Sending The Wrong Messages

Any decent self-defense instructor will point out that the most important aspect of self-defense is situational awareness. If you are aware of your surroundings you have a far better chance of avoiding a fight entirely, which is the best form of self-defense.

The rise of mobile phones has seemingly hampered a great many people’s situational awareness. It’s not uncommon to see people walking around entirely unaware of their surroundings because their faces are looking down at their phones. This phenomenon has become so prevalent that one city is experimenting with crosswalk signals embedded in the ground:

Foreign visitors frequently wonder why crowds of Germans wait for traffic lights to turn green when there are no cars in sight.

That is why officials in the city of Augsburg became concerned when they noticed a new phenomenon: Pedestrians were so busy looking at their smartphones that they were ignoring traffic lights.

The city has attempted to solve that problem by installing new traffic lights embedded in the pavement — so that pedestrians constantly looking down at their phones won’t miss them.

Part of me thinks this sends the wrong message. When people are walking around they should be paying attention to their surroundings. Not only is it important from a self-defense aspect but it’s important for not running into other pedestrians.

I’m not stupid enough to assume you can convince people to stop looking at their phones when they’re walking around but there may be some middle ground that encourages people to not be looking down. A better solution may be a focus on developing heads-up displays for people to wear so they can somewhat keep their eye on the sidewalk as they read through their messages.

Dropping 10 Megabyte Cyberwarheads

I’ve been busy finishing up and editing my short story for the Agorist Writers Workshop so I don’t have much for you today… except stupidity.

The idiots that command the State have tried once again to use war as an analogy for hacking and it sounds just as stupid this time as it has every time before:

Defense Secretary Ashton B. Carter is among those who have publicly discussed the new mission, but only in broad terms, and this month the deputy secretary of defense, Robert O. Work, was more colorful in describing the effort.

“We are dropping cyberbombs,” Mr. Work said. “We have never done that before.”

Cyberbombs? Why not cyberclusterbombs? Isn’t the United States government dedicated to wiping out CyberISIS? How many megabytes are these cyberwarheads anyways? I hope we’re not using too little data to get the jobs done!

It’s hard to come up with new jokes at the State’s expense. The people working within it end up taking all of my good material by actually doing what I planned to joke about them doing.

The New Twenty Dollar Bill

The Treasury has announced that Andrew Jackson will be replaced with Harriet Tubman on the $20 bill. And this is hands down the best possible design for it.

[Image: hariet-tubman-twenty]

Harriet Tubman holding one hand out as if to say, “Come on you son of a bitch, do you want to be free or not?” and holding a pistol in her other hand to demonstrate she will not be fucked with.

Too bad the Treasury won’t use this design in all likelihood.

Some Inspiration For You

Those of us living under the boot of the State — which is to say almost all of us — need a little inspiration from time to time. Fortunately, many animals seem less willing to accept their chains than humans. Last week two heroic animals reminded us that freedom is something to always be striven for.

First up was Inky the octopus:

By the time the staff at New Zealand’s National Aquarium noticed that he was missing, telltale suction cup prints were the main clue to an easily solved mystery.

Inky had said see ya to his tank-mate, slipped through a gap left by maintenance workers at the top of his enclosure and, as evidenced by the tracks, made his way across the floor to a six-inch-wide drain. He squeezed his football-sized body in — octopuses are very malleable, aquarium manager Rob Yarrall told the New Zealand website Stuff — and made a break for the Pacific.

Next up was Cha Cha the chimpanzee:

A chimpanzee named Cha Cha escaped from a zoo in Sendai, Japan, and led police and zoo staff on a dramatic two-hour chase through a residential neighborhood, according to NHK, Japan’s largest broadcaster.

[Image: cha-cha-vs-the-man]

I have a similar reaction when somebody tries to cage me.

Unfortunately Cha Cha was recaptured. But failure usually precedes success so there’s still hope.

FBI Found Nothing Significant On Farook’s iPhone

After all that fuss over Farook’s iPhone the Federal Bureau of Investigation (FBI) finally managed to unlock it without conscripting Apple. So did the agency find information that will allow it to arrest the next terrorists before they can attack? Did the phone contain the secret to destroying the Islamic State? No and no. It turns out, as most people expected, there wasn’t anything significant on the phone:

A law enforcement source tells CBS News that so far nothing of real significance has been found on the San Bernardino terrorist’s iPhone, which was unlocked by the FBI last month without the help of Apple.

It was stressed that the FBI continues to analyze the information on the cellphone seized in the investigation, senior investigative producer Pat Milton reports.

All that hullabaloo over nothing. This is a recurring trend with the State. It makes a big stink about something to justify a demand for additional powers. Eventually it’s revealed that the reason it needed the additional power was nothing more than fear mongering. Why anybody takes the State seriously is beyond me.

This Is Why I Try To Wait For Proof

I’m fortunate in that I follow a lot of intelligent security professionals. When it was first announced that the Federal Bureau of Investigation (FBI) had hired a partner to break into Farook’s iPhone 5C the speculation was that the partner was Cellebrite. Note the key word, speculation. Most of the people initially speculating on the topic were careful to couch their terms as hypothetical but that didn’t stop media outlets from reporting speculation as fact. The problem with reporting speculation as fact is that it’s often wrong:

The FBI cracked a San Bernardino terrorist’s phone with the help of professional hackers who discovered and brought to the bureau at least one previously unknown software flaw, according to people familiar with the matter.

[…]

The bureau in this case did not need the services of the Israeli firm Cellebrite, as some earlier reports had suggested, people familiar with the matter said.

When the media reports something as fact do yourself a favor and dig into the story. You may find out that the fact is actually speculation.

Sometimes A Judge Displays Some Common Sense

Although the system of “checks and balances” that make up this nation’s various governmental bodies more commonly looks like a circlejerk, sometimes a judge displays some good, excuse the pun, judgement:

A west-central Minnesota judge has tossed out the Minnesota Department of Natural Resources’ highest-profile deer-poaching bust in recent memory, saying a GPS device that conservation officers attached to the suspect’s pickup was illegal.

[…]

Van Hon said in his ruling that had the DNR asked for a search warrant to place the tracking device on Liebl’s truck, the request probably would have been granted.

“Although the [tracking order] application provided sufficient basis for finding probable cause to issue a warrant, no finding of probable cause was requested or made,” Van Hon wrote in his decision. He added:

“The court cannot retroactively transform what is not a warrant into a warrant. The tracking order is not the equivalent of a warrant. … In the present case there was ample information to support a finding of probable cause for a warrant to issue for the GPS device.”

This case falls under that legal category loathed by so many prosecutors: a technicality. In this case the Department of Natural Resources (DNR), according to the judge, likely had enough evidence to get a warrant. But the agency didn’t get a warrant so the judge threw the case out instead of bending the rules to favor his employer, the State.

So much of what people, especially law enforcers and prosecutors, see as bureaucratic red tape is often the only thing standing between a prosecutor desperate to get a guilty plea and an innocent person. Sometimes that red tape lets a guilty person walk free but, as William Blackstone once said, “It is better that ten guilty persons escape than that one innocent suffer.”

It’ll be interesting to see if the DNR chooses to appeal this case and, if so, whether the next judge will “transform what is not a warrant into a warrant.”

How The Government Protects Your Data

Although I oppose both public and private surveillance I especially loathe public surveillance. Any form of surveillance results in data about you being stored and oftentimes that data ends up leaking to unauthorized parties. When the data is leaked from a private entity’s database I at least have some recourse. If, for example, Google leaks my personal information to unauthorized parties I can choose not to use the service again. The State is another beast entirely.

When the State leaks your personal information your only recourse is to vote harder, which is the same as saying your only recourse is to shut up and take it. This complete lack of consequences for failing to implement proper security is why the State continues to ignore security:

FRANKFORT, Ky. (AP) — Federal investigators found significant cybersecurity weaknesses in the health insurance websites of California, Kentucky and Vermont that could enable hackers to get their hands on sensitive personal information about hundreds of thousands of people, The Associated Press has learned. And some of those flaws have yet to be fixed.

[…]

The GAO report examined the three states’ systems from October 2013 to March 2015 and released an abbreviated, public version of its findings last month without identifying the states. On Thursday, the GAO revealed the states’ names in response to a Freedom of Information request from the AP.

According to the GAO, one state did not encrypt passwords, potentially making it easy for hackers to gain access to individual accounts. One state did not properly use a filter to block hostile attempts to visit the website. And one state did not use the proper encryption on its servers, making it easier for hackers to get in. The report did not say which state had what problem.

Today encrypting passwords is something even beginning web developers understand is necessary (even if they often fail to properly encrypt passwords). Most content management systems do this by default and most web development frameworks do this if you use their builtin user management features. The fact that a state paid developers to implement its health insurance exchange and didn’t require encrypted passwords is ridiculous.
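What “encrypting passwords” looks like when a framework does it for you, as an added example (my code, not the exchange’s or any particular framework’s): a random per-user salt, a deliberately slow PBKDF2 hash, a constant-time check, and the upgrade-on-login step frameworks use when the work factor is raised. The iteration count is an assumed starting point, and the `iterations` parameter on `hash_password` exists only so older records can be built for the demonstration.

```python
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000   # assumed work factor for this example; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a storable record: algorithm$iterations$salt$digest (salt and digest in hex).
    The random per-user salt keeps identical passwords from producing identical records;
    the iteration count makes every offline guess against a leaked table expensive.
    The iterations parameter only exists so migrations and tests can build older records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations), salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the record's own salt and iterations; constant-time compare."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        salt, expected, iterations = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex), int(iters)
    except ValueError:     # malformed record (e.g. a plaintext column): never a match
        return False
    if algo != ALGO or iterations < 1:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


def needs_rehash(record: str) -> bool:
    """True when a record is below current policy, so login() can upgrade it transparently."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGO or not parts[1].isdigit() or int(parts[1]) < ITERATIONS


def login(username: str, password: str, table: dict) -> bool:
    """Typical login path over a {username: record} table; returns True on success."""
    record = table.get(username)
    if record is None:
        hash_password(password)   # burn the same work so a missing user is not detectable by timing
        return False
    if not verify_password(password, record):
        return False
    if needs_rehash(record):      # user just proved the password: rehash at the current work factor
        table[username] = hash_password(password)
    return True
```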

Filtering hostile attempts to visit websites is a very subjective statement. What constitutes a hostile attempt to visit a website? Some websites try to block all Tor users under the assumption that Tor has no legitimate uses, a viewpoint I strongly disagree with. Other websites utilize blacklists that contain IP addresses of supposedly hostile devices. These blacklists can be very hit or miss and often block legitimate devices. Without knowing what the Government Accountability Office (GAO) considered effective filtering I’ll refrain from commenting.

I’m also not entirely sure what the GAO means by using proper encryption on servers. Usually I’d assume it meant a lack of HTTP connections secured by TLS. But that doesn’t necessarily impact a malicious hacker’s ability to get into a web server. Still, it’s not uncommon for government websites to either not implement TLS or implement it improperly, which puts user data at risk.

But what happens next? If we were talking about websites operated by private entities I’d believe the next step would be fixing the security holes. Since the websites are operated by government entities though it’s anybody’s guess what will happen next. There will certainly be hearings where politicians will try to point the finger at somebody for these security failures but finger pointing doesn’t fix the problem and governments have a long history of never actually fixing problems.

If You Can Rig The Lottery Only Do It Once

Most fraudsters are caught because they’re a combination of shortsighted and greedy. Take this bloke for example:

A lottery vendor for years manipulated drawings to enrich himself and associates by installing software code that allowed him to predict winning numbers on specific days of the year, Iowa investigators alleged Wednesday.

Authorities called the newly obtained forensic evidence a breakthrough in the investigation of alleged jackpot-fixing scheme by Eddie Tipton, former security director of the Multi-State Lottery Association. A jury convicted him last year of rigging a $16.5 million jackpot, and he’s awaiting trial on charges linking him to prizes in Colorado, Wisconsin, Oklahoma and Kansas.

Assuming Mr. Tipton is actually guilty, he will join the ranks of fraudsters who were in a position and had the ability to execute a great self-enriching scam and were caught because they pulled it more than once.

The odds of winning the lottery are astronomical so winning more than once raises all sorts of red flags. If you’re in a position to manipulate the lottery, only do it once. You can usually get away with winning once. But when you start winning in your home state, the neighboring state, and three states away people begin to get suspicious. And if your friends seem to be winning as well there’s going to be an investigation.

People like to attribute these scams purely to greed. If greed was the only factor in these scams the culprits would walk away after they accomplished their initial mission. After all, if you get caught you don’t get to keep the money so a truly greedy person will take the cash and run. These scams are usually uncovered because the culprits are both greedy and shortsighted. They fail to properly assess the risks involved in their scams and therefore continue to perpetrate them again and again. Eventually their “luck” becomes suspicious and their scam is uncovered.

FBI Claims Its Method Of Accessing Farook’s Phone Doesn’t Work On Newer iPhones

So far the Federal Bureau of Investigation (FBI) hasn’t given any specific details on how it was able to access the data on Farook’s phone. But the agency’s director did divulge a bit of information regarding the scope of the method:

The FBI’s new method for unlocking iPhones won’t work on most models, FBI Director Comey said in a speech last night at Kenyon University. “It’s a bit of a technological corner case, because the world has moved on to sixes,” Comey said, describing the bug in response to a question. “This doesn’t work on sixes, doesn’t work on a 5s. So we have a tool that works on a narrow slice of phones.” He continued, “I can never be completely confident, but I’m pretty confident about that.” The exchange can be found at 52:30 in the video above.

Since he specifically mentioned the iPhone 5S, 6, and 6S it’s possible the Secure Enclave feature present in those phones thwarts the exploit. This does make sense assuming the FBI used a method to brute force the password. On the iPhone 5C the user password is combined with a hardware key to decrypt the phone’s storage. Farook used a four digit numerical password, which means there were only 10,000 possible passwords. With such a small pool of possible passwords it would have been trivial to brute force the correct one. What stood in the way were two iOS security features. The first is a delay between entering passwords that increases with each incorrect password. The second is a feature that erases the decryption keys — which effectively renders all data stored on the phone useless — after 10 incorrect passwords have been entered.

On the 5C these features are implemented entirely in software. If an attacker can bypass the software and combine passwords with the hardware key they can try as many passwords as they want without any artificial delay and prevent the decryption keys from being erased. On the iPhone 5S, 6, and 6S the Secure Enclave coprocessor handles all cryptographic operations, including enforcing a delay between incorrect passwords. Although this is entirely speculation, I’m guessing the FBI found a way to bypass the software security features on Farook’s phone and the method wouldn’t work on any device utilizing Secure Enclave.

Even though Secure Enclave makes four digit numerical passwords safer they’re still dependent on outside security measures to protect against brute force attacks. I encourage everybody to set a complex password on their phone. On iPhones equipped with Touch ID this is a simple matter since you only have to enter your password after rebooting the phone or after not unlocking your phone for 48 hours. Besides those cases you can use your fingerprint to unlock the phone (just make sure you reboot the phone, which you can do at any time by holding the power and home buttons down for a few seconds, if you interact with law enforcement so they can’t force you to unlock the phone with your fingerprint). With a strong password brute force attacks become unfeasible even if the software or hardware security enhancements are bypassed.
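The mechanics the post describes for the 5C, as an added simulation (my code, not Apple’s implementation or the FBI’s method): a passcode tangled with a per-device key, a software guard that adds an escalating delay and erases the keys after 10 failures, and an exhaustive run over the 10,000 four-digit codes both through the guard and with it bypassed, plus the keyspace arithmetic behind the advice to use a long passcode. The hardware key, the PBKDF2 stand-in for Apple’s key derivation, the doubling delay schedule and the 80 ms per-guess cost are all assumptions.

```python
import hashlib
import os

HW_KEY = os.urandom(32)   # constructed stand-in for the key fused into the 5C's silicon
KDF_ITERATIONS = 100      # kept tiny so the example runs in seconds; a real device KDF is slower
PER_GUESS_S = 0.08        # assumed on-device cost of one derivation (not a figure from the post)

def derive_key(passcode: str) -> bytes:
    """Stand-in for tangling the passcode with the hardware key to get the storage key."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), HW_KEY, KDF_ITERATIONS)

class PasscodeGuard:
    """The 5C's software-enforced protections: escalating delay, wipe after 10 failures.
    The doubling delay schedule is assumed for illustration, not Apple's actual timings."""
    MAX_FAILURES = 10

    def __init__(self, passcode: str):
        self.stored_key, self.failures, self.wiped = derive_key(passcode), 0, False
        self.delay_s = 0.0    # mandatory wait accumulated so far (simulated, never slept)

    def try_unlock(self, guess: str) -> bool:
        if self.wiped:        # keys erased: even the correct passcode is useless now
            return False
        if derive_key(guess) == self.stored_key:
            self.failures = 0
            return True
        self.failures += 1
        self.delay_s += 60.0 * 2 ** self.failures
        if self.failures >= self.MAX_FAILURES:
            self.wiped, self.stored_key = True, None
        return False

def search_through_guard(guard: PasscodeGuard, digits: int = 4):
    """Exhaustive search that must go through the guard: returns (code, attempts, wiped)."""
    for n in range(10 ** digits):
        if guard.try_unlock("%0*d" % (digits, n)):
            return "%0*d" % (digits, n), n + 1, guard.wiped
        if guard.wiped:
            return None, n + 1, True
    return None, 10 ** digits, guard.wiped

def search_with_guard_bypassed(target_key: bytes, digits: int = 4):
    """Same search once the software guard is bypassed: only the KDF cost per guess remains."""
    for n in range(10 ** digits):
        if derive_key("%0*d" % (digits, n)) == target_key:
            return "%0*d" % (digits, n), n + 1
    return None, 10 ** digits

def exhaust_time_s(alphabet_size: int, length: int) -> float:
    """Worst-case seconds to try every passcode at PER_GUESS_S (4 digits: minutes; 10 alphanumerics: ages)."""
    return alphabet_size ** length * PER_GUESS_S
```

Through the guard the search is wiped on its tenth guess; with the guard bypassed all 10,000 four-digit codes fall to the per-guess cost alone, which is exactly why a longer alphanumeric passcode is the protection that survives a software bypass.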