News You Need to Know – Page 58

The Future Of Warfare

There are two common predictions regarding the future of warfare. First, the arms race between military powers necessitates a continuous adoption of improving technologies. Second, the focus will increasingly be on attacking your opponents technology as opposed to their soldiers.

TrackingPoint, an optical system that automates almost all of the previously specialized knowledge usually required to accurately hit a target at long distances with a rifle, is an example of this. Such a system could greatly increase the accuracy of the average soldier while cutting training costs. Militaries that adopt such technology would have a distinct advantage over those that didn’t. The tradeoff is that the technology can be attacked and potentially render it useless:

At the Black Hat hacker conference in two weeks, security researchers Runa Sandvik and Michael Auger plan to present the results of a year of work hacking a pair of $13,000 TrackingPoint self-aiming rifles. The married hacker couple have developed a set of techniques that could allow an attacker to compromise the rifle via its Wi-Fi connection and exploit vulnerabilities in its software. Their tricks can change variables in the scope’s calculations that make the rifle inexplicably miss its target, permanently disable the scope’s computer, or even prevent the gun from firing. In a demonstration for WIRED (shown in the video above), the researchers were able to dial in their changes to the scope’s targeting system so precisely that they could cause a bullet to hit a bullseye of the hacker’s choosing rather than the one chosen by the shooter.

I’m sure somebody is going to claim this as a reason why merging firearms and technology is stupid. Such criticisms can be dismissed entirely because any military that fails to take advantage of this type of technology will be at a tremendous disadvantage. Merging technology and firearms is inevitable so we need to address the weaknesses.

TrakingPoint has stated that it will work with the researches to fix the vulnerabilities and that’s the proper response. This should also serve as a lesson to any organization creating military technology that software security, which will eventually become the primary target of enemy forces, must be a primary consideration.

As an aside it will be interesting to see if the death tolls in future wars decrease as focus on attacking technology increases. If one side can disable the other side’s ability to wage war it could lead to a bloodless surrender or an immediate retreat.

It’ll also be interesting to see how this plays out in the ancient battle of the state versus the people. Traditionally states, being centralized bureaucracies, have responded poorly to change whereas humanity as a whole has responded very well to change. In the future states will be entirely dependent on technology to both wage war and exploit its people. That could give the people a strong advantage since you could have the creativity of the entire world focused on rendering the technology and these centralized exploiters impotent. Imagine a world where a police cruiser pursuing a nonviolent drug dealer could be turned off with the push of a button. Suddenly the dangerous high-speed chase initiated by the officer could be made into a very safe getaway for the dealer. Family pets could be saved from police kicking in a door at oh dark thirty by merely using an exploit that would cause the officer’s identification friend or foe (IFF) to identify all of the house’s inhabitants as friendly and therefore prevent their weapons from discharging at them. Admittedly that is a farfetched vision but not one outside of the realm of possibility.

Man Criminally Charged For Fixing The Roads

The roads are the purview of the state. Some claim this is because transportation infrastructure is so complex that the market couldn’t handle it. Of course this claim is bullshit. But the fact remains that the state will use its capacity for violence against anybody who tries to involve themselves in transportation infrastructure improvements.

A Massachusetts selectman got sick of the road repair teams not fixing the faded crosswalks in his town. Instead of impotently pounding his fist on a desk he actually decided to go out and fix the crosswalks himself. Now he’s facing criminal charges because, even though he’s an agent of the state, he didn’t respect the bureaucracy:

George Simolaris, a selectman in Billerica, about 25 miles from Boston, said he was tired of constituents asking when the white paint would be freshened up, so he fixed the problem himself. He said he bought cans of green paint, the town’s official color, and spent the weekend painting over six faded crosswalks.

“All I’ve heard for months is: ‘When is this going to get done?'” Simolaris said. “I got sick of it.”

Police and town officials said painting the street without authorization was illegal and charged him with two counts of destruction of property, according to Billerica police spokesman Roy Frost.

As if that wasn’t enough they are also planning to coerce him into “repairing” the “damage” he created:

He added that Simolaris would be required to repay the $4,000 cost of cleaning up the paint, which he said chipped and smeared.

Even though many of the crosswalks in question are going to be torn up as part of a pedestrian safety project:

Town Manager John Curran said the town was in the midst of a $400,000 pedestrian safety project that requires digging up the street including some of the crosswalks in question, which are slated to be repainted once construction is complete.

