Month: December 2016

Russia

Russia hasn’t occupied this much airtime on American news channels since the Cold War. But everywhere you look it’s Russia this and Russia that. Russia is propping up the Assad regime in Syria! Russia rigged the election! Russia stole my lunch money!

Wait, let’s step back to the second one. A lot of charges are being made that Russia “hacked” the election, which allowed Trump to win. And there’s some evidence that shenanigans were taking place regarding the election:

Georgia’s secretary of state says the state was hit with an attempted hack of its voter registration database from an IP address linked to the federal Department of Homeland Security.

Well that’s embarrassing. Apparently the Department of Motherland Fatherland Homeland Security (DHS) is a Russian agency. Who would have guessed?

Could Russia have influenced the election? Of course. We live in an age of accessible real-time global communications. Anybody could influence anybody else’s voting decision. A person in South Africa could influence a voter in South Korea to opt for one choice over another. This global communication system also means that malicious hackers in one nation could compromise any connected election equipment in another country.

However, the biggest check against Russian attempts to rig the election is all of the other forces that would be trying to do the exact same thing. People have accused both the Federal Bureau of Investigations (FBI) and the Central Intelligence Agency (CIA) (admittedly, rigging elections is what the CIA does) of trying to rig the election. Likewise, there are some questions about what exactly the DHS was doing in regards to Georgia. Major media companies were working overtime to influence people’s voting decision. Countries in Europe had a vested interest in the election going one way or another as did pretty much every other country on Earth.

I have no evidence one way or another but that’s never stopped me from guessing. My guess as to why these accusations against Russia are being made so vehemently is that a lot of voters are looking for answers as to why Trump won but are unwilling to consider that their preferred candidate was terrible. When you convince yourself that the candidate you oppose is Satan incarnate then you lose the ability to objectively judge your own candidate because in your head it’s now a battle between evil and good, not a battle between two flawed human beings.

Security Implications of Destructive Updates

More and more it should be becoming more apparent that you don’t own your smartphone. Sure, you paid for it and you physically control it but if the device itself can be disabled by a third-party without your authorization can you really say that you own it? This is a question Samsung Galaxy Note 7 owners should be asking themselves right now:

Samsung’s Galaxy Note 7 recall in the US is still ongoing, but the company will release an update in a couple of weeks that will basically force customers to return any devices that may still be in use. The company announced today that a December 19th update to the handsets in the States will prevent them from charging at all and “will eliminate their ability to work as mobile devices.” In other words, if you still have a Note 7, it will soon be completely useless.

One could argue that this ability to push an update to a device to disable it is a good thing in the case of the Note 7 since the device has a reputation for lighting on fire. But it has rather frightening ownership and security implications.

The ownership implications should be obvious. If the device manufacturer can disable your device at its whim then you can’t really claim to own it. You can only claim that you’re borrowing it for as long as the manufacturer deems you worthy of doing so. However, in regards to ownership, nothing has really changed. Since copyright and patent laws were applied to software your ability to own your devices has been basically nonexistent.

The security implications may not be as obvious. Sure, the ability for a device manufacturer to push implicitly trusted software to their devices carries risks but the tradeoff, relying on users to apply security updates, also carries risks. But this particular update being pushed out by Samsung has the ability to destroy users’ trust in manufacturer updates. Many users are currently happy to allow their devices to update themselves automatically because those updates tend to improve the device. It only takes a single bad update to make those users unhappy with automatic updates. If they become unhappy with automatic updates they will seek ways of disabling updates.

The biggest weakness in any security system tends to be the human component. Part of this is due to the difficulty of training humans to be secure. It takes a great deal of effort to train somebody to follow even basic security principles but it takes very little to undo all of that training. A single bad experience is all that generally stands between that effort and having all of it undone. If Samsung’s strategy becomes more commonplace I fear that years of getting users comfortable with automatic updates may be undone and we’ll be looking at a world where users jump through hoops to disable updates.

The Planes Have Ears

While a bunch of nationalists continue to call Snowden a traitor and demand he return to the United States for execution the rest of us are looking at the material he provided about the criminal organization he worked for as a contractor. Through the information he provided we’ve learned a great deal about how the National Security Agency (NSA) has been abusing its power to surveil the American public. Whether on the ground, on the sea, or in the air the NSA is spying on you:

IN THE TROVE of documents provided by former National Security Agency contractor Edward Snowden is a treasure. It begins with a riddle: “What do the President of Pakistan, a cigar smuggler, an arms dealer, a counterterrorism target, and a combatting proliferation target have in common? They all used their everyday GSM phone during a flight.”

