Don’t Stick Just Anything In Your Port

Universal Serial Bus (USB) flash drives are ubiquitous and it’s easy to see why. For a few dollars you can get a surprising amount of storage in a tiny package that can be connected to almost any computer. Their ubiquity is also the reason they annoy me. A lot of people wanting to give me a file to work on will hand me a USB drive, to which I respond, “E-mail it to me.” USB drives are convenient for moving files between local computers but they’re also hardware components, which means you can do even more malicious things with them than with malicious software alone.

The possibility of using malicious USB drives to exploit computers isn’t theoretical. And it’s a good vector for targeted malware since the devices are cheap and a lot of fools will plug any old USB drive into their computer:

Using booby-trapped USB flash drives is a classic hacker technique. But how effective is it really? A group of researchers at the University of Illinois decided to find out, dropping 297 USB sticks on the school’s Urbana-Champaign campus last year.

As it turns out, it really works. In a new study, the researchers estimate that at least 48 percent of people will pick up a random USB stick, plug it into their computers, and open files contained in them. Moreover, practically all of the drives (98 percent) were picked up or moved from their original drop location.

Very few people said they were concerned about their security. Sixty-eight percent of people said they took no precautions, according to the study, which will appear in the 37th IEEE Symposium on Security and Privacy in May of this year.

Leaving USB drives lying around for an unsuspecting sucker to plug into their computer is an evolution of the old trick of leaving a floppy drive labeled “Payroll” lying around. Eventually somebody’s curiosity will get the better of them and they’ll plug it into their computer and helpfully load your malware onto their network. The weakest link in any security system is the user.

A lot of energy has been invested in warning users against opening unexpected e-mail attachments and visiting questionable websites, and in urging them to update their operating systems. While it seems this advice has mostly fallen on deaf ears it has at least been followed by some. I think it’s important to spend time warning about other threats such as malicious hardware peripherals as well. Since it’s something that seldom gets mentioned almost nobody thinks about it and that helps ensure experiments like this will show disappointing results.

But They’ll Keep A Master Key Safe

We’re constantly being told by the State and its worshippers that cryptographic backdoors are necessary for the safety and security of all. The path to security Nirvana, we’re told, lies in mandating cryptographic backdoors in all products that can be unlocked by the State’s master key. This path is dangerous and idiotic on two fronts. First, if the master key is compromised every system implementing the backdoor is also compromised. Second, the State can’t even detect when its networks are compromised so there’s no reason to believe it can keep a master key safe:

The feds warned that “a group of malicious cyber actors,” whom security experts believe to be the government-sponsored hacking group known as APT6, “have compromised and stolen sensitive information from various government and commercial networks” since at least 2011, according to an FBI alert obtained by Motherboard.

The alert, which is also available online, shows that foreign government hackers are still successfully hacking and stealing data from US government’s servers, their activities going unnoticed for years.

[…]

This group of “persistent cyber criminals” is especially persistent. The group is none other than the “APT6” hacking group, according to sources within the antivirus and threat intelligence industry. There isn’t much public literature about the group, other than a couple of old reports, but APT6, which stands for Advanced Persistent Threat 6, is a codename given to a group believed to be working for the Chinese government.

Even if somebody believes the United States government is a legitimate entity that can be trusted with a cryptographic master key, they probably don’t believe the likes of Iran, China, and North Korea are as well. But those are the governments that would likely get the master key and enjoy exploiting it for years before anybody became the wiser.

And the impact of such a master key being leaked, even if you mistakenly believe the United States government can be trusted to only use it for good, is hard to overstate. Assuming a law was passed mandating all devices manufactured or sold in the United States had to implement the backdoor, a leak of the master key would effectively render every American device unencrypted.

So the real question is, do you trust a government that cannot detect threats within its network for years on end to secure a master key that can unlock all of your sensitive information? Only a fool would answer yes.

If You Don’t Own It, It’s Not Yours

If you don’t own it, it’s not yours. A lot of people are learning that lesson today after Google announced that it would be disabling customers’ Revolv smart-home hub in spite of the promised lifetime subscription:

As we reported on Tuesday, shutting down the Revolv smart-home hubs does not mean Nest is ceasing to support its products, leaving them vulnerable to bugs and other unpatched issues. It means that the $300 (£211) devices and accompanying apps will stop working completely.

[…]

And the decision to deliberately disable the smart-home hubs comes despite the fact they were previously advertised as having a “lifetime subscription.”

Do you own the devices you purchase? If you read most license agreements, which you usually can’t read until you’ve purchased and opened the product, you’re not buying the product but a license to use the product. This is especially true with products that include software, which are regulated under easily abused copyright laws. John Deere, for example, claims you don’t own your tractor, you’re merely licensing it. Because of that John Deere argues that you’re not allowed to fix the tractor as that is a violation of the license you agreed to.

