When You’re Trying to Be Very Smart™ but End Up Looking Stupid

The announcement of the iPhone X was one of the biggest product announcements of the year. Not only is it the latest iPhone, which always captures headlines, but it includes a new facial recognition feature dubbed Face ID. With the popularity of the iPhone it’s inevitable that politicians will try to latch onto it to capture some headlines of their own. Al Franken, one of Minnesota’s congress critters, decided to try to latch onto the iPhone X by expressing concern about the privacy implications of the Face ID feature. This may appear to have been a smart political maneuver but the senator only managed to make himself appear illiterate since Apple had already published all of the technical information about Face ID:

Apple has responded to Senator Al Franken’s concerns over the privacy implications of its Face ID feature, which is set to debut on the iPhone X next month. In his letter to Tim Cook, Franken asked about customer security, third-party access to data (including requests by law enforcement), and whether the tech could recognize a diverse set of faces.

In its response, Apple indicates that it’s already detailed the tech in a white paper and Knowledge Base article — which provides answers to “all of the questions you raise”. But, it also offers a recap of the feature regardless (a TL;DR, if you will). Apple reiterates that the chance of a random person unlocking your phone is one in a million (in comparison to one in 500,000 for Touch ID). And, it claims that after five unsuccessful scans, a passcode is required to access your iPhone.

Franken should feel fortunate that Apple even bothered entertaining his concerns. Were I Tim Cook I would have directed a member of my staff to send Franken links to the technical publications with a request to have a member of his staff read them to him and not bothered giving him a TL;DR. After all, Apple’s time is worth far more money than Franken’s since it’s actually producing products and services that people want instead of being a parasite feeding off of stolen money.

Still I admit that it was pretty funny seeing Franken make an ass of himself yet again.

It’s a Feature, Not a Bug

A judge recently discovered that there is no backup for the evidence database used by the New York Police Department (NYPD):

As part of an ongoing legal battle to get the New York City Police Department to track money police have grabbed in cash forfeitures, an attorney for the city told a Manhattan judge on October 17 that part of the reason the NYPD can’t comply with such requests is that the department’s evidence database has no backup. If the database servers that power NYPD’s Property and Evidence Tracking System (PETS)—designed and installed by Capgemini under a $25.5 million contract between 2009 and 2012—were to fail, all data on stored evidence would simply cease to exist.

[…]

Last year, NYPD’s Assistant Deputy Commissioner Robert Messner told the City Council’s public safety committee that “attempts to perform the types of searches envisioned in the bill will lead to system crashes and significant delays during the intake and release process.” The claim was key to the department’s refusal to provide the data accounting for the approximately $6 million seized in cash and property every year. As of 2013, according to the nonprofit group Bronx Defenders, the NYPD was carrying a balance sheet of more than $68 million in cash seized.

Convenient. In fact this is convenient enough for me to suspect that the lack of a backup is a feature, not a bug. Government agencies always seem to find a way to design a system in such a way that it is difficult for it to comply with data requests that could reveal embarrassing information about it. I’m sure NYPD would rather not have everybody knowing just how much cash it has stolen from people over the years. If there is especially corrupt activity going on in NYPD, which wouldn’t surprise me, being able to trash the entire evidence database would also be handy if a thorough investigation into the agency was started.

Another Evolution of the 3D Printed Handgun

While politicians in Washington DC have been discussing gun control, denizens on the Internet have been busy evolving the 3D printed handgun. The WASHBEAR is a newly released 3D printed .22LR revolver:

It looks very similar to numerous Nerf guns. Like the Pepperbox handgun created by Hexen, the WASHBEAR has steel sleeves inserted into the chambers to reduce stress on the plastic. While this means that the entire gun isn’t 3D printable, steel inserts can be had at any hardware store.

Politicians and advocates of gun control can continue wasting their time but the truth is gun control is a fantasy. Granted, it has always been a fantasy but now we’re at the point where a person with even modest means can acquire everything necessary to build firearms. Gun control is dead. Technology killed it.

Safari 11, Multiline HTTP Headers, and NSPOSIXErrorDomain:100.

I was happy when Mozilla announced that it was going to take a serious stab at the browser market again and released Firefox Quantum, a beta version of Firefox that runs significantly faster than the current stable version. So far I’ve been mostly impressed by it. However, Firefox Quantum has one significant flaw: it hogs the CPU. Even when idling I’ve noticed Firefox Quantum processes taking anywhere from five to 20 percent of one of my CPU cores. I decided to compare this CPU usage against Chrome and Safari, which led me down quite the rabbit hole.

It all started when I tried to load my blog in Safari. Previous versions of Safari haven’t had any difficulty loading my site but when I tried to load it in Safari 11 I received the following error:

NSPOSIXErrorDomain:100 is about as useless as an error message can get, and Google didn’t provide much insight either. After a series of searches I did come across this article, which discusses some problems previous versions of Safari have had with Content Security Policies (CSPs). Since I had implemented a CSP for this site, I figured it was a good place to start. Lo and behold, when I disabled my CSP the site loaded in Safari again.

This confused me since, as I mentioned earlier, my site, with its current CSP, loaded in previous versions of Safari. I thought that maybe one of the directives in my CSP had been deprecated or was misconfigured, which led me to test with a very simple one-line CSP. With the simplified CSP my site loaded again. When I added a second line to the CSP the site stopped loading again. That led me to suspect the line feed characters. I had split my CSP across multiple lines to make it easier to read and edit, so it looked like this:

# nginx: the quoted value spans lines, so the newlines and indentation are sent verbatim in the header
add_header Content-Security-Policy "default-src 'self';
  script-src 'self' 'unsafe-inline' 'unsafe-eval' https://s0.wp.com https://s1.wp.com https://s2.wp.com https://stats.wp.com;
  img-src 'self' https://secure.gravatar.com https://s0.wp.com https://s1.wp.com https://s2.wp.com https://chart.googleapis.com;
  style-src 'self' 'unsafe-inline' https://fonts.googleapi.com;
  font-src 'self' data: https://fonts.gstatic.com;
  object-src 'none';
  media-src 'self';
  child-src 'self' https://www.youtube-nocookie.com https://akismet.com;
  form-action 'self';";

I know it looks a little wonky since it includes discouraged values like ‘unsafe-inline’ and ‘unsafe-eval’ for script-src (with those two present the policy does little to stop an injected script from running, though it still blocks plugins via object-src ‘none’ and loads from hosts that aren’t on the list) but those, as well as a few other odd values such as the ‘data:’ font-src value, are needed by WordPress, which was developed before CSPs were a thing. But I digress. I decided to collapse the entire header value onto a single line so it looked like this:

add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://s0.wp.com https://s1.wp.com https://s2.wp.com https://stats.wp.com; img-src 'self' https://secure.gravatar.com https://s0.wp.com https://s1.wp.com https://s2.wp.com https://chart.googleapis.com; style-src 'self' 'unsafe-inline' https://fonts.googleapi.com; font-src 'self' data: https://fonts.gstatic.com; object-src 'none'; media-src 'self'; child-src 'self' https://www.youtube-nocookie.com https://akismet.com; form-action 'self';";

After I did that my site loaded in Safari again. Then I reverted my configuration to the original multiline version but changed the standard UNIX newline \n to the Windows \r\n, which is also what HTTP itself uses as a line terminator. After I did that my site failed to load again. Safari simply didn’t like newline characters appearing inside a header value.

It seemed that Safari 11 was unhappy with something that every other browser, including its predecessors, is still perfectly happy with. I suspected this was a bug in Safari but decided to do some digging before submitting a bug report. This was a good choice because I was mistaken. Searching for information about multiline headers led me to this entry on Stack Overflow, which led me to RFC 7230. Among other things, RFC 7230 deprecates folding a header field value across several lines (what it calls obs-fold):

Historically, HTTP header field values could be extended over multiple lines by preceding each extra line with at least one space or horizontal tab (obs-fold). This specification deprecates such line folding except within the message/http media type (Section 8.3.1). A sender MUST NOT generate a message that includes line folding (i.e., that has any field-value that contains a match to the obs-fold rule) unless the message is intended for packaging within the message/http media type.

It turns out that Safari 11 is adhering strictly to RFC 7230, and as of this writing it’s the only browser doing so. It also turns out that I had unknowingly been emitting a header that violated the HTTP standard all along: the indented continuation lines that nginx wrote out verbatim are exactly the obs-fold that the RFC tells senders not to generate.

The moral of the story is that if Safari 11 throws an NSPOSIXErrorDomain:100 error, check your HTTP headers to ensure they don’t contain multiline values. A quick way to see exactly what goes out on the wire is curl -sI https://yoursite/ | cat -A, which prints every line ending (^M$ for CRLF, a bare $ for LF), so a field value that spans lines is obvious. This isn’t pedantry on the RFC’s part either: when one hop in the chain honours line folding and the next doesn’t, the two disagree about where a header ends, and that kind of parsing ambiguity is what header-injection and request-smuggling tricks rely on.
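The check above, as an added example that is not code from the original post: it parses the raw header block a server puts on the wire, reports every field whose value was folded across lines (whether with bare LF, as nginx emits from the multi-line config, or with CRLF), unfolds the value the way RFC 7230 section 3.2.4 tells a lenient recipient to (each obs-fold becomes a single space), and rewrites a multi-line CSP value into the single-line form. The sample responses are constructed and use a shortened policy; the header names and values in them are assumptions for illustration.

```python
"""Audit an HTTP/1.1 header block for obsolete line folding (RFC 7230 obs-fold).

Added example, not code from the original post.
"""
import re

# Constructed sample: roughly what nginx emits when the quoted value of
# add_header spans several lines in the config. The value keeps the raw "\n"
# and the two-space indentation, so the wire bytes contain bare LFs followed
# by whitespace-led continuation lines (the policy itself is shortened).
SAMPLE_LF = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Content-Security-Policy: default-src 'self';\n"
    b"  script-src 'self' https://s0.wp.com;\n"
    b"  object-src 'none';\n"
    b"  form-action 'self';\r\n"
    b"\r\n"
    b"<html>...</html>"
)

# Same header folded with CRLF instead: syntactically the obs-fold the RFC
# describes, and still a value a sender MUST NOT generate.
SAMPLE_CRLF = SAMPLE_LF.replace(b";\n  ", b";\r\n  ")

_BARE_LF = re.compile(rb"(?<!\r)\n")


def audit_headers(raw: bytes):
    """Parse the header block of a raw HTTP/1.1 response.

    Returns (headers, folded, bare_lf):
      headers  dict of lower-cased field name -> unfolded value (bytes);
               repeated fields are combined with ", " (RFC 7230 section 3.2.2)
      folded   names of fields whose value used obs-fold, in the order seen
      bare_lf  True if any line ended with a lone LF instead of CRLF
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of header block (CRLF CRLF) found")
    bare_lf = _BARE_LF.search(head) is not None
    # RFC 7230 section 3.5: a recipient MAY treat a lone LF as a line terminator.
    lines = re.split(rb"\r?\n", head)
    if not lines[0].startswith(b"HTTP/1."):
        raise ValueError(f"not an HTTP/1.x status line: {lines[0]!r}")

    headers, folded, current = {}, [], None
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            # obs-fold: a whitespace-led line continues the previous field value.
            if current is None:
                raise ValueError("continuation line before any header field")
            headers[current] += b" " + line.strip()
            if current not in folded:
                folded.append(current)
            continue
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.rstrip():
            # RFC 7230 section 3.2.4: no whitespace between field name and colon.
            raise ValueError(f"malformed header line: {line!r}")
        current = name.lower().decode("ascii")
        value = value.strip()
        headers[current] = headers[current] + b", " + value if current in headers else value
    return headers, folded, bare_lf


def collapse_csp(value: str) -> str:
    """Turn a multi-line CSP (one directive per line) into the single-line
    form that belongs in an add_header value."""
    return " ".join(part.strip() for part in value.splitlines() if part.strip())


# Constructed multi-line policy in the style of the nginx config above.
MULTILINE_CSP = """default-src 'self';
  script-src 'self' https://s0.wp.com;
  object-src 'none';
  form-action 'self';"""

if __name__ == "__main__":
    for label, sample in (("LF-folded", SAMPLE_LF), ("CRLF-folded", SAMPLE_CRLF)):
        hdrs, folded, bare = audit_headers(sample)
        print(f"{label}: folded fields={folded} bare LF={bare}")
        print("  unfolded CSP:", hdrs["content-security-policy"].decode())
    print("one-line CSP for nginx:", collapse_csp(MULTILINE_CSP))
```

To audit a live site, feed the script the bytes of a real response (for example what curl -si writes) rather than the constructed samples; any name that shows up in the folded list is a header the server should be emitting on one line.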

Oh, and if you’re wondering, Safari 11 uses significantly less CPU power than Firefox Quantum. Chrome also uses significantly less CPU power than Firefox Quantum. But it’s worth noting that Firefox Quantum is beta software and its CPU usage may improve before its final release.

What’s Mine is Mine. What’s Yours is Mine Too.

The United States is a nation of laws and in a nation of laws everybody is equal under the law! If I had a dollar for every time somebody has said that to me, I’d own my own private sovereign island. But I don’t receive a dollar for every time somebody says that to me and everybody isn’t equal under the law here in the United States. If you’re an employee of the government, you have some special legal privileges. For example, if you work for the Internal Revenue Service (IRS), you can confiscate somebody’s property even if they haven’t been found guilty of a crime:

Oh Suk Kwon, who left South Korea for America in 1976, served as a fleet mechanic in the U.S. Army. After four years in the military, decades of working in an electrical plant and as an auto mechanic, after raising the kids and seeing them off to their adult lives, Kwon finally bought a gas station in Ellicott City in 2007. It meant everything to him.

Just a few years after he opened it, zealous government investigators fishing for criminals seized all of the station’s money on a hunch — and wiped the family out.

No, they weren’t money launderers or terrorists or mobsters or tax evaders. The government found no evidence of criminal activity.

But after the investigation ended, after the gas station went under, and Kwon’s wife died amid the stress of it all, after he moved from his neighborhood in shame and the Internal Revenue Service changed its policy so no other small business would get steamrolled this way — the agency won’t give Kwon his money back.

That’s $59,117.47 the IRS is holding on to.

I’ve mentioned the IRS’s use of laws against structuring, breaking up single deposits greater than $10,000 into multiple deposits under $10,000, to attack small businesses. Structuring laws were supposedly passed to thwart tax evaders but most individuals accused of structuring were doing it because a bank teller told them that if they didn’t break up their large deposits, they would have to fill out a bunch of additional paperwork. In other words, they were accused of a crime they didn’t even know existed.

But the IRS hasn’t given a shit about intent. The letter of the law has allowed the agency to confiscate money from small businesses (large businesses can afford a dedicated legal team and are therefore more of a hassle for the IRS to go after) so it has done exactly that. When it is later revealed that the accused individual was structuring because they were unaware of the law and were even advised to do so by their bank teller, the IRS points to the letter of the law to avoid having to give the money back.

If everybody was equal under the law, the people could steal money from the IRS just as it steals money from them. But everybody isn’t equal under the law. The IRS and other government bodies can steal from you but you cannot steal from them.

A Step in the Right Direction

The governments of the countries in the European Union aren’t known for their respect of gun rights. It seems like most of them would prefer if their citizens were completely disarmed. There is one exception though. The Czech Republic. While other governments in the European Union have been steadily disarming their citizens the government of the Czech Republic has been slowly expanding the gun rights of its citizens:

The lower house of the Czech parliament has agreed to alter the constitution so that firearms can be held legally when national security is threatened.

The amendment gives Czechs the right to use firearms during terrorist attacks.

It was passed by the lower house by a big majority, and is likewise expected to be approved by the upper house.

The move by parliament is a challenge to EU gun control rules which restrict civilians from possessing certain kinds of semi-automatic weapons.

While allowing firearms to be held legally when national security is threatened is such a vague standard that it could turn out to be useless, it’s a step in the right direction. It’s also nice to see some politicians realize that the solution to decentralized attackers is decentralized force.

Asymmetrical warfare is notable, in part, by the fact that there is no front line. Soldiers amassed on a border are fairly useless when the opposition is infiltrating individual fighters behind your front lines to commit isolated attacks. Under such circumstances the only solution is to have a good number of armed individuals behind enemy lines that aren’t easily identifiable by the infiltrating attackers (if they are easily identifiable, the infiltrators will be able to identify them and avoid them). While having a good number of armed unidentified individuals won’t necessarily dissuade the infiltrator, it will greatly reduce the time it takes for force to be brought against them, which can cut down the number of people they can kill.

We Have Spain’s Answer

Last week Catalonia declared independence. I noted that what happens next will depend on Spain’s response. If Spain decided to ignore Catalonia, the country would realize its independence. If Spain decided to put the boot down on the Catalans’ throats, civil war could erupt. Now we know which direction Spain wants to go:

A Spanish judge has jailed two key members of the Catalan independence movement.

Jordi Sánchez and Jordi Cuixart, who lead prominent separatist groups, are being held without bail while they are under investigation for sedition.

I’m sure this is going to go over well with the Catalans. But I also suspect that Spain is eager to egg the Catalans into a violent response so it has an excuse to send its shock troops in to cleanse the region of any and all dissidents (and non-dissidents that happen to look at the shock troops in the wrong manner).

Once again we see the futility of democracy. If a group of people decide to vote for an option that isn’t approved by their rulers, their “voice” (which is what I’m told votes are) is stifled and, if necessary, the people who voted the wrong way are violently dealt with. There are few cases that I can think of where secession has been accomplished through a ballot box.

Counting People Killed by Law Enforcers isn’t Straightforward

How many people have been killed in the United States by law enforcers? That question is actually more complicated than it appears because there is a lot of questionable data being used to establish that number:

Over half of all police killings in 2015 were wrongly classified as not having been the result of interactions with officers, a new Harvard study based on Guardian data has found.

The finding is just the latest to show government databases seriously undercounting the number of people killed by police.

“Right now the data quality is bad and unacceptable,” said lead researcher Justin Feldman. “To effectively address the problem of law enforcement-related deaths, the public needs better data about who is being killed, where, and under what circumstances.”

Feldman used data from the Guardian’s 2015 investigation into police killings, The Counted, and compared it with data from the National Vital Statistics System (NVSS). That dataset, which is kept by the Centers for Disease Control and Prevention (CDC), was found to have misclassified 55.2% of all police killings, with the errors occurring disproportionately in low-income jurisdictions.

This revelation isn’t new nor should it be surprising. Statistics is often an exercise in creating the conclusion and fitting the data to that conclusion. If, for example, the government wanted to make its law enforcers appear to be less lethal, it could massage the number of people killed by its officers by coming up with a creative definition of law enforcement interaction. And government agencies can’t even claim a monopoly on this practice. It seems that most individuals and organizations use statistics to prove an already established conclusion instead of using statistics to establish a conclusion.

Now we have at least two sets of statistics on the number of people killed by law enforcers. Which set of numbers is correct? Who knows. The government has an obvious motivation to massage the numbers so it appears that fewer people are killed by law enforcers but Feldman may be motivated to massage the numbers so it appears that more people are killed by law enforcers. Most people will likely pick the set that proves their conclusion and call it a day. And do you know what? I can’t blame somebody for choosing that strategy because realistically both sets of statistics are probably misleading in some manner.

A Grim Start to the Week

This week started on a low note as far as computer security is concerned. The first bit of news, which was also the least surprising, was that yet another vulnerability was discovered in Adobe’s Flash Player and was being actively exploited:

TORONTO (Reuters) – Adobe Systems Inc (ADBE.O) warned on Monday that hackers are exploiting vulnerabilities in its Flash multimedia software platform in web browsers, and the company urged users to quickly patch their systems to prevent such attacks.

[…]

Adobe said it had released a Flash security update to fix the problem, which affected Google’s Chrome and Microsoft’s Edge and Internet Explorer browsers as well as desktop versions.

If you’re in a position where you can’t possibly live without Flash, install the update. If you, like most people, can live without Flash, uninstall it if you haven’t already.

The next bit of bad security news was made possible by Infineon:

A crippling flaw in a widely used code library has fatally undermined the security of millions of encryption keys used in some of the highest-stakes settings, including national identity cards, software- and application-signing, and trusted platform modules protecting government and corporate computers.

The weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. The five-year-old flaw is also troubling because it’s located in code that complies with two internationally recognized security certification standards that are binding on many governments, contractors, and companies around the world. The code library was developed by German chipmaker Infineon and has been generating weak keys since 2012 at the latest.

This flaw impacts a lot of security devices including Estonia’s electronic identification cards, numerous Trusted Platform Modules (TPMs), and YubiKeys shipped before June 6, 2017. In the case of YubiKeys, the flaw only impacts Rivest–Shamir–Adleman (RSA) keys generated on the devices themselves. Keys generated elsewhere and uploaded to the device should be fine (assuming they weren’t generated with a device that uses the flawed Infineon library). Moreover, other YubiKey functionality, such as Universal 2nd Factor (U2F) authentication, remains unaffected. If your computer has a TPM, check to see if there is a firmware update available for it, and keep in mind that updating the firmware only fixes keys generated afterwards: any RSA key the old firmware produced has to be regenerated, not merely re-enrolled. If you have an impacted YubiKey, Yubico has a replacement program.
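The weak-key structure behind this flaw (publicly known as ROCA, CVE-2017-15361, from the research of Nemec et al. published in October 2017) leaves a fingerprint in the public modulus that can be checked offline. The following is an added example, not code from the original post nor from Infineon or Yubico: it implements that published fingerprint test. Primes from the affected library have the form k*M + (65537^a mod M), with M a product of small primes, so the modulus N = p*q satisfies N mod p_i in the subgroup generated by 65537 for every small prime p_i, something a properly random modulus does with negligible probability. The "weak" modulus it checks is a constructed integer with that structure (not a real key and not prime), and the "healthy" value is a constructed stand-in chosen so that one residue check visibly fails.

```python
"""ROCA fingerprint test for an RSA public modulus (CVE-2017-15361).

Added example, not code from the original post or from Infineon/Yubico.
"""
import random
from math import prod

GENERATOR = 65537

# The odd primes up to 167 that the public detector checks residues against.
FINGERPRINT_PRIMES = [
    3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67,
    71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139,
    149, 151, 157, 163, 167,
]


def subgroup(p: int, g: int = GENERATOR) -> frozenset:
    """Elements of the subgroup of Z_p^* generated by g (mod p)."""
    members, x = set(), 1
    while True:
        members.add(x)
        x = (x * g) % p
        if x == 1:
            return frozenset(members)


SUBGROUPS = {p: subgroup(p) for p in FINGERPRINT_PRIMES}


def has_roca_fingerprint(n: int) -> bool:
    """True if n mod p lies in <65537> for every fingerprint prime, i.e. n has
    the structure of a key from the flawed Infineon RSA library."""
    return all(n % p in SUBGROUPS[p] for p in FINGERPRINT_PRIMES)


def weak_modulus_stand_in(bits: int = 2048, seed: int = 2017) -> int:
    """Constructed integer with the ROCA structure k*M + (65537^a mod M).

    It is a stand-in for a weak modulus, not a real RSA key: nothing here is
    prime, but every residue check passes, which is all the fingerprint sees.
    """
    rng = random.Random(seed)            # deterministic so the example is reproducible
    m = prod(FINGERPRINT_PRIMES)         # M: product of the small primes
    a = rng.randrange(1, 1 << 32)
    k = rng.getrandbits(bits - m.bit_length())
    return k * m + pow(GENERATOR, a, m)


# Constructed "healthy" stand-in: 2^511 + 1 is 3 mod 11, while 65537 generates
# only {1, 10} mod 11, so the residue check for p = 11 fails immediately.
HEALTHY_STAND_IN = (1 << 511) + 1

if __name__ == "__main__":
    # For a real key, take n from the public key, e.g.
    #   openssl rsa -pubin -in key.pem -noout -modulus
    # and pass int(hexstring, 16) to has_roca_fingerprint.
    for label, n in (("weak-structured", weak_modulus_stand_in()),
                     ("healthy", HEALTHY_STAND_IN)):
        print(f"{label}: fingerprint={has_roca_fingerprint(n)}")
```

A positive result means the key should be treated as compromised and replaced; a negative result only says the key does not carry this particular fingerprint, so it is not a general statement about key quality.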

The biggest security news though was the announcement of a new attack against Wi-Fi Protected Access (WPA), the security protocol used to secure wireless networks. The new attack, labeled key reinstallation attacks (KRACKs, get it? I wonder how long it took the researchers to come up with that one.), exploits a flaw in the protocol itself rather than in any one product: by replaying message 3 of the WPA2 four-way handshake an attacker can make a client reinstall a key that is already in use and reset the nonce and replay counter that go with it, which in turn lets the attacker replay, decrypt, or in some cases forge packets:

The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC, or contact your vendor.

Fortunately, KRACKs can be mitigated by backwards compatible client and router software updates. Microsoft already released a patch for Windows 10 on October 10th. macOS and iOS have features that make them more difficult to exploit but a complete fix is apparently in the pipeline. Google has stated that it will release a patch for Android starting with its Pixel devices. Whether or not your specific Android device will receive a patch and when will depend on the manufacturer. I suspect some manufacturers will be quick to release a patch while some won’t release a patch at all. Pay attention to which manufacturers release a patch in a timely manner. If a manufacturer doesn’t release a patch for this or doesn’t release it in a timely manner, avoid buying their devices in the future. Note also that the attack is run against the client side of the handshake, so patching phones and laptops is what matters most; access points mainly need the fix where they act as clients themselves (repeaters and mesh nodes) or implement 802.11r fast roaming.