A Geek With Guns

Chronicling the depravities of the State.

Archive for October, 2017

We Have Spain’s Answer

without comments

Last week Catalonia declared independence. I noted that what happens next will depend on Spain’s response. If Spain decided to ignore Catalonia, the country would realize its independence. If Spain decided to put the boot down on the Catalans’ throats, civil war could erupt. Now we know which direction Spain wants to go:

A Spanish judge has jailed two key members of the Catalan independence movement.

Jordi Sánchez and Jordi Cuixart, who lead prominent separatist groups, are being held without bail while they are under investigation for sedition.

I’m sure this is going to go over well with the Catalans. But I also suspect that Spain is eager to egg the Catalans into a violent response so it has an excuse to send its shock troops in to cleanse the region of any and all dissidents (and non-dissidents that happen to look at the shock troops in the wrong manner).

Once again we see the futility of democracy. If a group of people decide to vote for an option that isn’t approved by their rulers, their “voice” (which is what I’m told votes are) is stifled and, if necessary, the people who voted the wrong way are violently dealt with. There are few cases that I can think of where secession has been accomplished through a ballot box.

Written by Christopher Burg

October 17th, 2017 at 11:00 am

Counting People Killed by Law Enforcers isn’t Straightforward

without comments

How many people have been killed in the United States by law enforcers? That question is actually more complicated than it appears because there is a lot of questionable data being used to establish that number:

Over half of all police killings in 2015 were wrongly classified as not having been the result of interactions with officers, a new Harvard study based on Guardian data has found.

The finding is just the latest to show government databases seriously undercounting the number of people killed by police.

“Right now the data quality is bad and unacceptable,” said lead researcher Justin Feldman. “To effectively address the problem of law enforcement-related deaths, the public needs better data about who is being killed, where, and under what circumstances.”

Feldman used data from the Guardian’s 2015 investigation into police killings, The Counted, and compared it with data from the National Vital Statistics System (NVSS). That dataset, which is kept by the Centers for Disease Control and Prevention (CDC), was found to have misclassified 55.2% of all police killings, with the errors occurring disproportionately in low-income jurisdictions.

This revelation isn’t new nor should it be surprising. Statistics is often an exercise in creating the conclusion and fitting the data to that conclusion. If, for example, the government wanted to make its law enforcers appear to be less lethal, it could massage the number of people killed by its officers by coming up with a creative definition of law enforcement interaction. And government agencies can’t even claim a monopoly on this practice. It seems that most individuals and organizations use statistics to prove an already established conclusion instead of using statistics to establish a conclusion.

Now we have at least two sets of statistics on the number of people killed by law enforcers. Which set of numbers is correct? Who knows. The government has an obvious motivation to massage the numbers so it appears that fewer people are killed by law enforcers but Feldman may be motivated to massage the numbers so it appears that more people are killed by law enforcers. Most people will likely pick the set that proves their conclusion and call it a day. And do you know what? I can’t blame somebody for choosing that strategy because realistically both sets of statistics are probably misleading in some manner.

Written by Christopher Burg

October 17th, 2017 at 10:30 am

A Grim Start to the Week

without comments

This week started on a low note as far as computer security is concerned. The first bit of news, which was also the least surprising, was that yet another vulnerability was discovered in Adobe’s Flash Player and was being actively exploited:

TORONTO (Reuters) – Adobe Systems Inc (ADBE.O) warned on Monday that hackers are exploiting vulnerabilities in its Flash multimedia software platform in web browsers, and the company urged users to quickly patch their systems to prevent such attacks.

[…]

Adobe said it had released a Flash security update to fix the problem, which affected Google’s Chrome and Microsoft’s Edge and Internet Explorer browsers as well as desktop versions.

If you’re in a position where you can’t possibly live without Flash, install the update. If you, like most people, can live without Flash, uninstall it if you haven’t already.

The next bit of bad security news was made possible by Infineon:

A crippling flaw in a widely used code library has fatally undermined the security of millions of encryption keys used in some of the highest-stakes settings, including national identity cards, software- and application-signing, and trusted platform modules protecting government and corporate computers.

The weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. The five-year-old flaw is also troubling because it’s located in code that complies with two internationally recognized security certification standards that are binding on many governments, contractors, and companies around the world. The code library was developed by German chipmaker Infineon and has been generating weak keys since 2012 at the latest.

This flaw impacts a lot of security devices including Estonia’s electronic identification cards, numerous Trusted Platform Modules (TPM), and YubiKeys shipped before June 6, 2017. In the case of YubiKeys, the flaw only impacts Rivest–Shamir–Adleman (RSA) keys generated on the devices themselves. Keys generated elsewhere and uploaded to the device should be fine (assuming they weren’t generated with a device that uses the flawed Infineon library). Moreover, other YubiKey functionality, such as Universal 2nd Factor (U2F) authentication, remains unaffected. If your computer has a TPM, check to see if there is a firmware update available for it, and keep in mind that a firmware update only fixes future key generation: any RSA keys the TPM generated before the update are still weak and need to be regenerated. If you have an impacted YubiKey, Yubico has a replacement program.
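The fingerprint that lets you check your own keys for this flaw, as an added example (my code, not the researchers’ tool and not anything from the original post): the flawed generator only produced primes of the form k*M + (65537^a mod M), where M is the product of the first few primes, so every affected modulus N satisfies N mod p ∈ {65537^j mod p} for each of those primes p. The script builds those residue sets, checks a modulus against them, and generates a toy 512-bit key both the ordinary way and the flawed way to show the check separating them. The prime shape and the 39-prime primorial follow the published description of the flaw; the 512-bit key size, the fixed seed and the Miller-Rabin round count are my choices for the demo.

```python
"""Fingerprint RSA moduli produced by the flawed Infineon key generator (ROCA).
Added example; standard library only."""
import math
import random

GENERATOR = 65537


def first_primes(count):
    primes, n = [], 2
    while len(primes) < count:
        if all(n % p for p in primes):
            primes.append(n)
        n += 1
    return primes


# 39 primes is the primorial size the flawed library used for 512-bit keys.
# Larger keys use a longer primorial that the first 39 primes still divide,
# so affected keys of every size pass this fingerprint.
SMALL_PRIMES = first_primes(39)
M = math.prod(SMALL_PRIMES)  # roughly 219 bits


def residue_subgroup(p):
    """Every value 65537**j mod p. A ROCA prime is k*M + (65537**a mod M), so the
    modulus N = p*q is 65537**(a+b) mod M and N mod p always lands in this set."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * GENERATOR % p
    return seen


FINGERPRINT = {p: residue_subgroup(p) for p in SMALL_PRIMES}


def has_roca_fingerprint(n):
    """True for every ROCA modulus. A random modulus fails with overwhelming
    probability because for many of the primes 65537 generates only a small
    subgroup (for 11 the allowed residues are just {1, 10})."""
    return all(n % p in FINGERPRINT[p] for p in SMALL_PRIMES)


def is_probable_prime(n, rng, rounds=24):
    """Trial division by the small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Ordinary generation: random odd candidates of the requested size."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def roca_style_prime(bits, rng):
    """Prime of the form k*M + (65537**a mod M), mimicking the flawed library.
    Only k and a carry randomness, which is why these keys are so weak."""
    k_lo, k_hi = (1 << (bits - 1)) // M + 1, (1 << bits) // M
    while True:
        k, a = rng.randrange(k_lo, k_hi), rng.randrange(1, M)
        cand = k * M + pow(GENERATOR, a, M)
        if cand.bit_length() == bits and is_probable_prime(cand, rng):
            return cand


def make_modulus(bits, rng, roca):
    gen = roca_style_prime if roca else random_prime
    p = q = gen(bits // 2, rng)
    while q == p:
        q = gen(bits // 2, rng)
    return p * q


def demo(seed=2017):
    """Fingerprint one ROCA-style and one ordinary 512-bit modulus (seeded so the
    run is reproducible). Returns (weak_flagged, normal_flagged)."""
    rng = random.Random(seed)
    weak = make_modulus(512, rng, roca=True)
    normal = make_modulus(512, rng, roca=False)
    return has_roca_fingerprint(weak), has_roca_fingerprint(normal)


if __name__ == "__main__":
    print("ROCA-style flagged, ordinary flagged:", demo())
```

To check a real key, extract its modulus (for instance `openssl rsa -pubin -in key.pem -noout -modulus`) and pass `int(hex_string, 16)` to `has_roca_fingerprint`. This is the fingerprint only, not the factoring attack itself; a positive result means the key has the weak structure and should be replaced.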

The biggest security news though was the announcement of a new attack against Wi-Fi Protected Access (WPA and WPA2), the security protocols used to secure wireless networks. The new attack, labeled key reinstallation attacks (KRACKs, get it? I wonder how long it took the researchers to come up with that one.), exploits a flaw in the protocol itself rather than in any one implementation: by replaying a message of the four-way handshake, an attacker can trick a client into reinstalling a key it is already using, which resets the key’s nonce and replay counters and causes the encryption keystream to be reused:

The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC, or contact your vendor.

Fortunately, KRACKs can be mitigated by backwards compatible client and router software updates. Microsoft already released a patch for Windows 10 on October 10th. macOS and iOS have features that make them more difficult to exploit but a complete fix is apparently in the pipeline. Google has stated that it will release a patch for Android starting with its Pixel devices. Whether or not your specific Android device will receive a patch and when will depend on the manufacturer. I suspect some manufacturers will be quick to release a patch while some won’t release a patch at all. Pay attention to which manufacturers release a patch in a timely manner. If a manufacturer doesn’t release a patch for this or doesn’t release it in a timely manner, avoid buying their devices in the future.
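A model of the key reinstallation, as an added example that is not the researchers’ code and not a real 802.11 stack: a client object that installs the key when handshake message 3 arrives, an attacker that replays that message after the client has already sent a frame, and the plaintext recovery that the repeated nonce allows, with the patched behaviour alongside. The counter-mode keystream uses HMAC-SHA256 as a stand-in for the AES-CTR layer of CCMP (my simplification; all that matters is that the same key and nonce give the same keystream), the nonce is modelled as sender address plus packet number, and the traffic and key bytes are constructed for the example.

```python
"""Key reinstallation against a WPA2/CCMP-style client, reduced to the parts
KRACK touches. Added example, not the researchers' code or a real 802.11 stack."""
import hashlib
import hmac

# Constructed sample traffic: one frame the attacker can guess (an HTTP request
# header) and one it wants (a cookie sent right after).
KNOWN_FRAME = b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n"
SECRET_FRAME = b"Cookie: session=not-so-secret-value-here\r\n"


def keystream(tk, nonce, length):
    """Counter-mode keystream. Stand-in for the AES-CTR layer of CCMP: blocks of
    HMAC-SHA256(TK, nonce || counter). The property that matters is the same as
    for AES-CTR: identical (key, nonce) gives an identical keystream."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(tk, nonce + counter.to_bytes(2, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Supplicant state after the 4-way handshake. CCMP's nonce is built from the
    sender address and a packet number (PN) that must never repeat under one key."""

    def __init__(self, mac, patched):
        self.mac, self.patched = mac, patched
        self.tk, self.pn = None, 0

    def install_key(self, tk):
        """Runs when handshake message 3 arrives. The standard lets message 3 be
        retransmitted, and an unpatched client reinstalls the key and resets PN
        every time. The fix: refuse to reinstall a key that is already in use."""
        if self.patched and tk == self.tk:
            return
        self.tk, self.pn = tk, 0

    def encrypt(self, plaintext):
        self.pn += 1
        nonce = self.mac + self.pn.to_bytes(6, "big")
        return nonce, xor(plaintext, keystream(self.tk, nonce, len(plaintext)))


def krack(patched):
    """Attacker in the middle: forwards message 3, blocks the client's message 4 so
    the AP retransmits message 3, and replays it after the client has already sent
    a data frame. Returns the recovered secret frame, or None if nonces differ."""
    tk = hashlib.sha256(b"PTK derived from PMK, ANonce, SNonce (constructed)").digest()[:16]
    client = Client(mac=bytes.fromhex("020000000001"), patched=patched)
    client.install_key(tk)                      # message 3 delivered
    nonce1, ct1 = client.encrypt(KNOWN_FRAME)   # client starts talking
    client.install_key(tk)                      # attacker replays message 3
    nonce2, ct2 = client.encrypt(SECRET_FRAME)  # PN was reset: nonce repeats
    if nonce1 != nonce2:
        return None
    # Same key and nonce => same keystream, so ct1 ^ ct2 == KNOWN ^ SECRET and the
    # attacker cancels the known plaintext without ever learning the key.
    n = min(len(ct1), len(ct2))
    return xor(xor(ct1[:n], ct2[:n]), KNOWN_FRAME[:n])


if __name__ == "__main__":
    print("unpatched client leaks:", krack(patched=False))
    print("patched client leaks:  ", krack(patched=True))
```

Running it prints the recovered cookie line for the unpatched client and None for the patched one. The fix sits entirely on the side receiving message 3, which is why the quoted announcement can promise backwards-compatible updates: a patched client keeps working with an unpatched access point. Real CCMP also feeds the nonce into its CBC-MAC, and GCMP is worse off still, since nonce reuse there also leaks the authentication key.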

Written by Christopher Burg

October 17th, 2017 at 10:00 am

Monday Metal: Ritual And Redemption by Tengger Calvary

without comments

Written by Christopher Burg

October 16th, 2017 at 10:00 am

Posted in Media

Updating the Propaganda

with 2 comments

The current administration, just like the previous administration, doesn’t like the fact that the plebs have the ability to keep secrets from it. When the previous administration pushed to prohibit effective cryptography, it was met with a great deal of resistance. Hoping to avoid the same failure, the current administration is updating its propaganda. It’s not seeking to prohibit effective cryptography, it’s seeking to promote responsible cryptography:

A high-ranking Department of Justice official took aim at encryption of consumer products today, saying that encryption creates “law-free zones” and should be scaled back by Apple and other tech companies. Instead of encryption that can’t be broken, tech companies should implement “responsible encryption” that allows law enforcement to access data, he said.

“Warrant-proof encryption defeats the constitutional balance by elevating privacy above public safety,” Deputy Attorney General Rod Rosenstein said in a speech at the US Naval Academy today (transcript). “Encrypted communications that cannot be intercepted and locked devices that cannot be opened are law-free zones that permit criminals and terrorists to operate without detection by police and without accountability by judges and juries.”

Encrypted communications that cannot be intercepted and locked devices that cannot be opened are law-free zones? He just made effective cryptography sound even more awesome!

Once again this administration is telling the plebs that they have no right to privacy, which tends to go over about as well as a lead balloon with the plebs. Moreover, this recommendation is one way. Notice how under these proposals the plebs aren’t allowed to have any privacy from the government but the government gets to maintain its privacy from the plebs by having legal access to effective cryptography? If the United States government is supposed to be accountable to the people, then by the government’s logic the people should have a means of breaking the government’s encryption as well.

There are two facts about the United States of America. Anybody can sue anybody else for any reason and high ranking officials can make any demands they want. Just as many lawsuits get tossed out due to lack of merit, many demands from high ranking officials are technically impossible. “Responsible encryption,” to use the euphemism, is not technically possible. Encryption is either effective or ineffective. An intentional weakness added to an encryption system, whether in the algorithm itself or in how the keys are handled, cannot check the badge of whoever uses it: it will be exploited by unintended actors, not just the intended ones.

Written by Christopher Burg

October 13th, 2017 at 11:00 am

Political Favors for Favored Businesses

without comments

In celebration of the country’s favorite annual religious festival being held in Minneapolis this year, the Minneapolis City Council has announced that it will magnanimously allow bars to stay open until 4AM between February 2nd and 4th. But not every bar. Only those close enough to the Temple of Football:

Last week, Minneapolis City Council approved a resolution that will let bars near U.S. Bank Stadium stay open until 4 a.m. for the weekend of the Super Bowl, February 2–4.

The good news is, the chaos will probably be confined to downtown. As GoMN notes, only bars within the “designated area” can apply for the honor of serving the beer-pounding, pigskin-loving, out-of-town masses until the wee hours of the morning — meaning no, you won’t be able to meet up for super late drinks at the CC Club. Bars will also need to pony up a $250 fee for the special permit. (Gee, wonder if that will pay for itself.)

Excellent news for the bars that are fortunate enough to be situated next to The People’s Stadium but not so good news for every other bar.

Why shouldn’t bars elsewhere in the city also be allowed to stay open until 4AM during the Super Bowl? Better yet, why should any restrictions be placed on how late a bar can stay open? Why can’t bar owners decide for themselves how late they’ll keep their establishments open? And why are these special privileges only bestowed when the city will be packed with people from out of town (because, let’s face it, the Vikings aren’t going to be playing in the Super Bowl)? Are the people living in Minneapolis not good enough to deserve these special privileges?

Written by Christopher Burg

October 13th, 2017 at 10:30 am

Catalonia Declared Independence

without comments

Yesterday the region of Catalonia declared its independence from Spain:

BARCELONA (Reuters) – Catalan leader Carles Puigdemont and other regional politicians signed a document declaring Catalonia’s independence from Spain, but it was unclear if the document would have any legal value.

“Catalonia restores today its full sovereignty,” says the document, called “declaration of the representatives of Catalonia.”

“We call on all states and international organizations to recognize the Catalan republic as an independent and sovereign state. We call on the Catalan government to take all necessary measures to make possible and fully effective this declaration of independence and the measures contained in the transition law that founds the republic.”

I’m amused by the article noting that it’s unclear if the document has any legal value. Legal value to whom? If the question is in regards to Spain, then the document has no legal value because as far as Spain is concerned it is illegal for any territory within its realm to leave. If the question is in regards to Catalonia, then the document has legal value because the Catalans believe that they have a right to secede from Spain.

The actual question of importance is, what will Spain’s response be? Spain must decide to either recognize Catalonia’s independence (officially or unofficially) or forcefully prevent Catalonia from operating independently. If Spain chooses the former, Catalonia becomes independent regardless of legality. If Spain chooses the latter, there very well could be a civil war.

Written by Christopher Burg

October 13th, 2017 at 10:00 am

The Sorry State of Electronic Voting Machine Security

with 4 comments

A lot of people from different backgrounds have expressed concerns about the integrity of electronic voting machines. It turns out that those concerns were entirely valid:

It’s no secret that it’s possible to hack voting systems. But how easy is it, really? Entirely too easy, if you ask researchers at this year’s DefCon. They’ve posted a report detailing how voting machines from numerous vendors held up at the security conference, and… it’s not good. Every device in DefCon’s “Voting Machine Hacking Village” was compromised in some way, whether it was by exploiting network vulnerabilities or simple physical access.

Multiple systems ran on ancient software (the Sequoia AVC Edge uses an operating system from 1989) with few if any checks to make sure they were running legitimate code. Meanwhile, unprotected USB ports and other physical vulnerabilities were a common sight — a conference hacker reckoned that it would take just 15 seconds of hands-on time to wreak havoc with a keyboard and a USB stick. And whether or not researchers had direct access, they didn’t need any familiarity with the voting systems to discover hacks within hours, if not “tens of minutes.”

Just put those voting machines in the cloud! Everything is magically fixed when it’s put in the cloud!

Anonymous ballots are notoriously difficult to secure but it’s obvious that the current crop of electronic voting machines were developed by companies that have no interest whatsoever in even attempting to address that problem. Many of the issues mentioned in the report are what I would call amateur hour mistakes. There is no reason why these machines should have any unprotected ports on them. Moreover, there is no reason why the software running on these machines isn’t up to date. And the machines should certainly be able to verify the code they’re running. If the electronic voting machine developers don’t understand how code signing works, they should contact Apple since the signature of every piece of code that runs on iOS is verified.

And therein lies the insult to injury. The types of security exploits used to compromise the sample voting machines weren’t new or novel. They were exploits that have been known about and addressed for years. A cynical person might believe that the companies making these voting machines are just trying to make a quick buck off of a government contract and not interested in delivering a quality product. A cynical man might even feel the need to point out that this type of behavior is common because the government seldom holds itself or contractors accountable.

Written by Christopher Burg

October 12th, 2017 at 11:00 am

Posted in Technology

Why Government Licensing is a Bad Idea

without comments

Everybody seems to be a fan of government licensing until a politician they don’t like abuses it or threatens to abuse it. Donald Trump became upset with NBC because it reported that he said that he wanted a tenfold increase in nuclear weaponry. I wasn’t at the meeting so I can’t say one way or another whether he said that. However, in response to the report, Trump threatened to bring the weight of federal regulations down on NBC:

WASHINGTON — President Trump threatened on Wednesday to use the federal government’s power to license television airwaves to target NBC in response to a report by the network’s news division that he contemplated a dramatic increase in the nation’s nuclear arsenal.

In a story aired and posted online Wednesday morning, NBC reported that Mr. Trump said during a meeting in July that he wanted what amounted to a nearly tenfold increase in the nation’s nuclear weapons stockpile, stunning some members of his national security team. It was after this meeting that Secretary of State Rex W. Tillerson reportedly said Mr. Trump was a “moron.”

Mr. Trump objected to the report in a series of Twitter messages over the course of the day and threatened to use the authority of the federal government to retaliate.

Libel and slander are usually dealt with in court. Normally if somebody believes that they have grounds to retaliate over what somebody else said or wrote, the courts would be the place where they would take their case. But most of us aren’t high ranking members of the State. Those that are have access to other forms of retaliation that don’t involve potential roadblocks like juries. One such form of retaliation is licensing. If you’re involved in a business that is required to be licensed by a governmental body, pissing off any petty bureaucrat could result in your license being revoked without so much as a bench trial.

I’ve seen a lot of self-declared leftists decry Trump’s threat. A few of them have even recognized that this form of licensing can allow the government to violate the First Amendment. Unfortunately, I expect this recognition to disappear once one of their guys is in power again. At that point self-declared rightists will again recognize the dangers of government licensing and the cycle will continue. Until enough people can recognize the dangers of government licensing for longer than their opponent is in power we’ll never see this practice dismissed.

Written by Christopher Burg

October 12th, 2017 at 10:30 am

Everything is a Big Ol’ Conspiracy

without comments

Can anything occur this day and age without people claiming that it’s part of a conspiracy? Almost immediately after the shooting in Las Vegas, before any investigation had a chance to even begin, people were claiming that the event was part of some conspiracy. As with most conspiracy theories, this conspiracy theory is based on spurious evidence. So far the dumbest “evidence” that “doesn’t add up” is news that the shooter used the freight elevator at Mandalay Bay:

Law enforcement sources told CBS News that Las Vegas shooter Stephen Paddock is believed to have used the freight elevator at the Mandalay Bay hotel casino in the days leading up to last week’s deadly attack.

It wasn’t clear what Paddock used the freight elevator for or how often he used it.

How could the shooter have accessed a restricted freight elevator without help from the inside? Obviously this is proof that he had help!

Anybody who claims that doesn’t realize just how poor building security generally is. I’ve used freight elevators on numerous occasions, including in casinos, without authorization. They’re usually “hidden” behind a nondescript door or one with a sign that says “Employees Only.” In almost every case the door is unlocked and the elevator lacks any form of access control. If the owners of the building are really concerned about security, there might be cameras facing the freight elevator doors, although even that’s pretty rare and the cameras usually aren’t monitored by anybody.

Another way of gaining access to a freight elevator is to ask the person working at the front desk if you can use it to haul up a bunch of luggage. As it turns out, the person at the front desk who is tasked with making the customer happy will often let you use the freight elevator if it makes you happy. Humans are often wonderfully helpful creatures.

So I’m sorry to report that using a freight elevator isn’t evidence that “doesn’t add up.” It adds up quite cleanly. Although I suspect that access control on freight elevators will become more common now that this information has been released.

Written by Christopher Burg

October 12th, 2017 at 10:00 am