The problem with licenses is that they can be revoked. In this case Google is not only ceasing online services for the Revolv but is entirely bricking the devices themselves, which is likely allowed under the device’s license agreement (those agreements basically read, “We can do whatever we want and you agree to like it.”) regardless of any marketing promises of a “lifetime subscription.”

Had the Revolv been a device that ran open source software with a permissive license its fate wouldn’t be so bleak. At least the option would exist for developers to continue updating the software and creating an alternate online service. That’s the type of freedom ownership allows but licensing usually doesn’t.

As more devices are needlessly tied to “the cloud” we’re going to see more bullshit like this. In my eyes it’s the “in-app purchases” economy brought into the physical world. Many applications used to sell for a one-time fee only for the developers to change their mind and start relying on in-app purchases. An example of this is Cyclemeter. When I first purchased the app it included everything. Now you need to pay a yearly subscription fee via the in-app purchase feature to unlock most of the features. The same bait and switch is coming to our physical world via the Internet of Things. Manufacturers will brick older devices to persuade customers to buy the latest model. Since these devices are almost exclusively licensed instead of owned there will be little recourse for customers. It’s going to be a large scale demonstration of if you don’t own it, it’s not yours.

Another Hero Becomes A Political Prisoner Of Uncle Sam

Anybody who has been paying attention to the depravities of the State won’t be surprised by this post. It is a post about another hero who has been turned into a political prisoner by the State. This hero worked to reduce the violence in the drug market by keeping both buyers and sellers anonymous. He did this in spite of the fact that the last person who followed this path ended up imprisoned for life. Unfortunately the fate of his predecessor likely convinced this hero to plead guilty and suffer a reduced sentence rather than be railroaded by the State’s courts:

Last week, a federal judge in Washington formally accepted the guilty plea of Brian Farrell, the 28-year-old who had been accused in 2015 of being the right-hand man to the head of Silk Road 2.0, the copycat website inspired by the infamous Tor-enabled drug website.

In a 2015 press release, the Department of Justice said that SR2 had generated approximately $8 million per month since it began in November 2013.

While the State was busy sending Special Weapons And Tactics (SWAT) teams to people’s houses at oh dark thirty to kick in their doors, shoot their dogs, and kidnap them because they were in possession of a plant, Brian Farrell was helping run a service that kept those psychotic law enforcers away from both buyers and sellers. After all, neither drug buyers nor sellers commit actual crimes. There is no victim in a mutually agreed upon transaction.

Due to the illegal nature of the drug trade violence often does creep into the mix though. Most of this violence occurs between competing dealers but sometimes it occurs when disagreements arise between buyers and sellers. Since the State has declared the drug trade illegal, claims a monopoly on dispute resolution services, and ruthlessly pursues anybody who creates a dispute resolution service for drug market actors there are few places for a wronged seller or buyer to go. Silk Road and Silk Road 2 acted as both a marketplace and a dispute resolution service. Through escrow, mediation, and user reviews both Silk Roads allowed wronged parties to have their disputes resolved peacefully. In fact there was no way for wronged parties to resort to violence since all parties were anonymous.

Online drug marketplaces are considered illegal by the State. But the vast majority of crimes perpetrated in relation to these marketplaces are those committed by the State as it uses its capacity for violence to terrorize and punish anybody involved in the drug trade.

Brian Farrell, like Ross Ulbricht before him, should be remembered as a hero who tried to stem the tide of government violence.

A Lack Of Transparency Is Killer

Yesterday Hennepin County Attorney Mike Freeman announced that officers Ringgenberg and Schwarze would not be charged in the death of Jamar Clark:

No charges will be filed against the two Minneapolis officers involved in the shooting death last fall of Jamar Clark, Hennepin County Attorney Mike Freeman announced Wednesday, citing DNA and other evidence showing Clark had a hand on one officer’s gun during a struggle and was not handcuffed when shot by a second officer.

This decision has gone over about as well as anybody could have expected. Those who wanted the officers charged are angry because they don’t believe justice was served. Those on the side of the officers are happy and believe justice was served. In the end the announcement served primarily to galvanize both sides’ biases.

Which side is right? Therein lies the problem. Because of how the investigation was handled it’s hard to know. It was another case of “We investigated ourselves and determined that we did nothing wrong.” The investigation was headed by the Bureau of Criminal Apprehension (BCA) and the Federal Bureau of Investigation (FBI), both of which are law enforcement organizations. In a time when public trust in law enforcement is at a notable low the fact that both investigating organizations are involved in law enforcement cannot go without mention. But the biggest problem is that the investigation took place behind an iron curtain.

