Discarding the Veil of Legitimacy

Since their inception, government law enforcers here in the United States have pretended to be servants of the people. That facade is finally being discarded as more law enforcers begin to show their true colors. For example, in the past law enforcers might respond to questions about arresting protesters by citing their duty to protect the community. Now, at least in St. Louis, their responses are almost indistinguishable from statements one might expect from nongovernmental criminal gangs:

Gov. Eric Greitens is eager to show he’s not like a former governor whom he accused of tolerating looting and arson in Ferguson. So much so that his Facebook post Sunday about vandalism in the Delmar Loop dropped any claim to formality.

“Our officers caught ’em, cuffed ’em, and threw ’em in jail,” it said. “They’re gonna wake up and face felony charges.”

On Sunday night, as police officers marched downtown, a Post-Dispatch photographer heard them chant a refrain most often heard at Ferguson protests: “Whose streets? Our streets.”

Later, after St. Louis police made more than 100 arrests downtown on Sunday night, Acting Chief Lawrence O’Toole’s words seemed meme-ready: “Police owned tonight.”

“Whose streets? Our streets.” In other words, the streets are our turf. “Police owned tonight.” Put another way, law enforcers won the fight against a rival gang.

The lack of professionalism is refreshing because it reveals law enforcers’ true colors. However, it’s also disconcerting because the thin veil of legitimacy is probably the only thing that has restrained the behavior of law enforcers in any way. If they’re no longer concerned about appearing legitimate, they may begin acting even more viciously.

Making Open Access Less Open

Most states have a version of the federal government’s Freedom of Information Act (FOIA), which nominally allows mere peasants like myself to request records from the mighty government. While both the federal law and the various state versions do technically exist, they’ve become more and more useless as various barriers to entry have been raised between requesters and the documents they desire. Now various government bodies are throwing up yet another barrier, court cases:

Government bodies are increasingly turning the tables on citizens who seek public records that might be embarrassing or legally sensitive. Instead of granting or denying their requests, a growing number of school districts, municipalities and state agencies have filed lawsuits against people making the requests — taxpayers, government watchdogs and journalists who must then pursue the records in court at their own expense.

The lawsuits generally ask judges to rule that the records being sought do not have to be divulged. They name the requesters as defendants but do not seek damage awards. Still, the recent trend has alarmed freedom-of-information advocates, who say it’s becoming a new way for governments to hide information, delay disclosure and intimidate critics.

Even though the government bodies in question aren’t seeking damages, anybody who has been involved in a court case knows that they’re expensive regardless. At the very least you’re required to take time off of work so you can attend court. Much of the time lawyers are involved and they rack up a significant bill rapidly. You also have the other ancillary expenses like fuel to drive to the courthouse, parking fees, etc.

The law might say that government agencies are required to divulge specific records upon request but it doesn’t say that those agencies have to do it in the way most convenient for requesters, which was almost certainly by design. So while the laws may technically exist they are becoming more useless by the day in practice.

The EFF Resigns from the W3C

The World Wide Web Consortium (W3C) officially published its recommendation for a digital rights management (DRM) scheme. By doing so it put an end to its era of promoting an open web. After fighting the W3C on this matter and even proposing a very good compromise, which was rebuffed, the Electronic Frontier Foundation (EFF) has resigned from the W3C:

We believe they will regret that choice. Today, the W3C bequeaths a legally unauditable attack-surface to browsers used by billions of people. They give media companies the power to sue or intimidate away those who might re-purpose video for people with disabilities. They side against the archivists who are scrambling to preserve the public record of our era. The W3C process has been abused by companies that made their fortunes by upsetting the established order, and now, thanks to EME, they’ll be able to ensure no one ever subjects them to the same innovative pressures.

[…]

Effective today, EFF is resigning from the W3C.

Since the W3C no longer serves its intended purpose I hope to see many other principled members resign from the organization as well.

While content creators are interested in restricting the distribution of their products, the proposal put forth by the W3C will return us to the dark days of ActiveX. Since the proposal is really an application programming interface (API), not a complete solution, content creators can require users to install any DRM scheme. These DRM schemes will be native code. If you remember the security horrors of arbitrary native code being required by websites using ActiveX, you have an idea of what users are in for with this new DRM scheme. At this point I hope that the W3C burns to the ground and a better organization rises from its ashes.

iOS 11 Makes It More Difficult for Police to Access Your Device

One reason I prefer iOS over Android is because Apple has invested more heavily in security than Google has. Part of this comes from the fact Apple controls both the hardware and software so it can implement hardware security features such as its Secure Enclave chip whereas the hardware security features available on an Android device are largely dependent on the manufacturer. However, even the best security models have holes in them.

Some of those holes are due to improperly implemented features while others are due to legalities. For example, here in the United States law enforcers have a lot of leeway in what they can do. One thing that has become more popular, especially at the border, is the use of devices that copy data from smartphones. This has been relatively easy to do on Apple devices if the user unlocks the screen because trusting a new connection has only required the tapping of a button. That will change in iOS 11:

For the mobile forensic specialist, one of the most compelling changes in iOS 11 is the new way to establish trust relationship between the iOS device and the computer. In previous versions of the system (which includes iOS 8.x through iOS 10.x), establishing trusted relationship only required confirming the “Trust this computer?” prompt on the device screen. Notably, one still had to unlock the device in order to access the prompt; however, fingerprint unlock would work perfectly for this purpose. iOS 11 modifies this behaviour by requiring an additional second step after the initial “Trust this computer?” prompt has been confirmed. During the second step, the device will ask to enter the passcode in order to complete pairing. This in turn requires forensic experts to know the passcode; Touch ID alone can no longer be used to unlock the device and perform logical acquisition.

Moreover, Apple has also included a way for users to quickly disable the fingerprint sensor:

In iOS 11, Apple has added a new emergency feature designed to give users an intuitive way to call emergency by simply pressing the Power button five times in rapid succession. As it turns out, this SOS mode not only allows quickly calling an emergency number, but also disables Touch ID.

These two features appear to be aimed at keeping law enforcers accountable. Under the legal framework of the United States, a police officer can compel you to provide your fingerprint to unlock your device but compelling you to provide a password is still murky territory. Some courts have ruled that law enforcers can compel you to provide your password while others have not. This murky legal territory offers far better protection than the universal ruling that you can be compelled to provide your fingerprint.

Even if you are unable to disable the fingerprint sensor on your phone, law enforcers will still be unable to copy the data on your phone without your password.

Let Them Eat Rabbit

Socialism has brought equality to Venezuelans! Everybody is equally hungry (except for members of the Party but they’re more important than the lowly proles) and it’s not sitting well. Probably hoping to keep his head firmly attached to his neck, President Maduro has offered a plan to deal with the country’s hunger. His plan? Let them eat rabbit:

That was basically the message from President Nicolas Maduro to Venezuelans starving and struggling through severe food shortages brought on by a spiraling economic crisis.

Maduro unveiled “Plan Rabbit” on Wednesday with his agriculture minister, Freddy Bernal, at a meeting that was broadcast on Periscope. (In the video, the announcement comes after the two-hour mark).

Unfortunately for the people of Venezuela, rabbit meat alone doesn’t fend off starvation:

Protein poisoning was first noted as a consequence of eating rabbit meat exclusively, hence the term, “rabbit starvation”. Rabbit meat is very lean; commercial rabbit meat has 50–100 g dissectable fat per 2 kg (live weight). Based on a carcass yield of 60%, rabbit meat is around 8.3% fat while beef and pork are 32% fat and lamb 28%.

Unless Venezuelans can find a source of fat to go with their rabbit meat, they’ll be in the same position they currently are.

New Levels of Incompetence

Equifax, one of the largest consumer credit report agencies, recently suffered a major database breach. Of course, you wouldn’t know it if the media wasn’t giving it heavy coverage because Equifax seems to want to keep things hush hush and I understand why. After reading this it would appear that Equifax implemented worse security than most college students in an introductory web development class:

It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”

[…]

Each employee record included a company username in plain text, and a corresponding password that was obfuscated by a series of dots.

However, all one needed to do in order to view said password was to right-click on the employee’s profile page and select “view source,” a function that displays the raw HTML code which makes up the Web site. Buried in that HTML code was the employee’s password in plain text.

This is an impressive level of incompetence and I mean that sincerely. Most amateur websites have better security than this. The fact that a company as large as Equifax could implement worse security practices than even the most amateur of amateur web developers is no small feat. Unfortunately, its piss poor security practices have put a lot of people’s sensitive information in the hands of unknown parties.
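
The flaw described in the report, a password hidden behind dots in the browser but present in the page source, is something a reviewer can check for mechanically in server-rendered HTML. The following is an added example, not code from the report or from Equifax; the sample markup, the field names and the name hints are constructed assumptions.

```python
from html.parser import HTMLParser

# Constructed sample of a server-rendered profile page (not the real portal's markup).
SAMPLE_PROFILE_HTML = """
<form id="employee-profile">
  <input type="text" name="username" value="jdoe">
  <input type="password" name="password" value="Example-Passw0rd">
  <input type="PASSWORD" name="confirm" value="">
  <input type="hidden" name="user_pwd" value="Example-Passw0rd">
  <input type="hidden" name="csrf_token" value="constructed-token">
</form>
"""

# Assumed naming hints for hidden fields that probably carry a credential.
SECRET_NAME_HINTS = ("pass", "pwd", "secret")


class PrefilledSecretFinder(HTMLParser):
    """Collects <input> elements whose markup ships a credential to the browser."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, field name, reason); the value is never stored

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = {key: (value or "") for key, value in attrs}
        if not attr.get("value"):
            return  # an empty field leaks nothing
        input_type = attr.get("type", "text").lower()
        name = attr.get("name", "")
        line, _ = self.getpos()
        if input_type == "password":
            # The dots are only a rendering choice; the value is in the source.
            self.findings.append((line, name, "password field pre-filled"))
        elif input_type == "hidden" and any(h in name.lower() for h in SECRET_NAME_HINTS):
            self.findings.append((line, name, "hidden field with secret-like name"))


def find_prefilled_secrets(html):
    """Return findings for every input that exposes a credential in page source."""
    finder = PrefilledSecretFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for line, name, reason in find_prefilled_secrets(SAMPLE_PROFILE_HTML):
        print(f"line {line}: {name!r}: {reason}")
```

A finding here also means the server can read the password back at all; storing only a salted hash removes the value that could be rendered.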

Subscriptions for Everything

The Apple Watch Series 3 was announced. Its hot new feature is built-in LTE, which means users no longer have to have it tethered to their phone for it to function. However, enabling LTE requires yet another subscription:

An Apple Watch Series 3 will cost you $10 per month on your cell plan, and it appears that all US carriers will offer three months of free service (a $30 credit). However, we’re still waiting for confirmation from Sprint.

AT&T and Verizon are also offering free activation (a $25 and $30 fee, respectively). T-Mobile will waive its $25 new SIM card kit fee. We’ve reached out to Sprint for their activation fee policies and will update when we have more. It’s interesting that the Apple Watch Series 3 is $10/month on Verizon, when other smartwatches cost $5 on their plan.

I’m starting to think that I’m the last person on Earth who doesn’t want a subscription plan tied to every damned thing I own.

This is a slight digression from yesterday’s post but it seems to me that more and more products are finding ways of tying subscriptions to them. Ulysses, a popular text editor, announced last month that it was changing to a subscription model. Several years before that Adobe announced that its products would change to a subscription model. We’re entering an era where ownership, even in a limited form, is being replaced by renting.

Don’t get me wrong, subscriptions make sense for some services. For example, cellular services rely on an infrastructure that needs constant maintenance. But we’re quickly approaching a point where every manufacturer is finding some way to attach a subscription plan to every product they sell. At this rate we’ll soon have to pay a subscription to keep our cars running.

Play Stupid Games, Win Stupid Prizes

On Tuesday night a security officer at St. Catherine University was shot. The initial report said that an individual had shot the officer but it turns out that the officer shot himself and lied about it. Why did he do that? Because he played a stupid game:

Investigators continued working the case all day Wednesday. While interviewing Ahlers about 9:15 p.m. Wednesday, he told officers that he was in a wooded area of the campus about 9:30 p.m. Tuesday. He had brought his personal handgun from home and was handling it when it accidentally discharged, hitting him in the shoulder.

He told police he’d lied and said he made up the story because he was afraid of losing his job because he’d brought a gun to work with him.

One of the rules of carrying a firearm is that you should leave it in the holster unless you absolutely need to use it. A holstered gun won’t hurt anybody but the second a gun leaves its holster the possibility of it being fired increases from zero.

As an additional note, if the officer wanted to carry a gun he should have sought out an armed job. Then he wouldn’t have had to worry about losing his job for being armed. Now he’ll probably lose his job and have a tough time getting a new job as a security officer since he’s proven himself to be untrustworthy.