep these devices in the shadows. I theorize that there is a known weakness in the technology that would make them potentially inadmissible in court. What other reason could there be to go so far as to throw out individual cases rather than unseal warrants and release technical details about the devices? It’s not like the devices are a novel technology that nobody knows how to make or defend against.

Drug Abuse Cannot Be Fixed Through Legislation

Every year we’re told about the hot new legal drug that people are abusing. Shortly afterward we’re told about the hot new legislation that is supposed to curtail the abuse. Nobody seems to recognize the pattern though. This year the new drug being abused appears to be Imodium:

They call it the poor man’s methadone.

The epidemic of opioid addiction sweeping the country has led to another form of drug abuse that few experts saw coming: Addicts who cannot lay hands on painkillers are instead turning to Imodium and other anti-diarrhea medications.

The active ingredient, loperamide, offers a cheap high if it is consumed in extraordinary amounts. But in addition to being uncomfortably constipating, it can be toxic, even deadly, to the heart.

Now we just need to wait for the legislation that orders Imodium to be treated the same way as all drugs containing pseudoephedrine.

The cycle of abuse and legislation is counterintuitive. At first glance it seems sensible to restrict access to drugs people abuse. But looking at the cycle with a critical eye reveals a major problem: when one drug is restricted addicts find a substitute.

Restricting opioids didn’t stop addicts from being addicts. It merely pushed them to abuse Imodium instead just as restricting heroine lead to the substitute of easier to produce krokodil. Addiction is a medical issue. It cannot be legislated away. So long as politicians continue to treat addiction as a legal issue addicts will be pushed into finding, often more dangerous, substitutes.

Everybody Is Sick Of The TSA

This week I had to fly to another state for work. Unfortunately, that meant having to submit myself to the jack booted thugs at the Transportation Security Administration (TSA). The Minneapolis-Saint Paul International Airport (MSP) has been in the news as of late for having even more miserable security lines than other airports. This is due to the airport closing all but three of the security lines (the airport use to have more open gates but for reasons unknown — that totally have nothing at all to do with the TSA wanting flyers to buy its PreCheck scam — it closed all but three of them).

My flight was very early in the morning so I actually got through security in about half an hour. I didn’t even have to opt out of the slave scanner since they only ran me through the metal detector. In fact I didn’t even have to pull out my liquids, laptop, or remove my shoes. The goons working the airport were actually being reasonable for once.

Returning to the Twin Cities wasn’t as nice. The TSA goons there wanted me to go through the slave scanner so I had to waste time opting out and getting sexually assaulted. They also pulled my carryon off of the scanner, dug through it, and swabbed everything in it (I didn’t win an unlucky drawing, they were doing this to almost every piece of luggage). All in all I probably spent forty five minutes going through security.

The TSA is the epitome is government idiocy. It’s cumbersome, doesn’t fulfill its purpose, and inconsistent. I think the inconsistency is the most annoying part. When I go through security I’m not sure whether I’ll have to take off my shoes, belt, and wristwatch or be barked at for doing so. Will I have to remove the liquids from my bag? Will I have to pull my laptop out of its bag? I have no idea because the TSA agents seem to make up the rules on the spot. This means the lines end up being even longer because people have no idea what the fuck they’re supposed to do. If they take their shoes off before getting to the scanners they may get barked at and have to waste time putting them back on. The same goes for removing liquids and laptops from bags. There’s no way to speed up the line by planning ahead because you have no idea what you’ll be required to do before you get to the scanners.

It seems that my frustrations aren’t unique. New York City is now talking about replacing the TSA with private security agencies:

Management of the New York City area’s three major airports is fed up with long lines at security check points, and they have given the Transportation Security Administration an ultimatum: Either shorten the lines or we’ll find someone else to do it.

The Port Authority of New York and New Jersey, tasked with running John F. Kennedy, LaGuardia and Newark airports, is threatening to privatize the process of screening passengers before boarding their flight, according to a document sent from the Port Authority to TSA Administrator Peter Neffenger.

“We can no longer tolerate the continuing inadequacy of the TSA passenger services,” the letter obtained by ABC News reads.

Although this would be a move in the right direction I doubt it will have a major impact. Any private security agency would still have to abide by the TSA’s security policies. Privatization is of little value when the State restricts any possible innovation with regulatory burdens. However, if enough airports replaced the TSA it would help shake the agency’s iron grip over airport “security” (quotes used because the agency doesn’t actually provide security). If the iron grip was removed there would be a chance that some actual innovation could take place that would make airport security a less annoying experience.

The State Sucks At Language

Under any sane legal system the label criminal would be reserved for those who victimize others. But the legal systems of most modern developed countries use the label to describe anybody who has violated any of the State’s decrees, regardless of how arbitrary they may be. Because of this we have people walking around who have been labeled criminals but have never victimized anybody. Fortunately the Department of Justice (DoJ) is finally recognizing this fact, although I doubt it’s intentionally, and is moving away from the term criminal to describe the people it targets:

The Department Of Justice has been phasing out the use of the word “criminal” to describe criminals. On the DOJ website the newer term, “justice-involved individual,” can be traced back to 2009. However, the term has seen more and more daylight over the last couple of years.