This riddle appeared in 2010 in SIDtoday, the internal newsletter of the NSA’s Signals Intelligence Directorate, or SID, and it was classified “top secret.” It announced the emergence of a new field of espionage that had not yet been explored: the interception of data from phone calls made on board civil aircraft. In a separate internal document from a year earlier, the NSA reported that 50,000 people had already used their mobile phones in flight as of December 2008, a figure that rose to 100,000 by February 2009. The NSA attributed the increase to “more planes equipped with in-flight GSM capability, less fear that a plane will crash due to making/receiving a call, not as expensive as people thought.” The sky seemed to belong to the agency.

In a 2012 presentation, Government Communications Headquarters, or GCHQ, the British equivalent of the NSA, in turn disclosed a program called “Southwinds,” which was used to gather all the cellular activity, voice communication, data, metadata, and content of calls on board commercial aircraft. The document, designated “top secret strap,” one of the highest British classification levels, said the program was still restricted to the regions covered by satellites from British telecommunications provider Inmarsat: Europe, the Middle East, and Africa.

I vaguely remember something about some bill listing some supposed rights. If I remember correctly one of the items on that list mentioned something about a right to being protected from unwarranted searches.

Anybody who is even moderately well read on history knows that national surveillance apparatuses are generally developed under the guise of surveilling external threats but always end up being used to surveil the nation’s own people. This is why privacy advocates tend to have a zero tolerance policy in regards to national surveillance efforts. It is also why only a fool would support such efforts.

What Snowden did wasn’t traitorous, it was an attempt to bring some accountability to the unaccountable. The NSA has been performing untargeted searches. Untargeted searches necessarily means no warrants have been issued, which means these searches of the American people are in violation of the language of the Fourth Amendment. This is why it amuses me when self-proclaimed constitutionalists call for Snowden’s head. It is also why I’m amused by people who claim that the Constitution is a protection against the government’s power. To quote Lysander Spooner, “But whether the Constitution really be one thing, or another, this much is certain – that it has either authorized such a government as we have had, or has been powerless to prevent it. In either case it is unfit to exist.”

History Repeats Itself

I swear that the United States government is hellbent on repeating all of its dumbest mistakes over and over again. One mistake that the United States loves to repeat is handing out weapons to groups that will eventually use those weapons against it. This strategy was a staple of the Cold War. During that period the United States would hand weapons out like candy to anybody who declared themselves in opposition to the Soviet Union. Today the same strategy is being used although the weapons are being handed to anybody who declares themselves in opposition to whatever particular nation or organization is the flavor of the day. Right now the flavor is Syria:

Washington, D.C. – Congress for the first time authorized the Department of Defense to provide vetted-Syrian rebels with anti-aircraft missiles.

The provision is contained within the $619 billion Fiscal Year 2017 National Defense Authorization Act, which passed the Senate on Dec. 8 and the House on Dec. 2.

Under the bill, the Secretaries of Defense and State must submit a report to Congress explaining why they determined Syrian groups need man-portable air defense systems (MANPADS).

We keep hearing that it’s impossible to vet Syrian refugees but apparently it’s not too much trouble to vet entire Syrian rebel groups.

If you’ve read any history, even badly, of the proxy wars that were waged by the Soviet Union and the United States you know how this will play out. The Secretaries of Defense and State will submit a report to Congress, which will give Congress the ability to cover its ass. Congress will authorize the transfer of weapons to the Syrian rebel groups. Those weapons will then eventually be used to shoot down a commercial airliner or some such nonsense and Congress will act shocked and demand to know where this terrorist organization (they cease being a rebel group when they no longer serve the United States’ interests) obtained such weaponry.

Everything Old is New Again

During the Cold War Senator Joe McCarthy believed that the Soviets had infiltrated every branch of the United States government. Unhappy by the prospect of evil communists infiltrating his beloved fascist government, McCarthy decided to do the only thing he knew how to do, perform witch hunts. He made the lives of many people miserable all because he didn’t want international socialists in his national socialist government.