So he’s facing criminal charges for painting faded crosswalks that were slated to be ripped up anyways and he’s being criminal charged for it. I think this shows just how ridiculous the “justice” system in this country is. At most I’d say he could be demanded to pay for removing the paint if the crosswalks weren’t going to be ripped up anyways. But they’re going to be ripped up so I don’t think any grounds exist for punishing him in any way.

Either way, this story shows that the state will violently enforce its monopoly on transportation infrastructure. If people are willing to repair roads and the only thing stopping them are government guns then I think the entire claim that the market can’t handle transportation infrastructure has been rendered laughable.

Use WPA-AES To Secure Your Wireless Network

Wired Equivalent Privacy (WEP) was the first standard implemented for securing wireless networks. As the weakness of the RC4 algorithm, which WEP relied on, became better known Wi-Fi Protected Access (WPA) was created as a successor. WPA has two modes: Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES).

TKIP was a bandage created for devices that could implement AES. It used WEP but with four rotating keys that raised the challenge of attacking the network significantly. But it was never meant to be a long-term replacement. Nowadays everything has support for AES, which was a good enough reason to move away from TKIP. In addition to that the weaknesses in RC4 are now bad enough where breaking TKIP is easy:

Almost a third of the world’s encrypted Web connections can be cracked using an exploit that’s growing increasingly practical, computer scientists warned Wednesday. They said the attack technique on a cryptographic cipher known as RC4 can also be used to break into wireless networks protected by the Wi-Fi Protected Access Temporal Key Integrity Protocol.

Researchers have long known statistical biases in RC4 make it possible for attackers to predict some of the pseudo-random bytes the cipher uses to encode messages. In 2013, a team of scientists devised an attack exploiting the weakness that required about 2,000 hours to correctly guess the characters contained in a typical authentication cookie. Using refinements, a separate team of researchers is now able to carry out the same feat in about 75 hours with a 94 percent accuracy. A similar attack against WPA-TKIP networks takes about an hour to succeed. The researchers said the only reliable countermeasure is to stop using RC4 altogether.

A wireless network secured with TKIP can now be broken in an hour. If you haven’t already setup your access point to exclusively use AES it’s time to do so. If you’re administering a web server and haven’t already disabled RC4 you’ve failed. But there’s no reason you can’t redeem yourself by disabling it now.

I spend a lot of time advocating for people to encrypt their data. One caveat I try to point out but sometimes forget is that all encryption isn’t made the same. Some encryption algorithms and implementations are far better than others. Even poor encryption is better than no encryption but usually not by a lot. Effective encryption is what you need if you want to keep your data private.

Focusing On Softer Targets

In regards to the Office of Personnel Management (OPM) breach I noted that the federal government’s networks are only as secure as the weakest link. While it’s likely federal agencies such as the Department of Defense (DoD) and National Security Agency (NSA) have much more secure networks than the OPM or Internal Revenue Service (IRS) the fact that all these federal agencies share data amongst each other means an attack only needs to breach the weakest network. Apparently that’s what China has been doing:

WASHINGTON — After years of cyberattacks on the networks of high-profile government targets like the Pentagon, Chinese hackers appear to have turned their attention to far more obscure federal agencies.

Law enforcement and cybersecurity analysts in March detected intrusions on the computer networks of the Government Printing Office and the Government Accountability Office, senior American officials said this week.

It’s a smart move. Just as much valuable information can be gleamed from lesser known agencies as more famous agencies. The fact is federal agencies have so much data on both individuals and government operations that they’re all prime targets. Herein again lies the fallacy of the “nothing to hide” crowd. They believe the only eyes that will be looking at the data the federal government has collected on them is the federal government. Truth be told other eyes such as foreign governments and malicious hackers will also be looking at their data.

The reason it’s important to keep as much data away from the federal government as possible is not just because of what the federal government will do with it but also because of the likelihood it will lose control of that data in the future.

Federal Government Demonstrates How Not To Do HTTPS

I admit that setting up Hypertext Transfer Protocol Secure (HTTPS) isn’t as easy as it should be. But there’s no reason why something a massive as the federal government, especially when you consider the fact that it can steal as much money as it wants, can’t properly setup HTTPS. But it can’t.

I use HTTPS Everywhere to force as many sites as humanly possible over HTTPS instead of HTTP. Usually this works very well but sometimes a site isn’t properly setup and my user experience goes south. The Senate website is one of the sites that provides a suboptimal user experience. Take a look at these two exceptions I received when trying to access information on the Senate’s website:

The thing to note is that the web server is setup to give each senator their own subdomain. This requires the certificate to contain each individual subdomain. As you can see by the errors I received the certificate doesn’t contain the subdomain for the Committee of the Judiciary or Rand Paul. There are two things to take away from this.

