Physical Access Isn’t Necessarily Game Over

I swear Apple fanboys are some of the dumbest people on the planet. Quite a few of them have been saying, “If an attacker has physical access, it’s game over anyways,” as if that statement makes the root user exploit recently discovered in High Sierra a nonissue.

At one time that statement was true. However, today physical access is not necessarily game over. Look at all of the trouble the Federal Bureau of Investigation (FBI) has been having with accessing iOS devices. The security model of iOS actually takes physical access into account as part of its threat model and has mechanisms to preserve the integrity of the data contained on the device. iOS requires all code to be signed before it will install or run it, which makes it difficult, although far from impossible, to insert malicious software onto iOS devices. But more importantly, iOS encrypts all of the data stored in flash memory by default. Fully encrypted disks protect against physical access by preventing an attacker from getting any usable data from a disk and by preventing them from altering the data on the disk (such as writing malware directly to the disk).

macOS has a boot mode called single user mode, which boots the computer to a root command prompt. However, if a firmware password is set, single user mode cannot be started without entering the firmware password. The firmware password can be reset on machines with removable RAM (resetting the password requires changing the amount of RAM connected to the mainboard), but most of Apple’s modern computers, some iMacs being the exception, have RAM modules that are soldered to the mainboard.

Physical access is especially dangerous because it allows an attacker to insert malicious hardware, such as a key logger, that would allow them to record everything you type, including your passwords. However, that kind of attack requires some amount of sophistication and time (at least if you want the malicious hardware to be difficult to detect), which is where the real problem with High Sierra’s root exploit comes in. The root exploit required no sophistication whatsoever. Gaining root access only required physical access (or remote access if certain services were enabled) to an unlocked Mac for a few seconds. So long as an attacker had enough time to open System Preferences, click one of the lock icons, and type in “root” for the user name a few times, they had complete access to the machine (from there they could turn on remote access capabilities to maintain their access).

Attempting to write off this exploit as a nonissue because it requires physical access requires willful ignorance of both modern security features that defend against attackers with physical access and the concept of severity (an attack that requires no sophistication can be far more severe than a time-consuming, sophisticated attack under certain threat models).

The Fix for High Sierra’s Embarrassing Privilege Escalation Bug and the Fix for the Fix

Apple has already released a fix for its embarrassing privilege escalation bug. If you haven’t already, open the App Store, go to Updates, and install Security Update 2017-001. However, after installing that you may notice that file sharing no longer works. In order to fix this problem you need to perform the following steps:

  1. Open the Terminal app, which is in the Utilities folder of your Applications folder.
  2. Type sudo /usr/libexec/configureLocalKDC and press Return.
  3. Enter your administrator password and press Return.
  4. Quit the Terminal app.

In conclusion High Sierra is still a steaming pile of shit and you should stick to Sierra if you can.

What Could Have Been

The last presidential election is where third parties had a chance to shine. Both major parties were fielding the worst candidates that they could find. Unfortunately, the Libertarian Party threw away its chance of making itself known by once again nominating Gary Johnson when it had the chance to field this man:

There, naked but for an ammunition belt, was 71-year-old tech tycoon and former fugitive John McAfee, spraying bullets into the wall and ceiling of the living room.

That right there is the future libertarians want: a future where everybody has the freedom to wear nothing but an ammunition belt and fire rounds into their own damned property!

What’s really funny is the fact that this man has a better grasp of libertarian principles and is better at expressing them than the Libertarian Party’s nominee.

Adaptability is an Established Military’s Greatest Weakness

You may have heard the phrase, “The military is always preparing to fight the last war.” Any military that has been established for a length of time seems to get dragged down by entrenched ideologies and traditions. This leads them to become very rigid. The United States military is a great example of this. During its War on Terror it has clung to its usual tactics, which work well against other large national militaries but are more or less useless against asymmetrical tactics. It has also proven incompetent at information security, which is now a major component in warfare:

After uncovering a massive trove of social media-based intelligence left on multiple Amazon Web Services S3 storage buckets by a Defense Department contractor, the cloud security firm UpGuard has disclosed yet another major cloud storage breach of sensitive intelligence information. This time, the data exposed includes highly classified data and software associated with the Distributed Common Ground System-Army (DCGS-A), an intelligence distribution platform that DOD has spent billions to develop. Specifically, the breach involves software for a cloud-based component of DCGS-A called “Red Disk.”