Those who don’t remember history are doomed to repeat it. Those who do remember history are doomed to watch everybody else repeat it:

On Tuesday, Democratic Whip Steny Hoyer (D-Md.) and six ranking members of major House committees sent President Obama a letter declaring, “We are deeply concerned by Russian efforts to undermine, interfere with, and even influence the outcome of our recent election.”

A prominent signer of the letter — Rep. Adam Schiff (D-Calif.), the ranking member of the House Intelligence Committee — is among the Democrats most eager to denounce Russian subversion.

A week ago, when the House approved by a 390-30 margin and sent to the Senate the Intelligence Authorization Act for fiscal 2017, Schiff praised “important provisions aimed at countering Russia’s destabilizing efforts — including those targeting our elections.” One of those “important provisions,” Section 501, sets up in the executive branch “an interagency committee to counter active measures by the Russian Federation to exert covert influence.”

The only difference between the beginning of this story and the beginning of McCarthy’s story is that in this revision Russia isn’t a communist nation anymore.

If you read the document you’ll see that it tasks the committee with nebulous responsibilities that are vague enough to mean anything. My favorite responsibility is probably dealing with media manipulation. It must be noted that the document is tasking the committee with specifically countering Russian media manipulation, not manipulation performed by the United States government because that form of manipulation is doubleplusgood. What this requirement will boil down to is any media reports that aren’t favorable to the interests of the United States will likely be called Russian influence and dealt with accordingly. I’m sure there are a lot of journalists out there that will find themselves under federal investigation, probably of the secret variety, because they reported the wrong side of a story.

After the conclusion of the Cold War you might have expected the United States to chill the fuck out. With its only credible adversary out of the picture the United States could stop living in a constant state of fear. Instead it sought high and low for a new threat. Many were tried; Iran, al Qaeda, Iraq, etc.; but it quickly became obvious that the hole in the United States’ heart could only be filled by Russia. So here we are, decades after the fall of the Soviet Union, still looking to hold witch trails on account of Russia.

Nothing changes.

Conservative Political Correctness

If you mention the words “political correctness” to a conservative they’ll often respond by acting as seemingly offensive as possible. You’ll also listen to them scream about how everything is terrible because of liberal political correctness. But cognitive dissonance is the staple of any political diet. Conservatives love political correctness, they just love a different form of it:

But conservatives have their own, nationalist version of PC, their own set of rules regulating speech, behavior and acceptable opinions. I call it “patriotic correctness.” It’s a full-throated, un-nuanced, uncompromising defense of American nationalism, history and cherry-picked ideals. Central to its thesis is the belief that nothing in America can’t be fixed by more patriotism enforced by public shaming, boycotts and policies to cut out foreign and non-American influences.

If you want to “trigger” a conservative try sitting for the national anthem. When they start complaining double down by telling them that it’s a shitty song. If you invite your conservative friends over for dinner keep in mind that it’s acceptable to wipe your mouth with American flag napkins but if you have a flag outside and it touches the ground you’ll be getting an ear full. The next time a white cop shoots a unarmed black man under very questionable circumstances bring up the topic of racism as it pertains to policing. Just make sure to have a handkerchief on hand to wipe their spittle off of your face as they’re screaming incoherently at you.

Everything conservatives make fun of liberals for, such as political correctness and safe spaces, is something they also tend to exhibit.

Degrees of Anonymity

When a service describes itself as anonymous how anonymous is it? Users of Yik Yak may soon have a chance to find out:

Yik Yak has laid 70 percent of employees amid a downturn in the app’s growth prospects, The Verge has learned. The three-year-old anonymous social network has raised $73.5 million from top-tier investors on the promise that its young, college-age network of users could one day build a company to rival Facebook. But the challenge of growing its community while moving gradually away from anonymity has so far proven to be more than the company could muster.

[…]

But growth stalled almost immediately after Sequoia’s investment. As with Secret before it, the app’s anonymous nature created a series of increasingly difficult problems for the business. Almost from the start, Yik Yak users reported incidents of bullying and harassment. Multiple schools were placed on lockdown after the app was used to make threats. Some schools even banned it. Yik Yak put tools in place designed to reduce harassment, but growth began to slow soon afterward.

Yik Yak claimed it was an anonymous social network and on the front end the data did appear anonymous. However, the backend may be an entirely different matter. How much information did Yik Yak regularly keep about its users? Internet Protocol (IP) addresses, Global Positioning System (GPS) coordinates, unique device identifiers, phone numbers, and much more can be easily collected and transmitted by an application running on your phone.