First, the Senate’s web server is setup in a very fragile way. Instead of creating a separate subdomain for each senator it would have been much smarter to create a separate subdirectory for each senator. The only difference that would make for the user is they would have to type https://www.senate.gov/paul instead of https://www.paul.senate.gov. Since no subdomains would be needed the certificate wouldn’t have to contain the name of every senator and Senate committee.

Second, whoever is in charge of maintaining the certificate for the Senate’s web server is incompetent. Since each senator has a separate subdomain the certificate should be renewed after every election with the subdomains of the new senators added and the subdomains of the old senators removed. Likewise, the certificate should be renewed every time a new Senate committee is created or an old one is retired. That would allow users to securely connect to each Senator’s website.

In all likelihood this setup is the result of the server originally being created without any consideration given to security. When security became a concern the system was probably patched in the all too common “good enough for government work” manner instead of being redesigned properly to reflect the new requirements. And since there is almost no accountability for government employees nobody tasked with maintaining the server probably saw fit to periodically verify that the certificate is valid for every available subdomain.

I would argue that this is yet another example of the government’s poor security practice that should have everybody worried about the data it collects.

The Deplorable State Of The Government’s Network Security

“I’ve got nothing to hide,” is a phrase commonly spoken by supporters of government surveillance and those too apathetic to protect themselves against it. It’s a phrase only spoken by the ignorant. With each working professional committing an average of three felonies a day there are no grounds for anybody to claim they have nothing to hide from the government. But even those who don’t believe they have anything to hide from the government likely feel as though they have something to hide from the general public. With the breach of the Office of Personnel Management’s (OPM) network we were shown another important fact: the government’s network security is in such a poor state that any data it collects could be leaked to the general public.

Now we’re learning that the OPM wasn’t the only government agency with deplorable network security. It’s a chronic problem within the government:

Under a 2002 law, federal agencies are supposed to meet a minimum set of information security standards and have annual audits of their cybersecurity practices. OPM’s reviews showed years of problems.

But the issue is far more widespread than with just one agency. According to the Government Accountability Office, 19 of 24 major agencies have declared cybersecurity a “significant deficiency” or a “material weakness.” Problems range from a need for better oversight of information technology contractors to improving how agencies respond to breaches of personal information, according to GAO.

“Until federal agencies take actions to address these challenges—including implementing the hundreds of recommendations GAO and agency inspectors general have made—federal systems and information will be at an increased risk of compromise from cyber-based attacks and other threats,” the watchdog agency said in a report earlier this month.

A large majority of major agencies have declare their network security to be unfit. In addition to general network security there are also concerns about overseeing contractors; which is pretty legitimate after Edward Snowden, an at the time contractor, walked off with a lot of National Security Agency (NSA) secrets; and abilities to respond to breaches.

Many mass surveillance apologists have pointed out that the OPM isn’t exactly the NSA because they assume the latter has far better security. As I mentioned above, Edward Snowden proved otherwise. And even if some agencies do have effect network security the problem of inter-agency sharing is a real concern. Assume the Internal Revenue Service (IRS) actually has adequate network security but it shares information with the OPM. In the end the data held by the IRS is still acquired by malicious hackers because they were able to compromise an agency that also held the data. Security is only as strong as the weakest link.

The next time somebody claims they have nothing to hide from the government ask them to post all of their personal information to Pastebin. If they’re not willing to do that then they should be concerned about government surveillance considering the state of its networks.

Another Reason To Run An Ad Blocker

Ad blockers are marvelous web browser plugins. In addition to saving users from dealing with ceaseless pop-ups, audio that plays automatically, and other annoyances ad blockers also protect users from malware. A recent study [PDF] published by the Simon Fraser University shows another reason to run an ad blocker: they can significantly reduce the data usage of your network:

A Canadian university claims to have saved between 25 and 40 percent of its network bandwidth by deploying Adblock Plus across its internal network.

The study tested the ability of the Adblock Plus browser extension in reducing IP traffic when installed in a large enterprise network environment, and found that huge amounts of bandwidth was saved by blocking web-based advertisements and video trailers.

This is especially important when you’re dealing with a service that requires you pay by usage, such as most modern cellular data plans, or building a network that will see heavy usage from numerous individuals, such as university networks.

