EFAIL

A vulnerability was announced yesterday that affects both OpenPGP and S/MIME encrypted e-mails. While this was initially being passed off as an apocalyptic discovery, I don’t think that its scope is quite as bad as many are claiming. First, like all good modern vulnerabilities, it has a name, EFAIL, and a dedicated website:

The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.

The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim’s email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.

The weakness isn’t in the OpenPGP or S/MIME encryption algorithms themselves but in how mail clients interact with encrypted e-mails. If your e-mail client is configured to automatically decrypt encrypted e-mails and allows HTML content to be displayed, the encrypted portion of your e-mail could be exfiltrated by a malicious attacker.

I generally recommend against using e-mail for secure communications in any capacity. OpenPGP and S/MIME are bandages applied to an insecure protocol. Due to their nature as a bolted-on feature added after the fact, they are unable to encrypt a lot of data in your e-mail (the only thing they can encrypt is the body). However, if you are going to use it, I generally recommend against allowing your client to automatically decrypt your encrypted e-mails. Instead at least require that you enter a password to decrypt your private key (this wouldn’t defend against this attack if your client is configured to display HTML e-mail content but it would prevent malicious e-mails from automatically exfiltrating encrypted content). Better yet, have your system set up in such a manner where you actually copy the encrypted contents of an e-mail into a separate decryption program, such as the OpenPGP command line tools, to view the secure contents. Finally, I would recommend disabling the ability to display HTML e-mails in your client if you are at all concerned about security.

If you perform the above practices, you can mitigate this attack… on your system. The real problem is, as always, other people’s systems. While you may perform the above practices, you can’t guarantee that everybody with whom you communicate will as well. If an attacker can exploit one party, they will generally get the e-mails sent by all parties. This is why I’d recommend using a communication tool that was designed to be secure from the beginning, such as Signal, over e-mail with OpenPGP or S/MIME. While tools like Signal aren’t bulletproof, they are designed to be secure by default, which makes them less susceptible to vulnerabilities created by an improper configuration.
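A way to see what disabling HTML display protects against, as an added example (not code from the original post or from the EFAIL researchers): it takes a raw message, returns only the text/plain body, and lists every URL the HTML parts would fetch the moment they are rendered. The tag list, the function and class names, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Tag -> attributes fetched on render without a click (assumed list, not exhaustive).
AUTO_LOAD = {"img": ("src", "srcset"), "link": ("href",), "script": ("src",), "iframe": ("src",),
             "object": ("data",), "video": ("src", "poster"), "body": ("background",)}
REMOTE = re.compile(r"\s*(?:https?:)?//", re.I)
# CSS url(...) pointing off-host, whether in a <style> block or a style attribute.
CSS_URL = re.compile(r"url\(\s*['\"]?\s*((?:https?:)?//[^'\")\s]+)", re.I)

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in AUTO_LOAD.get(tag, ()) and REMOTE.match(value):
                self.refs.append((tag, name, value.strip()))

def audit_message(raw):
    """Return (plain_text, remote_refs) for a raw RFC 5322 message string."""
    text, refs = None, []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        body = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", "replace")
        if ctype == "text/plain" and text is None:
            text = body.strip()          # the only part a text-only client displays
        elif ctype == "text/html":
            finder = RemoteRefFinder()
            finder.feed(body)
            finder.close()
            refs += finder.refs
            refs += [("css", "url()", u) for u in CSS_URL.findall(body)]
    return text, refs

# Constructed sample message, not from the original post.
SAMPLE = ('Content-Type: multipart/alternative; boundary="b1"\n\n'
          '--b1\nContent-Type: text/plain\n\nQuarterly numbers attached.\n'
          '--b1\nContent-Type: text/html\n\n'
          '<link rel="stylesheet" href="https://cdn.example.net/mail.css">'
          '<style>p { background: url(//img.example.net/bg.png) }</style>'
          '<p>Numbers attached.</p><img src="http://img.example.net/logo.png">'
          '<img src="cid:logo"><a href="https://example.org/r">report</a>\n--b1--\n')

if __name__ == "__main__":
    print(*audit_message(SAMPLE), sep="\n")
```

The `cid:` image and the ordinary link are not reported because neither causes a network request on render; the stylesheet, the remote image and the CSS background are.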

He Just Wanted to Go Home to His Fam… Oh

Another day, another bad apple:

MIAMI — A father is under arrest after allegedly beating his daughter at school.

The attack was caught on camera — and shows school employees going about their business and doing nothing to stop him.

The father, Raymond Emilio Rosario, is also a Miami-Dade police officer with a position at an airport.

This story is jam packed with terrible people. First you have the father, a law enforcer, who beat his daughter. Then you have the school employees who just sat there and acted like nothing was happening while the father was beating his daughter in their presence. Finally you have his employer who will continue to pay him while he awaits his fate:

The Miami-Dade Police Department suspended him with pay.

A law enforcer beating his daughter isn’t a surprising story. Law enforcers have a notably high rate of domestic violence. However, it is a bit surprising to me that none of the school employees even reacted to the event. If you watch the video, they’re just sitting there and acting like nothing out of the ordinary is happening. I would’ve expected at least one employee to have enough courage to say to themselves that that wasn’t right and at least called 911 if they weren’t willing to intervene directly.

Make the Slaves Carry Their Tracking Devices

Mobile phones are useful for both us and government. For us they provide almost instant communications with any of our contacts across the globe as well as access to the collective knowledge base of humanity. For government they provide real-time location information and a potential goldmine of evidence, which is why one British judge thinks that there are benefits to forcing individuals to carry their cell phones at all times:

A senior British judge has highlighted the benefits of legislation that obliges people to carry their mobile phone at all times.

Sir Geoffrey Vos QC, Chancellor of the High Court and former head of the Bar Council, raised the prospect of compulsory mobe-carrying in a speech to the Law Society (PDF).

His speech hypothesized a future where everybody is required to carry their cell phone and how that would lead to easier criminal prosecutions. It’s also not an implausible future, especially in Britain. The island is already a surveillance state. Legally requiring individuals to carry a tracking device at all times probably wouldn’t even be noticed in the pile of other tracking technologies already being employed by Big Brother. Moreover, once everybody is legally required to carry their cell phone, another law could easily be passed that mandates that all cell phones have a “law enforcement mode” that allows law enforcers to secretly activate a phone’s microphone and camera to collect evidence. That would, after all, make life easier for law enforcers, which seems to be what this judge is interested in.

We live in a time where Nineteen Eighty-Four is not only technologically feasible but is easily implementable thanks to the fact that most people already voluntarily carry around a device that can collect evidence against them.

Everybody Gets a Vote

Should people who are ignorant about a topic be given the ability to vote on it? If not, the United States should cease holding all elections because nobody has any idea what is going on:

Washington may be more secretive nowadays than at any time in recent decades. Federal policymakers have become accustomed to rationing what they release while citizens are assured that official secrecy makes them more secure. But American democracy cannot survive perpetual bipartisan coverups from the political ruling class.

Since 9/11, U.S. foreign policy has practically been governed by a Non-Disclosure Agreement. Did you know that U.S. troops are currently engaged in combat in 14 foreign nations fighting purported terrorists? That jolting fact is practically a state secret, though it did slip out in a recent New York Times editorial. After four U.S. soldiers were killed in Niger last October, Sen. Lindsey Graham (R-S.C.) and Sen. Charles Schumer (D-N.Y.) admitted they did not know that a thousand U.S. troops were deployed to that African nation. Graham, a member of the Senate Armed Services Committee, admitted, “We don’t know exactly where we’re at in the world militarily and what we’re doing.” Congress has utterly defaulted on its role as a check-and-balance on the Pentagon, thereby enabling a surge in deadly covert interventions abroad.

An informed electorate doesn’t exist in the United States because the government that is supposedly guided by the voice of the people has developed a fetish for secrecy.

I’m going to return to the question with which I opened this post. Most people would instinctively say that everybody should get a vote even if they’re ignorant about the topic up for vote. This response is the result of living life in a country where democracy is touted as the greatest governmental system of all time. However, few people tolerate such a philosophy in their private dealings. Would you let somebody who is entirely ignorant about automobiles vote on what is wrong with your vehicle? Would you let somebody who is computer illiterate vote on how to fix your computer? Would you let somebody who knows nothing about medicine vote on what drugs you should take? If you answered yes to any of these questions, you’re a damned fool. If any of these resulted in your problem being fixed, it would be by sheer luck. The most likely outcome would be that a lot of money would be spent for nothing. The result of the last situation could even be your death.

As the article notes, even the people elected to the government often have no idea what is going on. Graham and Schumer may not have been aware that there were thousands of troops deployed in Africa but they certainly got to vote on military matters. This really should strike everybody as a problem. Why are people who are ignorant about matters voting on them? Why should a senator who doesn’t even know how to use e-mail have a say on topics such as national computer security laws? Why should a senator who doesn’t know what a barrel shroud is have a say in what firearm features should be prohibited?

When nobody has any clue about what is happening, it’s not realistic to expect people to make good decisions.

Going from Smart to Stupid

Last year the National Rifle Association (NRA) appointed Pete Brownell, the CEO of Brownells Inc., as its president. It was a smart decision. Brownell comes off as a reasonable human being and is a strong advocate for gun rights. This year the NRA decided to perform a complete 180 degree turn and elected a public relations nightmare:

Oliver L. North, who became a household name in the 1980s for his role in the Iran-contra scandal, will become the next president of the National Rifle Association, the gun rights organization said Monday.

The gun control crowd is already having a field day with this decision and I don’t blame them. It looks a bit hypocritical when an organization that talks insistently about “responsible gun ownership,” “law-abiding citizens,” and “enforcing the laws that already exist” has a bona fide weapon smuggler as its president.

Supporters of the NRA are trying to spin this by pointing out that the Iran-contra fiasco happened a long time ago but that is irrelevant. Time tables don’t matter in the realm of public perception. All that matters is whether gun control advocates are able to convince enough people that North’s previous actions are still relevant in the context of gun politics. If they can accomplish that, the NRA will face even more opposition.

The Justice System Doesn’t Like Its Privilege to Commit Theft Curtailed

After decades of civil forfeiture laws being on the books, some states are finally deciding that giving law enforcers the privilege to steal property without first convicting an individual of a crime makes government look bad. In the hopes of restoring a veneer of legitimacy, these states are either proposing or have passed laws that require law enforcers to actually convict an individual of a crime before they can keep their property. Needless to say, this isn’t going over well with either law enforcers or prosecutors:

Kunzweiler, the district attorney, said the extra level of protection was unnecessary and that raising the bar for forfeiture would effectively roll out a welcome mat to ruthless drug traffickers from Mexico.

“What we’re talking about is inviting some of the most violent people on the history of this planet,” he said on the Pat Campbell Show on KFAQ. “You see what goes on in Mexico, you see people’s bodies decapitated and hung from bridges. And if you want to bring that drug cartel ideology to Oklahoma, do exactly what Senator Loveless’ bill is suggesting,” he said.

“We have meth coming through here; it’s all coming from Mexico,” Kunzweiler continued, going on to say that Loveless was trying to remove “our incentive to take away their profit.”

If these really are some of the most violent people in the history of this planet, then prosecuting them for a crime should be the easiest case any attorney could take on. I don’t see why Kunzweiler is complaining. It sounds like these individuals are free money for him regardless since convicting them before keeping their property should be so simple that even a child could do it.

I have no sympathy for supporters of civil forfeiture laws. They’re advocating that the power to commit crime is necessary to fight crime, which is the entire basis of government come to think about it. But such advocacy necessarily states that crime in and of itself isn’t bad but instead what determines whether a crime is good or bad is who commits it. If a private individual commits a crime, it’s bad. If a government agent commits a crime, it’s good. The entire premise is nonsensical.

Solve the Housing Shortage by Making Houses More Expensive

California is suffering from a decades long housing shortage. This shouldn’t surprise anybody. The regulatory burden in California has been increasing along with the population, which has made new construction more expensive than it otherwise would be. But instead of working to relieve the shortage by allowing homes to be built for less, the California bureaucrats have decided to make building new homes even more expensive:

On Wednesday, the California Energy Commission approved a set of standards that will require most new homes built in the state after 2020 to include solar panels on their roofs.

The standards (PDF) apply only to single-family homes and certain low-rise condos, townhomes, and apartments. Exceptions are made for homes with roofs that would receive excessive shade during the daytime or homes with roofs too small to benefit from a few solar panels.

The last two exemptions are interesting because they have the potential to change how houses are predominantly built in California. I foresee a trend in small roofs and heavy shading.

This legislation is also, rather obviously, aimed at coercing a preference for high-density residential. While that may make sense in an extremely dense urban area like Los Angeles, it doesn’t make sense to implement such a requirement statewide since much of California is actually rural and therefore space isn’t at a premium. However, bureaucrats are seldom aware that the existence they experience in their capital city isn’t the experience of everybody in their state, which is why centralized planning always turns into such a fiasco.

It’s Not the Badge You Wear, It’s the Badge in Your Heart

The brutal attitude held by many law enforcers isn’t instilled by the badge that they wear but by the badge that exists in their hearts:

An analysis by The Intercept, using data from the Fatal Encounters project, found that plainclothes cops play a role in such killings disproportionate to their relatively small numbers among the NYPD’s ranks. Plainclothes police have been involved in nearly a third of all fatal shooting incidents recorded since 2000, according to The Intercept study.

There have been at least 174 fatal shootings by on-duty New York City police officers since 2000, according to an analysis of data from Fatal Encounters, a website that tracks deaths involving police. Plainclothes or undercover police were involved in 54 of those deaths, while uniformed police were involved in 41 fatalities. Eleven cases involved both uniformed and plainclothes cops. (Three of the shootings were self-inflicted.)

There is a lot of speculation one could make about this but at this point I just find it to be an interesting statistic. The New York Police Department has a reputation for brutality and it appears that that reputation doesn’t cease when an officer exchanges his uniform for street clothes.

I Am Altering the Deal

When Obama was in office, he entered the United States into a nuclear nonproliferation deal with Iran. Yesterday Trump pulled the United States out of that deal:

With a stroke of his pen US President Donald Trump has jeopardised the one agreement – good or bad – that seeks to constrain Iran’s nuclear ambitions.

He launched a scathing assault on the deal and its deficiencies.

But he offered no alternative policy to put in its place. He has put US diplomacy on a collision course with some of Washington’s closest allies.

Trump’s detractors are claiming that this will ensure that Iran acquires nuclear weapons while his supporters are claiming that the deal was a terrible deal. I’m not going to argue the pros or cons of the previous deal. However, I do want to take a moment to discuss a facet of this issue that isn’t getting much attention.

It is notoriously difficult for foreign governments to deal with the United States. Every time the party in power switches hands between the Democrats and Republicans the rules seem to change. When the Democrats were in power, Iran was able to make a nonproliferation deal with the United States. Now that the Republicans are in power, it cannot. In the span of less than a decade the rules between Iran and the United States changed… again.

Imagine if business deals were as volatile as deals between foreign governments and the United States. Would anybody continue doing business with, say, Microsoft if every time a company made a deal to license the company’s operating system for five years it decided to cancel the deal after two years? No, because nobody can realistically do business in an entirely unpredictable environment. Contracts exist to ensure that there are consequences for violating a deal. Unfortunately, most foreign governments can’t punish the United States for breaking a deal because they lack the military might to do so.

It’s easy to blame Obama for making a bad deal or Trump for pulling the United States out of an existing deal. What seems to be more difficult for people to grasp is that the United States has developed a reputation for being unreliable and that reputation is going to hinder its ability to make any kind of deal with a foreign government.