The lack of transparency is ultimately what makes the announced findings questionable. Jury trials are by no means perfect but they do take place in the public realm (members of the public can sit in and view court cases) so all evidence and arguments are not only made available but can be witnessed as they are presented. Since the investigation into Jamar Clark’s death took place entirely behind closed doors there’s no way to verify the process that led to the findings. Without neutral witnesses to that process there is no way to verify whether the announcement was arrived at through honest analysis of the evidence at hand or through an editing process biased in favor of the officers.

Saying an investigation came to a decision is meaningless if the integrity of the investigative process cannot be verified.

Innocent Until Proven Guilty

The second worst casualty of a major attack is the presumption of innocence. Too often people demand that heads roll and assume anybody questioned, arrested, or charged because of an attack should be hanged. This leads to a lot of stupidity such as the xenophobia that began running rampant immediately after the attack in Brussels. Investigations take time and a lot of initial judgements based on preliminary evidence are proven wrong, as this story illustrates so perfectly:

BRUSSELS — The Belgian authorities on Monday conceded another enormous blunder in their investigation into the attacks last week on Brussels. They freed a man they had charged with terrorism and murder, acknowledging that a witness had mistakenly identified him as a bomber in a dark hat and white coat in an airport surveillance photo.

The man, who was arrested on Thursday and charged on Friday, was released after three days in custody, during which some officials publicly vilified him as a terrorist. On Monday, the police said that the real attacker, one of the men who blew up a departure hall at Brussels Airport, remained at large, and they issued a new plea to the public to help identify him.

The release of the man — who has been identified by the Belgian news media and Belgian officials as Fayçal Cheffou, who has called himself a freelance journalist — is a stunning setback for the Belgian authorities, who have struggled for more than a year to get a handle on the growing threat of Islamic State militants.

A lot of people were demanding gallows be built so Cheffou could be immediately executed. Had they gotten their way an innocent man would have been dead and nobody would have been any closer to determining who else was connected to the attack in Brussels. This is why the presumption of innocence is important, especially in a high profile event such as this one.

I know everybody hates to hear it but the only appropriate way to respond to the aftermath of an attack is to have patience. Nothing is gained by rash responses. In fact rash responses often cause the same thing as the initial attacks: innocent people being injured or killed.

Checkpoints All The Way Down

The investigation into the Brussels attack hasn’t concluded yet but politicians are already calling for actions to be taken to prevent such an attack from happening here:

Security experts, politicians and travelers alike say the Brussels bombings exposed a weak spot in airport security, between the terminal entrance and the screening checkpoint.

“If you think about the way things were done in Brussels — and have been done in other places — literally people only have to only walk in, and they can attack at will,” said Daniel Wagner, CEO of security consulting firm Country Risk Solutions.

These idiots will be putting security checkpoints before the security checkpoints if we let them:

Wagner suggests U.S. airports establish pre-terminal screening before travelers enter the facility.

“That is a common approach in many countries around the world — you cannot even get in the terminal until your bags and your person have been pre-screened,” he said. “That is, through an X-ray machine both for the bags and for the individual.”

It’ll be checkpoints all the way down. What none of these stooges have stopped to consider is that the checkpoints themselves are attractive targets. Checkpoints are chokepoints. They force large numbers of people to gather in a single place so they can slowly (very slowly in the case of Minneapolis’ airport) be filtered through by security. If a suicide bomber wants to kill a lot of people they need only step in the checkpoint line.

Adding an additional chokepoint or moving the current one doesn’t fix the problem. Reducing the amount of damage a terrorist can cause in an airport requires dispersing people, which means making major changes to current airport security practices. The long security lines have to go. This can be done by simplifying the screening process, making it consistent (anybody who travels frequently knows that the orders barked by the Transportation Security Administration (TSA) goons can change drastically from day to day), and increasing the number of checkpoints. None of those measures will be taken though because the idiots who make the policies know nothing about security.

Cruzing The Ghetto

The attack in Brussels only happened a few days ago. That means there hasn’t been enough time for a serious investigation. But that isn’t stopping people from playing the blame game. Wild speculations are being thrown about everywhere but I think Ted Cruz managed to become king of the asshole mountain:

After repeating his standard campaign-trail assertion that Barack Obama has failed to confront – or even properly identify – “radical Islamic terrorists”, he called for the US to stop admitting refugees from areas with a so-called Islamic State or al-Qaeda presence.

He then turned his attention to the home front.

“We need to empower law enforcement to patrol and secure Muslim neighbourhoods before they become radicalised,” he said.