Don’t get me wrong, I’m all for government transparency and appreciate the military’s current, albeit accidental, dedication to it. However, from a strategy standpoint this is pretty damned pitiful.

macOS High Sierra is Still Terrible

macOS High Sierra may go down in the history books as Apple’s worst release of macOS since the initial one. Swapping the graphical user interface to use the Metal API wasn’t a smooth transition, to say the least, but the real mess is in regards to security. There was a bug where a user’s password could be displayed in the password hint field, so a malicious user could log in to another user’s account simply by entering that user’s password incorrectly to trigger the hint field. But yesterday it was revealed that the root account, which is normally disabled entirely, could be activated in High Sierra by simply typing root into the user name field in System Preferences:

The bug, discovered by developer Lemi Ergin, lets anyone log into an admin account using the username “root” with no password. This works when attempting to access an administrator’s account on an unlocked Mac, and it also provides access at the login screen of a locked Mac.

The only good news is that you can defend against this bug by enabling the root account and giving it a password.

The security mistakes in High Sierra are incredibly amateur. Automated regression testing should have caught both the password hint mistake and this root account mistake. I can only assume that Apple’s quality assurance department took the year off because both High Sierra and iOS 11 are buggy messes that should never have been released in the states they were released in.

They’re Just Teasing Us

Nobody likes a tease:

This week, the 78-year-old Koskinen began his third retirement. And he says the IRS is still a distressed organization. “When Eisenhower left office, his message was: Beware the military-industrial complex,” Koskinen said. “My message is: Beware the collapse of the IRS.”

The collapse of the Internal Revenue Service (IRS)? Why is he trying to get our hopes up so high? I think most of us know that there’s no way in hell that the federal government would allow its revenue generating arm to collapse. If anything, the IRS would be the last department that would be allowed to fall.

But can you imagine a world where the federal government didn’t take a huge chunk of our income? Not only would you have more money in your pocket to do with as you please but it would severely hamper the federal government’s law enforcement and military capabilities. Perhaps the Bureau of Alcohol, Tobacco, Firearms, and Explosives wouldn’t be able to run guns to Mexican drug cartels; the Federal Bureau of Investigation wouldn’t be able to radicalize random isolated individuals, give them a fake bomb, arrest them, and claim credit for thwarting a terrorist attack; the National Security Agency wouldn’t be able to continue its massive surveillance program against us; and the Drug Enforcement Agency wouldn’t be able to continue waging its lethal war on drugs. A world without the IRS could be a beautiful one indeed. Let’s all hope that Koskinen’s warning has some kernel of truth behind it and that someday the IRS could collapse.

Lies, Damned Lies, and Statistics

The older I get the more cynical I become towards statistics. Statistics can be a valuable tool for identifying trends. However, the trends revealed by statistics often have multiple possible explanations. Case in point, a lot of media outlets have been making a big deal about the supposed rise in hate crimes, especially against Muslims. They have been quick to blame the election of Trump. However, another cause of this trend could be methodology:

There were 271 more incidents deemed hate crimes in 2016 than the previous year, according to the latest Uniform Crime Reporting (UCR) data. There were also 257 more law enforcement agencies reporting last year, so that increase could largely or even entirely be a matter of getting more complete statistics. The higher numbers mostly represent small increases in incidents classified as anti-Hispanic, anti-Jewish, anti-Muslim, or anti-white.

[…]

Some will surely blame the beginning of Donald Trump’s political ascendancy, and that can’t be ruled out. But another explanation is as likely, if not more likely: The FBI changed how it classified certain hate-crime incidents in 2015.

Before this period, crimes based on someone’s ethnicity or national origin were simply sorted into Hispanic or non-Hispanic bias incidents, leaving us with a cache of uncountable incidents that could’ve been based on someone’s perceived Middle Eastern or Arabic status. But in 2015, ethnicity was lumped in with the racial-bias category. This means that some of the incidents previously attributed to a general sort of anti–Middle Eastern bias could either be categorized as anti-Arab racial/ethnic bias or anti-Muslim religious bias, possibly spiking the anti-Islamic incident stats.

More law enforcement agencies providing data may be influencing the results. Moreover, the category being mentioned most frequently by the media, hate crimes against Muslims, is a recent addition. Going from zero incidents before 2014 to incidents in 2015 will necessarily show an increase in incidents.

None of this is to say that Trump’s election hasn’t been a contributing factor. But there are also alternative explanations for the increase in hate crimes that cannot be ignored. Perhaps the increase in hate crimes is a combination of Trump’s election and changes to methodology. Statistics can reveal a trend if the methodology is solid. But even if a trend is revealed, statistics can seldom point to a specific cause or provide an effective solution.

