Month: March 2017

Taking Down the 911 System

911 is the go-to number for most people when there’s an emergency. But 911 is an old system and old systems are often vulnerable to distributed denial of service attacks:

For over 12 hours in late October, 911 lines across the country were ringing so much that they nearly went down. Nobody knew why this was happening, until Phoenix police discovered that 18-year-old Meetkumar Hitesbhai Desai tweeted a link that caused iPhones to repeatedly dial 911. Now, more details have emerged about how the Twitter prank spiraled out of control.

Desai claimed the attack was a joke gone wrong, telling police he only meant for the link to cause annoying pop-ups, The Wall Street Journal reports. However, he posted the wrong code. It started when, from his @SundayGavin Twitter account, he tweeted the link and wrote, “I CANT BELIEVE PEOPLE ARE THIS STUPID.” When clicked, the URL, which was condensed by Google’s link shortener, launched an iOS-based JavaScript attack that caused iPhones to dial 911 repeatedly. When users hung up, the phone would keep redialing until it was restarted.

This story touches on a lot of different topics. First, it shows how dangerous software glitches can be. Since most people only think to dial 911 when there’s an emergency, a software glitch that allows a section of the 911 system to be taken down could cost people their lives. Second, it shows why URL shorteners are a pet peeve of mine. You never know where they’re going to take you until you’ve already clicked them. Third, it shows how easily a distributed denial of service attack can be created. One tweet with a link to a malicious piece of JavaScript was enough to bring a section of the 911 system to its knees.

The lessons to take away from this story are don’t to click random links and have a backup plan in case 911 is overwhelmed.

Vault 7

WikiLeaks dropped a large archive of Central Intelligence Agency (CIA) leaks. Amongst the archive are internal communications and documents related to various exploits the CIA had or has on hand for compromising devices ranging from smartphones to smart televisions.

I haven’t had a chance to dig through the entire archive yet but there’s one thing that everybody should keep in mind.

The government that claims to protect you, that many people mistakenly believe protects them, has been hoarding vulnerabilities and that has put you directly in harm’s way. Instead of reporting discovered vulnerabilities so they could be patched, the CIA, like the NSA, kept them secret so it could exploit them. Since discovery of a vulnerability doesn’t grant a monopoly on its use, the vulnerabilities discovered by the CIA may very well have been discovered by other malicious hackers. Those malicious hackers could, for example, be exploiting those vulnerabilities to spread a botnet that can be used perform distributed denial of service attacks against websites to extort money from their operators.

Remember this the next time some clueless fuckstick tells you that the government is there to keep you safe.

While I haven’t had a chance to read through the archive, I have had a chance to read various comments and reports regarding the information in the archive. By doing this I’ve learned two things. First, the security advice posted by most random Internet denizens is reminiscent of the legal advice posted by most sovereign citizens. Second, the media remains almost entirely clueless about information security.

Case in point, a lot of comments and stories have said that the archive contains proof that the CIA has broken Signal and WhatsApp. But that’s not true:

It’s that second sentence that’s vital here: It’s not that the encryption on Signal, WhatsApp (which uses the same encryption protocol as Signal), or Telegram has been broken, it’s that the CIA may have a way to break into Android devices that are using Signal and other encrypted messaging apps, and thus be able see what users are typing and reading before it becomes encrypted.

There is a significant difference between breaking the encryption protocol used by a secure messaging app and breaking into the underlying operating system. The first would allow the CIA to sit in the middle of Signal or WhatsApp connections, collect packets being sent to and from Signal and WhatsApp clients, and decrypting the packets and reading the contents. This would allow the CIA to potentially surveil every WhatsApp and Signal user. The second would allow the CIA to target individual devices, compromise the operating system, and surveil everything the user is doing on that device. Not only would this compromise the security of Signal and WhatsApp, it would also compromise the security of virtual private networks, Tor, PGP, and every other application running on the device. But the attack would only allow the CIA to surveil specific targeted users, not every single user of an app.

The devil is in the details and a lot of random Internet denizens and journalists are getting the details wrong. It’s going to take time for people with actual technical knowhow to dig through the archive and report on the information they find. Until then, don’t panic.

The BBC was Reported for Producing Child Pornography

The BBC, the propaganda arm of the British government, was performing an investigation into supposed child pornography being hosted on Facebook. In the BBC’s zeal to break and scandalous story it inadvertently fell afoul with Britain’s laws against producing child pornography so Facebook reported it:

According to the CPS, extreme care must be taken with illegal material that shows children being sexually abused. Its guidelines state: “Investigation should not involve making more images, or more copies of each image, than is needed in all the circumstances.”

The BBC could have sought help from the NCA or ACPO on how to handle the material, which the CPS says “will give additional certainty to individuals and organisations who are likely to need, frequently, to ‘make’ indecent photograph or pseudo-photograph and, provided the conditions were adhered to, such activities would not be subject to a criminal investigation as it would not be in the public interest to prosecute.”