Cruz is always looking to make government smaller and more efficient. Whereas Franklin Roosevelt built expensive concentration camps to hold American citizens of Japanese descent, Cruz wants to use the cheaper option of simply turning Muslim neighborhoods into little Warsaw Ghettos.

Since Cruz stylizes himself as an individualist his proposal is ironic. Collective punishment, as the name denotes, is an entirely collectivist ideal. By saying Muslim neighborhoods must be patrolled Cruz is stating that he believes all Muslims share responsibility for the action of the bombers in Brussels. That’s the exact opposite of individualism, which holds only the individuals who committed a crime responsible for it (because they were the only ones responsible).

If turning Muslim neighborhoods into ghettos isn’t the proper response to these attacks, what is? As much as people hate to hear it the only proper response is to have patience. Nothing can be accomplished until a thorough investigation has been performed and the evidence has been analyzed. Until the investigation has concluded anything we hear will be speculative or preliminary in nature. Once the investigation has concluded we can consider methods of mitigating future attacks like this. Unfortunately it will be impossible to bring those responsible for these attacks to justice since they killed themselves. But we can use the information gathered by investigators to make future attacks like this harder to pull off (of course, since the government will claim a monopoly on implementing countermeasures, we’ll probably just get an expansion of the police state instead of effective methods of guarding against these kinds of attacks).

When Your Radical Goals Become Self-Defeating

From yesteryear’s anti-war movement to today’s social justice movement, college campuses have served as some of the biggest hot zones for social upheaval. Today’s upheaval, just like yesteryear’s, is being played out by conservatives who want things to remain as they are, radicals who want to change things, and everybody caught between them.

Both extremes have an unfortunate habit of becoming extremely authoritarian. For the radicals this authoritarianism can quickly become self-defeating though:

At Western Washington University, a public institution with roughly 15,000 students, a group of leftist activists calling itself the Student Assembly for Power and Liberation has issued a sweeping list of demands that would radically reshape its school.

[…]

The petition goes on to call for $45,000 annually to compensate “students and faculty doing de-colonial work on campus” and the creation of a 15-member student panel, dubbed the Office for Social Transformation, “to monitor, document, and archive all racist, anti-black, transphobic, cissexist, misogynistic, ablest, homophobic, Islamophobic, xenophobic, anti-semitic, and otherwise oppressive behavior.” This panel would have the power to investigate and discipline students and faculty members and to fire even tenured faculty members.

Surveillance always favors those already in power. Conservatives, as proponents of the current system, favor the current individuals in power. That means any surveillance system will necessarily favor conservatives.

Herein lies the moment when radicalism can become self-defeating. Surveillance sounds like a very attractive tool to both sides because it allows them to identify and take out their opposition. Given an excuse the established power will gladly implement a surveillance system. By demanding such a surveillance system the radicals are giving the conservatives a convenient excuse to implement a surveillance system while justifying it as a compromise. Once implemented though the surveillance system remains in their control and they can use it to identify and take out radicals.

The current social justice movement isn’t unique in this. Many radical movements throughout history have handed their conservative opposition the rope needed to hang them. If you’re a radical any authoritarian system will be used against you so don’t volunteer your support for its implementation.

What The Paris Attackers Used Instead Of Encryption

Our overlords are still trying to make us believe the reason the Paris attackers weren’t discovered before the attack is because they used effective cryptography. That is a blatant lie though. So what did the attackers use to avoid detection? A lot of cell phones:

New details of the Paris attacks carried out last November reveal that it was the consistent use of prepaid burner phones, not encryption, that helped keep the terrorists off the radar of the intelligence services.

As an article in The New York Times reports: “the three teams in Paris were comparatively disciplined. They used only new phones that they would then discard, including several activated minutes before the attacks, or phones seized from their victims.”

The article goes on to give more details of how some phones were used only very briefly in the hours leading up to the attacks. For example: “Security camera footage showed Bilal Hadfi, the youngest of the assailants, as he paced outside the stadium, talking on a cellphone. The phone was activated less than an hour before he detonated his vest.” The information comes from a 55-page report compiled by the French antiterrorism police for France’s Interior Ministry.

I hesitate to say the attackers used burner phones because the term usually implies phones that were purchased in convenience stores with cash. In reality this type of evasion is possible with any type of cell phone so long as a group has enough of them. The trick is to only use a particular cell phone for one or two messages before disposing of it. With numbers changing constantly it’s difficult for the spooks to create a reliable social graph and therefore a plot.

This news will likely have the undesired effect of inspiring legislators to write bills prohibiting the purchase of cell phones for cash but such legislation won’t hinder this kind of strategy.