Just Drug ‘Em

The Minneapolis Police Department (MPD) can’t keep itself away from controversy. Fortunately, the latest controversy doesn’t involve another unarmed person being gunned down. Instead it involves people being drugged against their will, oftentimes without any crimes being committed:

Minneapolis police officers have repeatedly requested over the past three years that Hennepin County medical responders sedate people using the powerful tranquilizer ketamine, at times over the protests of those being drugged, and in some cases when no apparent crime was committed, a city report shows.

[…]

The number of documented ketamine injections during Minneapolis police calls increased from three in 2012 to 62 last year, the report found, including four uses on the same person. On May 18, around the time the draft report was completed, Minneapolis police Cmdr. Todd Sauvageau issued a departmental order saying that officers “shall never suggest or demand EMS Personnel ‘sedated’ a subject. This is a decision that needs to be clearly made by EMS Personnel, not MPD Officers.”

This story involves two groups of bad actors. The first group is the usual suspects, MPD officers. The second group are the Emergency Medical Services (EMS) personnel who administer the drugs simply because an MPD officer asked them.

Not surprisingly, both MPD and the EMS people involved have issued statements that absolve themselves of responsibility. MPD at least tried to smooth things over by announcing that it has put a new policy in place. While new department policies seldom change actual behavior, it’s a step better than the shut up slaves statement given by Hennepin EMS Medical Director Jeffrey Ho:

The draft report prompted sharply different reactions among local officials. A statement included in the report from Hennepin EMS Medical Director Jeffrey Ho and Minnesota Poison Control System Medical Director Jon Cole dismissed the findings of the report as a “reckless use of anecdotes and partial snapshots of interactions with police, and incomplete information and statistics to draw uninformed and incorrect conclusions.”

“This draft report will prevent the saving of lives by promoting the concept of allowing people to exhaust themselves to death,” Cole and Ho wrote.

Pro tip: if you’re going to claim that a report is based on anecdotal and partial information and are in a position to provide the information that supports your claim, you should release that information. Failing to do so makes it look like your statement is nothing more than an attempt to cover your ass.

The fact that MPD requested the sedation of a subject isn’t the real red flag of this story. There are circumstances where sedating somebody is the best option for everybody involved, including the suspect. However, the rapid increase in the number of sedations is a red flag. Going from three in 2012 to 62 in 2017 is a drastic increase in just five years. Statements from officials and policy changes aren’t going to answer the important question: why was there such a dramatic increase?

Avoid E-Mail for Security Communications

The Pretty Good Privacy (PGP) protocol was created to provide a means to securely communicate via e-mail. Unfortunately, it was a bandage applied to a protocol that has only increased significantly in complexity since PGP was released. The ad-hoc nature of PGP combined with the increasing complexity of e-mail itself has led to rather unfortunate implementation failures that have left PGP users vulnerable. A newly released attack enables attackers to spoof PGP signatures:

Digital signatures are used to prove the source of an encrypted message, data backup, or software update. Typically, the source must use a private encryption key to cause an application to show that a message or file is signed. But a series of vulnerabilities dubbed SigSpoof makes it possible in certain cases for attackers to fake signatures with nothing more than someone’s public key or key ID, both of which are often published online. The spoofed email shown at the top of this post can’t be detected as malicious without doing forensic analysis that’s beyond the ability of many users.

[…]

The spoofing works by hiding metadata in an encrypted email or other message in a way that causes applications to treat it as if it were the result of a signature-verification operation. Applications such as Enigmail and GPGTools then cause email clients such as Thunderbird or Apple Mail to falsely show that an email was cryptographically signed by someone chosen by the attacker. All that’s required to spoof a signature is to have a public key or key ID.

The good news is that many PGP plugins have been updated to patch this vulnerability. The bad news is that this is the second major vulnerability found in PGP in the span of about a month. It’s likely that other major vulnerabilities will be discovered in the near future since the protocol appears to be receiving a lot of attention.

PGP is suffering from the same fate as most attempts to bolt security onto insecure protocols. This is why I urge people to utilize secure communication technology that was designed from the start to be secure and has been audited. While there are no guarantees in life, protocols that were designed from the ground up with security in mind tend to fare better than protocols that had security bolted on after the fact. Of course designs can be garbage, which is where an audit comes in. The reason you want to rely on a secure communication tool only after it has been audited is that an audit by an independent third party can verify that the tool is well designed and provides effective security. An audit isn’t a magic bullet (unfortunately, those don’t exist), but it allows you to be reasonably sure that the tool you’re using isn’t complete garbage.
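An added example, not from the post or from any of the plugins named above: a sketch of why a client that scans mixed GnuPG output for a GOODSIG line can be fooled by text a message controls, beside a check that reads only a dedicated status channel and compares the full fingerprint. The stream contents, fingerprint and function names are constructed for illustration, and the shared-stream setup is an assumption, since the quoted description does not say how the affected plugins read GnuPG's output.

```python
STATUS_PREFIX = "[GNUPG:] "
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed placeholder

# Constructed sample streams (not captured gpg output). The message is encrypted
# but carries no signature, so the status channel reports decryption only.
STATUS_STREAM = "\n".join([
    "[GNUPG:] BEGIN_DECRYPTION",
    "[GNUPG:] DECRYPTION_OKAY",
    "[GNUPG:] END_DECRYPTION",
]) + "\n"
# The diagnostic channel echoes message-controlled text that contains line
# breaks followed by status-looking lines.
LOG_STREAM = "\n".join([
    "gpg: <diagnostic echoing message-controlled text>",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Alice <alice@example.org>",
    "[GNUPG:] VALIDSIG " + PINNED_FPR + " 2018-06-13 1528848000 0 4 0 1 8 00 " + PINNED_FPR,
]) + "\n"


def status_records(stream: str):
    """Yield (keyword, args) for every line that looks like a status line."""
    for line in stream.splitlines():
        if line.startswith(STATUS_PREFIX):
            keyword, _, rest = line[len(STATUS_PREFIX):].partition(" ")
            yield keyword, rest.split()


def naive_is_signed(merged_output: str) -> bool:
    """Flawed: trusts any GOODSIG line in a stream that also carries diagnostics."""
    return any(keyword == "GOODSIG" for keyword, _ in status_records(merged_output))


def strict_is_signed(status_only: str, pinned_fpr: str) -> bool:
    """Use only the dedicated status channel; require one clean, pinned signature."""
    records = list(status_records(status_only))
    keywords = [keyword for keyword, _ in records]
    if REJECT & set(keywords):
        return False
    valid = [args for keyword, args in records if keyword == "VALIDSIG"]
    if keywords.count("GOODSIG") != 1 or len(valid) != 1 or not valid[0]:
        return False
    # First field is the signing key's fingerprint, last is the primary key's.
    return pinned_fpr in (valid[0][0], valid[0][-1])
```

The separation has to happen where GnuPG is invoked, by giving the status output its own file descriptor instead of sharing one with diagnostics; the parser can only be as trustworthy as the channel it reads.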

When Your Smart Lock Isn’t Smart

My biggest gripe with so-called smart products is that they tend to not be very smart. For example, the idea of a padlock that can be unlocked with your phone isn’t a bad idea in and of itself. It would certainly be convenient since most people carry a smartphone these days. However, if it’s designed by people who paid no attention to security, the lock quickly becomes convenient for unauthorized parties as well:

Yes. The only thing we need to unlock the lock is to know the BLE MAC address. The BLE MAC address that is broadcast by the lock.

I was so astounded by how bad the security was that I ordered another and emailed Tapplock to check the lock and app were genuine.

I scripted the attack up to scan for Tapplocks and unlock them. You can just walk up to any Tapplock and unlock it in under 2s. It requires no skill or knowledge to do this.

I wish that this was one of those findings that is so rare that it’s newsworthy. Unfortunately, a total lack of interest in security seems to be a defining characteristic for developers of “smart” products. While this lack of awareness isn’t unexpected for a company developing, say, a smart thermostat (after all, I wouldn’t expect somebody who is knowledgeable about thermostats to necessarily be an expert in security as well), it’s an entirely different matter when the product being developed is itself a security product.

The problem with this attack is how trivial it is to perform. The author of the article notes that they’re porting the script they developed to unlock these “smart” locks to Android. Once the attack is available for smartphones, anybody can potentially unlock any of these locks with a literal tap of a button. This makes them even easier to bypass than those cheap Master Lock padlocks that are notorious for being insecure.
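An added example, not taken from the post or from Tapplock's firmware: a minimal model of the design flaw described above, where the unlock credential can be computed from the address the lock broadcasts, beside a design in which a random secret is provisioned at pairing and proven by challenge-response. The class names, the SHA-256 derivation and the sample address are hypothetical; the post does not say how the real lock derives its key.

```python
import hashlib
import hmac
import secrets

# Constructed sample: the address a lock would broadcast in its BLE advertisements.
ADVERTISED_MAC = "AA:BB:CC:DD:EE:FF"


def weak_unlock_token(mac: str) -> bytes:
    """Flawed design: the credential is a pure function of broadcast data."""
    return hashlib.sha256(mac.encode()).digest()


class WeakLock:
    def __init__(self, mac: str):
        self.mac = mac

    def try_unlock(self, token: bytes) -> bool:
        return hmac.compare_digest(token, weak_unlock_token(self.mac))


def respond(secret: bytes, nonce: bytes, mac: str) -> bytes:
    """Owner's side: prove knowledge of the paired secret for this one nonce."""
    return hmac.new(secret, nonce + mac.encode(), hashlib.sha256).digest()


class PairedLock:
    """Hardened design: a random secret is set at pairing and never broadcast."""

    def __init__(self, mac: str):
        self.mac = mac
        self._secret = None
        self._nonce = None

    def pair(self) -> bytes:
        # Assumption of this sketch: pairing runs once over a channel the owner controls.
        self._secret = secrets.token_bytes(32)
        return self._secret

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def try_unlock(self, response: bytes) -> bool:
        if self._secret is None or self._nonce is None:
            return False
        expected = respond(self._secret, self._nonce, self.mac)
        self._nonce = None  # each challenge is single-use, so replays fail
        return hmac.compare_digest(response, expected)
```

In the first design nothing the owner holds is secret, so no amount of app-side hardening helps; in the second, knowing the advertised address is not enough and a captured response cannot be replayed.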

Some Days Aren’t Your Days

Some days are destined to not be your days. That’s probably how Christopher Raymond Hill felt a few days ago:

JACKSONVILLE, Fla. (WSVN) — Police say a man who tried to carjack two people was thwarted after the victims both pulled out guns to protect themselves.

What kind of America do I want to live in? One where a carjacker tries to carjack two separate vehicles and gets a gun pulled on him by both would-be victims.

It’s also worth noting that Florida has castle doctrine. According to gun control advocates, castle doctrine leads to the streets overflowing with blood due to all of the people legally shooting each other. Even though Hill was posing an immediate threat to the lives of the people he was trying to carjack, neither one of them gunned him down. Despite what gun control advocates often claim, most people aren’t looking for an excuse to gun another human being down. In fact most people seem to prefer avoiding violence if possible. It is only when pushed into a corner that most people are likely to retaliate violently, and even then the general preference appears to be avoiding violence if possible.

The Best Timeline

This timeline that I find myself in just gets better and better. While one might think that a retired eccentric basketball star buddying up with a former reality television show host to make peace with the pudgy dictator of a small isolated nation is the story for an awful summer comedy movie, it actually happened. Likewise, if I told you that a pimp won the primary for a political party that is most known for being neopuritanical, you’d probably think that it was also the story of a terrible summer comedy movie. But once again it actually happened:

LAS VEGAS — Pimp Dennis Hof, owner of half a dozen legal brothels in Nevada and star of the HBO adult reality series “Cathouse,” won a Republican primary for the state Legislature on Tuesday, ousting a three-term lawmaker.

Hof defeated hospital executive James Oscarson. He’ll face Democrat Lesia Romanov in November, and will be the favored candidate in the Republican-leaning Assembly district.

We’re well on our way to a President Camacho.

Your Corporate Overlords

When people think gun control, they usually think of legislators passing laws to prohibit gun sales and ownership. But legislation is just one of many ways to control commerce. Intuit, the company that makes QuickBooks, has thrown a wrench into the operations of several gun stores:

A number of businesses were recently interrupted, without warning, after the company refused to process orders of gun-related sales, according to the New York Post.

Intuit is claiming that it hasn’t purposely cancelled any transactions, its service can be used to purchase firearms, and it is working diligently to get to the bottom of this. Who knows what the truth is? But I do want to take this opportunity to once again reiterate my belief that gun companies need to consider starting their own bank. Several banks have attempted to wield their influence by interfering with the firearm market. The only way to guard against such interference is to cut third-party banks out of the equation.

Corporations aren’t strangers to interfering with matters outside of their business. Large corporations can wield a tremendous amount of control. The silver lining is that, unlike government, corporations can be cut out of business markets.

Play Stupid Games, Win Stupid Prizes

Remember the Federal Bureau of Investigation (FBI) agent who became separated from his weapon while dancing and ended up shooting somebody when he attempted to retrieve his weapon in a panic? In a surprise twist, he has been arrested:

An off-duty FBI agent whose gun accidentally fired after it dropped out of its holster while he was doing a backflip at a Denver nightclub was taken into custody on Tuesday, jail records showed.

Chase Bishop, 29, turned himself in to the Denver County Sheriff’s Department Tuesday morning and was being held in a detention center in downtown Denver. He was charged Tuesday with one count of second-degree assault, the Denver County District Attorney’s Office said.

I feel the need to point out the verbiage used here. Notice how the report says that the FBI agent “accidentally” fired his firearm. While his actions were almost certainly accidental, it would have been better to use the word “negligently” since his negligence led to the gun being fired. But negligence is when nongovernmental individuals unintentionally shoot somebody. When government agents unintentionally shoot somebody, it’s accidental.

As far as the charges go, I’d put money on the agent not being convicted. Law enforcers tend to enjoy a great deal of leeway when it comes to shooting bystanders, whether intentionally or accidentally. But it is nice to see that charges were actually filed and an arrest was made.

That’s a Shame

The 34th Ferengi Rule of Acquisition states that war is good for business, while the 35th rule states that peace is good for business. However, peace isn’t good for some businesses:

While the broad U.S. stock market reaction to the historic agreement between President Trump and North Korean leader Kim Jong Un to establish a new relationship committed to “peace and prosperity” was muted, shares of defense contractors took a dive.

Shares of Raytheon, which makes Patriot and Tomahawk missiles, closed 2.8% lower. Lockheed Martin, which supplies the Pentagon with air and missile defense systems as well as the F-35 Stealth fighter jet, tumbled 1.3%. And Northrop Grumman, which has increased its focus on cyber warfare and missile defense systems more recently, declined 1.5%. Boeing, which makes Apache helicopters and aerial refueling aircraft, dipped 0.1%. General Dynamics, a Navy shipbuilder, fell 1.6%.

That’s a shame.

If you own stocks in these companies, fear not! This “dive” is almost certainly temporary. The United States enjoys involving itself in wars far too much for peace to remain in the public’s eye for long.

The End of Enforceable Prohibitions

I’m fond of pointing out to prohibitionists that the era of enforceable prohibitions is over:

In the very near future, governments will lose the ability to keep guns, drones, and other forbidden goods out of the hands of their subjects. They’ll also be rendered impotent to enforce trade and technology embargoes. Power is shifting from the state to individuals and small groups courtesy of additive manufacturing—aka 3D printing—technology.

Additive manufacturing is poised to revolutionize whole industries—destroying some jobs while creating new opportunities. That’s according to a recent report from the prestigious RAND Corporation, and there’s plenty of evidence to support the dynamic and “disruptive” view of the future that the report promises.

Throughout history power has ebbed and flowed. At times centralized authorities are able to wield their significant power to oppress the masses. At other times events weaken those centralized authorities and the average person once again finds themselves holding a great deal of power.

Technological advancements are quickly weakening the power of the centralized nation-states. Encryption technology is making their surveillance apparatus less effective. Cryptocurrencies are making it difficult for nation-states to monitor and block transactions. Manufacturing technology is allowing individuals to make increasingly complex objects from the comfort of their own homes. The Internet has made freely trading information so easy that censorship is quickly becoming impossible.

We live in exciting times.

Bizarro Earth

At some point in the past I must have fallen through an interdimensional portal because the universe I’m currently occupying is rather bizarre.

The good news is that Donald Trump can finally claim an accomplishment during his time in office. He actually met Kim Jong-un and had an apparently friendly talk with the North Korean leader that concluded with an agreement:

US President Donald Trump says his historic talks with North Korean leader Kim Jong-un that ended in a joint agreement were “tremendous”.

The signed document includes a pledge from Mr Kim to rid the Korean peninsula of nuclear weapons.

But in an extraordinary media conference later, Mr Trump announced details not in the paper.

He said he would halt US military exercises in South Korea, something widely seen as a concession.

Of course the hawks have to shit all over this by claiming that agreeing not to hold military exercises in South Korea is capitulating. But agreements are about giving and taking and if agreement not to play war games in South Korea leads to a potential reduction in nuclear weapons, that’s not a bad trade off.

Now for the more bizarre, Dennis Rodman:

NBA Hall of Famer Dennis Rodman gave an emotional, bizarre TV interview on Tuesday reacting to the highly anticipated summit between President Trump and North Korean leader Kim Jong Un.

Wearing a red “Make America Great Again” hat and sunglasses, Rodman, who has personally visited North Korea multiple times, spoke for roughly 20 minutes about his relationship with Kim and his expectations for the historic meeting between the two leaders as it got underway in Singapore. He began to cry about halfway through the interview, periodically dabbing his nose with a tissue.

Who would have thought that the most public American to meet with Kim Jong-un until the recent South Korean and United States summits would be a basketball star known for his eccentricities? In all likelihood, his meetings with Kim Jong-un played a not insignificant part in building the foundation for both summits.

While this universe is bizarre, it is damn interesting.