But it’s unclear whether the corporation did this prior to taking the copied images to Facebook. Facebook’s policy director Simon Milner said in a statement:

We have carefully reviewed the content referred to us and have now removed all items that were illegal or against our standards. This content is no longer on our platform. We take this matter extremely seriously and we continue to improve our reporting and take-down measures.

It is against the law for anyone to distribute images of child exploitation. When the BBC sent us such images we followed our industry’s standard practice and reported them to CEOP [Child Exploitation & Online Protection Centre]. We also reported the child exploitation images that had been shared on our own platform. This matter is now in the hands of the authorities.

I guess the BBC figured that since it’s an arm of the British government that it was above the law. It’ll be interesting to see if the Child Exploitation and Online Protection Centre extends the BBC investigators professional courtesy or actually enforces the law as it is written.

The United States isn’t unique in having more laws on the books than any individual can realistically memorize. Britain has the same issue. This issue is often heartbreaking to witness because it leads to innocent people being kidnapped and tossed in a cage for years. But when employees of the government that wrote the laws encounters this issue it’s hilarious.

I Want Healthcare Coverage Against Parasites

Now that the Republicans have seized both houses of Congress and the presidency they are busy going through with their promise to repeal and replace Obamacare. The second word, replace, is the keyword because the Republicans are doing nothing more than putting a bandage on a severed limb so they can take credit for helping.

However, the rhetoric surrounding this repeal and replace process is hilarious. Supporters of Obamacare are pissed and already claiming that this new bill will basically kill everybody in the country. Supporters of the Republicans are split. Some of them are not happy with the replace aspect. Others are supportive of it. So far my favorite piece of rhetoric goes to this dumbass:

Rep. Jason Chaffetz (R-Utah) on Tuesday said Americans may have to choose between purchasing a new iPhone or paying for health insurance.

“You know what, Americans have choices. And they’ve got to make a choice,” the House Oversight Committee chairman told CNN’s “New Day,” one day after the House GOP unveiled its plan to replace ObamaCare.

“And so maybe, rather than getting that new iPhone that they just love and they want to spend hundreds of dollars on, maybe they should invest in their own healthcare.”

You have to love the fact that a parasite who lives entirely off of money extorted from tax payers is telling the people he’s been extorting how to spend what little money he and his ilk are allowing them to keep. It also shows how out of touch some of these parasites are. The price of an iPhone won’t even buy a month of healthcare coverage for many people. It certainly won’t buy a year for most people.

Perhaps if he and his ilk allowed us lowly serfs to keep more of our money we could afford better healthcare coverage. Surprisingly, that option apparently hasn’t crossed his mind.

Uber’s Self-Defense Strategy

Last week it was revealed that Uber developed a self-defense strategy against the State. Needless to say, this upset a lot of statists who were posting the #DeleteUber hashtag even harder than they were before. But those of us who don’t subscribe to the insanity that is statism can learn a lot from Uber’s example:

“SAN FRANCISCO — Uber has for years engaged in a worldwide program to deceive the authorities in markets where its low-cost ride-hailing service was being resisted by law enforcement or, in some instances, had been outright banned.

The program, involving a tool called Greyball, uses data collected from the Uber app and other techniques to identify and circumvent officials. Uber used these methods to evade the authorities in cities such as Boston, Paris and Las Vegas, and in countries like Australia, China, Italy and South Korea.

[…]

Uber’s use of Greyball was recorded on video in late 2014, when Erich England, a code enforcement inspector in Portland, Ore., tried to hail an Uber car downtown as part of a sting operation against the company.

[…]

But unknown to Mr. England and other authorities, some of the digital cars they saw in the app did not represent actual vehicles. And the Uber drivers they were able to hail also quickly canceled. That was because Uber had tagged Mr. England and his colleagues — essentially Greyballing them as city officials — based on data collected from the app and in other ways. The company then served up a fake version of the app populated with ghost cars, to evade capture.”

How brilliant is that? The company identified a significant threat, government goons who were working to extort the company, and then screwed with them, which made their job of extortion more difficult.

This is a strategy more companies need to adopt. Imagine a world where services such as Facebook, Gmail, Google Maps, iCloud, SoundCloud, and other online services identified government goons and refused to work for them. It would be a tremendous strike against the quality of life of many government employees. In fact, the hit might be powerful enough to convince them to seek productive employment.

Companies like Facebook and Google have built their fortunes on surveilling customers. Why not use that massive store of data for good by identifying government employees, or at least the regulators that make their lives difficult, and either screw with them or outright refusing to do business with them? There’s no reason anybody should be expected to do business with extortionists.

What What (In the Butt)

The Transportation Security Administration (TSA) has announced that it’s going to perform even more thorough acts of sexual assault against air travelers:

While few have noticed, U.S. airport security workers long had the option of using five different types of physical pat-downs at the screening line. Now, those have been eliminated, replaced instead with one universal approach. And this time, you will notice.

The new physical touching-for those selected to have a pat-down-will be more invasive in what the federal agency describes as a more “comprehensive” physical screening, according to a Transportation Security Administration spokesman.