No Government Choo Choo for You

While the Super Bowl itself won’t provide me any entertainment, the National Football League’s (NFL) decision to bring it to Minneapolis has provided me a significant amount of entertainment. Between turning the city into a prison and the possibility of mass transit being unavailable during the big game, I’ve already been given a great deal of entertainment. But the real icing on the cake is that even if the Amalgamated Transit Union doesn’t strike, the government choo choo will only be available to people who have purchased a Super Bowl ticket [PDF]:

Gameday Pass: $30
Only those holding one of these tickets and an official Super Bowl ticket will be able to ride the METRO Light-Rail on game day. This pass is also valid on all bus, Light-Rail and Northstar service on game day and Monday, February 5. Available only from the Metro Transit app.

There are a lot of people who mistakenly believe that “public” transport is owned by the people. “Public” transport is actually owned by the government. If the government decides that it wants to make its transportation system exclusively available to a certain segment of people, there’s not a damn thing “the public” can do about it.

If you rely on the government choo choo, don’t despair. More buses will be made available. They’ll just be slower so plan to leave much earlier than you otherwise would, you fucking pleb:

Buses: For non-ticket holders, buses will replace light-rail trains on the entirety of the Blue Line throughout the day on February 4, 2018. Replacement buses will operate between Target Field Station and Stadium Village Station on the Green Line. Buses run on similar schedules to trains but can take longer; please plan accordingly.

With all of the streets that will be shut down in Minneapolis during the big game as well as all the additional traffic that will be flooding the remaining streets, the buses are going to end up taking a lot longer. But sacrifices must be made. Just because you paid tax dollars to build and maintain the choo choo doesn’t mean you have the highest priority. The highest priority goes to those who have enriched the NFL, which contributed absolutely nothing to the construction and maintenance of the choo choo. Isn’t it fun being a lowly pleb?

They’ll Let Anybody in the Military

The Army is in a precarious position. It has been tasked with waging a war on terror. Since terror is such a nebulous term, the Army has no defined condition for declaring victory. That being the case, the war it has been tasked with fighting has continued to grind on for more than a decade and a half. The problem with a grinder is that you need to constantly feed it fresh meat, and the Army is having a difficult time finding enough meat.

Who wants to join the Army only to be deployed to the Middle East to get maimed or killed by an improvised explosive or a child with an AK-47? Not only is the work dangerous but the pay sucks too. The Army is offering a lot of risk with little reward, a situation most investors would run away from.

So how does the Army fill its ranks without offering better pay? By lowering its standards, of course:

The Army wants to widen the pool of recruits.

Facing low recruitment levels, the U.S. Army quietly lifted its ban on allowing people with a history of mental illness, self-mutilation and drug abuse to serve in the military – despite warnings from the industry about the risks involved.

The new rules green-light recruits who have bipolar disorder, depression and issues with cutting – a process in which a person takes a knife or razor to his or her own skin – along with those who bite, hit or bruise themselves intentionally.

If you suffer from certain mental illnesses, Uncle Sam won’t let you buy a gun. Likewise, if you use illegal drugs, Uncle Sam won’t let you buy a gun. But now he’ll happily hand you a gun!

I’d make a smart ass remark about the deplorable state of education in the United States making this necessary but the decision to lower military recruitment standards is a necessity of any country fighting a decade and a half old war against an undefined enemy.

Let the Games Begin

I’m sure I’ve made my feelings about the Super Bowl coming to Minneapolis obvious. However, I do believe that people should get what they want and they should get it good and hard. That being the case, I do take some pleasure in the fact that Minneapolis will be turned into a prison for the duration of the Super Bowl. But the icing on the cake could be the Amalgamated Transit Union (ATU), which has declared its intent to strike during the Super Bowl:

Unionized bus drivers, LRT operators and others at Metro Transit voted overwhelmingly to reject a final contract offer and authorize a strike during Super Bowl festivities next year.

The Amalgamated Transit Union (ATU) Local 1005, which represents about 2,500 workers at Metro Transit, voted 93 percent in favor of rejecting the Metropolitan Council’s last contract offer and authorizing a strike during the period leading up to the Super Bowl.

The City of Minneapolis will be relying heavily on its public transportation system during the Super Bowl since traffic there is a clusterfuck at the best of times and will be worse with the combination of tourists and closed streets. Either the Metropolitan Council gives in to the ATU’s demands or the ATU follows through with its threat to strike and the public transportation system is unavailable during the Super Bowl.

I’m expecting the Metropolitan Council to give the ATU whatever it wants but I’m really hoping it won’t and the strike will occur.