I’ve seen quite a few neocons flipping their shit about this but it really is a good move. The DoJ spends a great deal of its time harassing drug buys and sellers, tax evaders, unlicensed firearm dealers, and other people who haven’t actually victimized anybody. That being the case, it makes sense to refer to its targets by something other than criminals.

With that said, the DoJ, like every other government agency, sucks at language. Justice-involved individual is also a misnomer for the same reason the agency’s name is a misnomer; the word justice implies a wrong being righted. Without a victim there is no wrong to right and therefore no justice to be had. A better label would be a legal-involved individual.

Nothing To See Here

I’ve spent the last two days on a trip for work. I ended up on the red eye flight back home so I didn’t have the energy to get anything posted for today. To entertain yourselves I’ll leave you with a son off of Perturbator’s new album (not everything I listen to is metal, I also enjoy retro-style electronic music):

Traditional Cigarette Industry Finally Receives The Protection It Paid For

E-cigs have become a tremendous problem for traditional cigarette manufacturers. Like traditional cigarettes, e-cigs deliver the nicotine people want. Unlike traditional cigarettes, e-cigs don’t include the massive list of harmful additional materials. Not only is vaping healthier, it’s cheaper to boot. There is also a taboo around smoking these days whereas vaping is seen as the new cool thing to do. These benefits are allowing the e-cig industry to eat the traditional cigarette industry’s lunch.

What’s the last refuge of a dying industry? The State, of course. Fortunately, for the traditional tobacco industry, the Food and Drug Administration (FDA) is stepping in to stomp down the blossoming e-cig industry:

As the debate over the health risks of e-cigarettes rages on, the FDA is stepping in to “improve public health and protect future generations.” To do that, the US government will regulate e-cigs and vaping gear like it does any other tobacco product. Until now, these products haven’t been subject to government oversight. With the FDA’s changes, the federal law that already forbids tobacco sales to people under 18 will now apply to vaping as well. Sure, this age limit was already being enforced in some places, but this more formal announcement makes it a nation-wide law.

What’s more, vaping products will be subject to the same regulations in terms of packaging and production. Manufacturers will have to register with the FDA and provide a list of products to the agency. Companies will also be required to disclose ingredients, including any harmful or potentially harmful substances, and they’ll have to get approval before putting new tobacco products on the market. In terms of packaging and advertising, e-cigarette and vaping products must also feature a health warning label — just like the brands selling regular cigarettes.

There’s nothing as fun as good old protectionism. The e-cig market has thrived because the lack of government regulations allows new entrepreneurs to enter the market with little startup capital. Since the e-cig industry is fairly new and the products are highly customizable there is a lot of room for new, innovative entrepreneurs. By putting e-cigs in regulatory parity with traditional cigarettes the FDA has ensured that innovation within the industry will drop and that the entire industry will slowly be monopolized into a handful of large companies.

The slowdown in innovation, restrictions from advertising, and other regulatory burdens will allow traditional cigarette companies to stand a good chance of competing successfully again.

“But Chris,” I hear somebody say, “what about the longterm health effects of e-cigs?” To that I say, what about them? All of the concerns about health effects are unrealized at this point so they can’t even been addressed. Entirely hypothetical threats are not a good foundation for policies. Besides, what a person puts into their body is their own business regardless of health side effects. To quote Ludwig von Mises, “If a man drinks wine and not water I cannot say he is acting irrationally. At most I can say that in his place I would not do so. But his pursuit of happiness is his own business, not mine.” If you want to inject some krokodil into your eyeball, inject some heroine between your toes, and vape all at the same time that should be your right.

There is no sound reason for the FDA’s declaration here except to provide the traditional cigarette companies the protections they paid, err, lobbied for.

Performing Denial Of Service Attacks Against Airliners Is Ridiculously Simple

How can you shutdown an airline service? By setting your Wi-Fi hotspot’s Service Set Identifier (SSID) to something quippy:

According to The West Australian, a passenger on QF481 spotted a Wi-Fi hotspot titled “Mobile Detonation Device” and advised a crew member. It wasn’t clear what mobile device it was linked to or where the device was located.

The crew member informed the captain, who then broadcast a message to passengers. Passenger John Vidler told the publication the pilot said the device needed to be located before the flight could depart.

If somebody put a bomb on board would they use Wi-Fi to detonate it? Probably not. That would require being in close proximity to the device whereas a cellular device, which are commonly used as remote detonators, allow the perpetrator to be somewhere else in the world. If a bomber did use a Wi-Fi detonator would they set it to broadcast an SSID that indicated it was a detonator? Most likely not. That would increase the chances of the device being discovered before it could be detonated. Holding the flight until the device was located was an overreaction.

In addition to being an overreaction it also gives individuals interested in interfering with airline service a cheap and effective means of accomplishing their goals. With little more than a Wi-Fi access point you can perform a denial of service attack against an airplane.