Denver International Airport, for example, notified employees and flight crews on Thursday that the “more rigorous” searches “will be more thorough and may involve an officer making more intimate contact than before.”

I guess the TSA hired Agent Flemming:

How much more “intimate” could they get? Current pat downs cover everything except grabbing junk and cavity searches. I wonder if TSA agents will at least inform you if they feel anything potentially cancerous in your colon.

Not surprisingly, the TSA is citing its abysmal failures as justification for performing even more grotesque acts of sexual assault. When government agencies fuck up they always punish the people.

Punishing Suspects without Proving Guilt

Federal prosecutors have a history of letting suspected child pornographers go free so it can keep the techniques it used to identify them secret. That history continues:

Rather than share the now-classified technological means that investigators used to locate a child porn suspect, federal prosecutors in Washington state have dropped all charges against a man accused of accessing Playpen, a notorious and now-shuttered website.

The case, United States v. Jay Michaud, is one of nearly 200 cases nationwide that have raised new questions about the appropriate limitations on the government’s ability to hack criminal suspects. Michaud marks just the second time that prosecutors have asked that case be dismissed.

Of course, the government left an out for itself. Double jeopardy is a concept under United States law that protects individuals from being prosecuted for the same crime twice. However, like all concepts that appear to protect the people from the government, there are loopholes that allow double jeopardy to be bypassed. A case can be dismissed with either with or without prejudice. If a case is dismissed with prejudice then it is done. If a case is dismissed without prejudice then it can be brought back into the courtroom at a later date.

“The government must now choose between disclosure of classified information and dismissal of its indictment,” Annette Hayes, a federal prosecutor, wrote in a court filing on Friday. “Disclosure is not currently an option. Dismissal without prejudice leaves open the possibility that the government could bring new charges should there come a time within the statute of limitations when and the government be in a position to provide the requested discovery.”

Dismissal without prejudice is often used when prosecutors screwed up procedurally. It gives them the option to correct their mistake and refile. But in this case the prosecution didn’t screw up procedurally. It simply didn’t want to reveal its evidence at this time but wants to reserve the ability to refile the charges at a time it finds more convenient. By using the ability to dismiss without prejudice in this manner the State has effectively nullified the concept of double jeopardy.

The government can recharge Jay Michaud when it decides that it wants to actually reveal its evidence. I think this move shows us how the government is planning to proceed. Instead of revealing the exploits it used to identify suspected child pornographers, the government will bring charged and dismiss them without prejudice and then recharge previous suspects after either the exploits have been discovered and patched or the statute of limitations is about to expire.

I’m sure this sounds like a great strategy to many people, especially considering the crime at hand. But it throws the entire concept of double jeopardy out the window. Instead of gathering enough evidence to bring charges and revealing that evidence to a jury, prosecutors can gather evidence, bring charges, dismiss the case without prejudice, and then bide their time until they decide to press charges again (where they may decide to just repeat the cycle or actually prosecute the suspect). Meanwhile, the suspect has to live with the charges looming over their head, which will almost certainly cause them a great deal of anxiety and mental anguish. It’s borderline mental torture. Dismissal without prejudice when used in this manner allows the State to inflict some punishment in the form of mental anguish without having to actually prove a suspect is guilty of a crime.

Forgetting a Bunch of Zeros

I’m lead to believe that the author of this article left off a bunch of zeros:

Capt. Troy Balcar of the San Antonio Fire Department said a family member found a sealed box with about 75 rounds of decades-old ammunition underneath the house. He said the rounds were about 40 years old, based on a date written on the box. Half a dozen nearby homes were evacuated for about three hours.

Perhaps the author meant 7,500,000 rounds of ammunition? Honestly, I’d expect less overreactions from Texas than this. That state seems to have its head mostly screwed on right when it comes to firearms.

Closing Loopholes

Politicians likes to talk about various loopholes that private individuals exploit. But what about the loopholes politicians exploit? Realizing that data stored on government systems is potentially accessible via Freedom of Information Act (FOIA) requests, some clever politicians have started storing their data on their private systems thinking that doing so will defend them against FOIA requests. The California Supreme Court decided to close that particular loophole:

The California Supreme Court ruled Thursday that state and local officials must disclose public records even if those “writings” are held on private devices or accounts. The City of San Jose and the County of Santa Clara had argued that such records could be exempted from the California Public Records Act.

The case dates back to 2009, when Ted Smith, a local environment activist, filed a public records request about various San Jose officials’ requests concerning local development efforts. When records came back that did not include materials from personal devices or accounts, he sued.

At one point it wasn’t uncommon for companies to forbid employees from brining private devices into the workplace. Perhaps government agencies should consider adopting such policies. Sure, it’ll make the lives of government employees a bit more miserable but I consider that an added bonus, not a detriment. It would make it more difficult for government employees to disappear information by storing it on personal devices and then wiping that data to guard it against FOIA requests (even if the law requires handing over that data one cannot hand over what no longer exists).