Bankruptcy is looking like a very real possibility for Yik Yak. If the company ends up filing then its assets will be liquidated. In this day and age user data is considered a valuable asset. Somebody will almost certainly end up buying Yik Yak’s user data and when they do they may discover that it wasn’t as anonymous as users may have thought.

Not all forms of anonymity are created equal. If you access a web service without using some kind of anonymity service, such as Tor or I2P, then the service has some identifiable information already such as your IP address and a browser fingerprint. If you’re access the service through a phone application then that application may have collected and transmitted your phone number, contacts list, and other identifiable information (assuming, of course, the application has permission to access all of that data, which it may not depending on your platform and privacy settings). While on the front end of the service you may appear to be anonymous the same may not hold true for the back end.

This issue becomes much larger when you consider that even if your data is currently being held by a benevolent company that does care about your privacy that may not always be the case. Your data is just a bankruptcy filing away from falling into the hands of somebody else.

Secure E-Mail is an Impossibility

A while back I wrote a handful of introductory guides on using Pretty Good Privacy (PGP) to encrypt the content of your e-mails. They were well intentioned guides. After all, everybody uses e-mail so we might as well try to secure it as much as possible, right? What I didn’t stop to consider was the fact that PGP is a dead end technology for securing e-mails not because the initial learning curve is steep but because the very implementation itself is flawed.

I recently came across a blog post by Filippo Valsorda that sums up the biggest issue with PGP:

But the real issues I realized are more subtle. I never felt confident in the security of my long term keys. The more time passed, the more I would feel uneasy about any specific key. Yubikeys would get exposed to hotel rooms. Offline keys would sit in a far away drawer or safe. Vulnerabilities would be announced. USB devices would get plugged in.

A long term key is as secure as the minimum common denominator of your security practices over its lifetime. It’s the weak link.

Worse, long term keys patterns like collecting signatures and printing fingerprints on business cards discourage practices that would otherwise be obvious hygiene: rotating keys often, having different keys for different devices, compartmentalization. It actually encourages expanding the attack surface by making backups of the key.

PGP, in fact the entire web of trust model, assumes that your private key will be more or less permanent. This assumption leads to a lot of implementation issues. What happens if you lose your private key? If you have an effective backup system you may laugh at this concern but lost private keys are the most common issue I’ve seen PGP users run into. When you lose your key you have to generate a new one and distribute it to everybody you communicate with. In addition to that, you also have to resign people’s existing keys. But worst of all, without your private key you can’t even revoke the corresponding published public key.

Another issue is that you cannot control the security practices of other PGP users. What happens when somebody who signed your key has their private key compromised? Their signature, which is used by others to decide whether or not to trust you, becomes meaningless because their private key is no longer confidential. Do you trust the security practices of your friends enough to make your own security practices reliant on them? I sure don’t.

PGP was a jury rigged solution to provide some security for e-mail. Because of that it has many limitations. For starters, while PGP can be used to encrypt the contents of a message it cannot encrypt the e-mail headers or the subject line. That means anybody snooping on the e-mail knows who the parties communicating are, what the subject is, and any other information stored in the headers. As we’ve learned from Edward Snowden’s leaks, metadata is very valuable. E-mail was never designed to be a secure means of communicating and can never be made secure. The only viable solution for secure communications is to find an alternative to e-mail.

With that said, PGP itself isn’t a bad technology. It’s still useful for signing binary packages, encrypting files for transferring between parties, and other similar tasks. But for e-mail it’s at best a bandage to a bigger problem and at worst a false sense of security.

Time Urges Readers to Stop Paying Taxes

You know we’ve all been sucked into a wormhole and dumped out into Bizarro World when statist rags like Time start sounding more like me:

The approximately 65 million Democrats who voted for Hillary Clinton should pledge that in the future if a Republican wins the presidency with fewer votes than a Democrat for the third time in our era, we won’t pay taxes to the federal government. No taxation without representation!

Admittedly, I didn’t really care which of the two crooks was elected president but watching the Democrats suddenly become more anti-state has been filling with me no minor amount of joy. The anti-war left is starting to come back out of the woodwork, Democrats are suddenly outraged by the expansive surveillance powers the State has granted itself, Californians are talking about secession, and Time is urging their readers to stop paying taxes. Of course they will revert to their old selves as soon as their guy gets back in power but for at least four years I’ve got some really good entertainment to watch.