Ad blockers are not well received by website operators who rely on them. It’s understandable because ad blockers directly cut into their profits. But it’s also unwise to rely on a revenue source that requires users to put themselves at risk of being infected with malware and pay more for bandwidth usage. If ad blockers are a threat to your revenue model then you should consider looking into other avenues to make profits.

I mention Feedbin periodically when the issue of website revenue comes up because it’s a great example of how a website can make money without relying on advertisements. Feedbin charges customers $3.00 per month or $30.00 per year to use its service. People are more than willing to pay money for a quality online service as demonstrated by Feedbin, Netflix, and Spotify. The advantage of a subscription model is that it’s a predicable cost, unlike the potential bandwidth costs incurred by serving advertisements, and greatly reduces the risks of malware infection.

Finding alternative revenue sources is going to become increasingly important as more people utilize ad blockers for security, reducing network congestion, and lowering bandwidth costs. Instead of expecting customers to face more risks and costs website operators need to being researching ways to stay afloat without ads. As with any market online services are constantly evolving and those who want to continue participating in it need to evolve as well.

The Founding Fathers Did Use Encryption

One of the arguments that have been made for prohibiting strong encryption is that the Founding Fathers couldn’t have envisioned a world where law enforcers were unable to read communications. Why the Founding Fathers needed to be clairvoyant to justify something today is beyond me but the Electronic Frontier Foundation (EFF) had a great rebuttal to the argument. If you head over to the Library Of Congress’s website you can read about how James Madison encrypted his messages to prevent law enforcers from reading them:

As a Virginia delegate to the Continental Congress, while secretary of state, and in his personal correspondence with Thomas Jefferson, James Madison feared constantly that unauthorized people would seek to read his private and public correspondence. To deter such intrusions, he resorted to a variety of codes and ciphers.

Most of the early ciphers that Madison used were keyword polyalphabetic code systems involving a complex interaction of a keyword with alphabets and numbers in a preestablished pattern. The codes were designed by James Lovell, a Massachusetts delegate to the Continental Congress and an expert on ciphers. On July 5, 1782, Edmund Randolph wrote to James Madison: “I wish, that on future occasions of speaking of individuals we may use the cypher, which we were taught by Mr. Lovell. Let the keyword be the name of the negro boy, who used to wait on our common friend.” Madison noted at the bottom of Randolph’s letter, “Probably CUPID.” He added, “I have been in some pain from the danger incident to the cypher we now use. The enemy I am told have in some instances published their intercepted cyphers.”

What’s interesting here is that Madison not only encrypted his messages when he was in the Continental Congress but also after he became secretary of state and in his personal correspondences. He wasn’t just hiding his communications from British law enforcers but continued to hide them even after they had been replaced by United States law enforcers. That only makes sense because if you only encrypt important messages the simple fact you used encryption indicates to spies that the message is important and resources should be put into decrypting it.

Arguing that the Founding Fathers couldn’t have predicted pervasive encryption is idiotic because they themselves used it. There’s also no evidence that they provided either British or United States law enforcers with any keys to allow them to rapidly decrypt the communications if needed.

Hennepin County Offers To Make Peaceful Transactions More Risky

Every day people are performing voluntary transactions, many of which are setup over trade websites like Craigslist. There have been a few horror stories arising from these arranged transactions, mostly because one party didn’t demand the transaction occur in a public place, but a vast majority occur without incident. Thanks to the media and police the handful of bad incidents have been trumped up enough to make a lot of people unnecessarily afraid of such transactions. Now that it has helped create the problem Hennepin County is claiming to have the solution:

MINNEAPOLIS (KMSP) – Ever purchased or sold an item on Craigslist and wondered if the person on the other end could kill you? To combat online purchasing crime, Hennepin County unveiled “Swap Spots,” public safe havens where members of the community can go to make a variety of transactions.

[…]

Swap Spots are only available during normal hours of operation and designated by a blue and red logo. A deputy is not required to monitor each exchange, will not facilitate the transaction, and won’t keep a log of transactions, but if you would like a deputy present, the sheriff’s office said they’ll try to accommodate you.

What could make another otherwise peaceful transactions risky? Adding armed men with liability shield and an extensive history of violence into the mix! That’s what Hennepin County is offering with these “Swap Spots.” Instead of meeting in a public place, say a busy park or a restaurant, to perform a transaction people now have the option of performing the transaction under the gaze of police officers who are likely chomping at the bit to arrest somebody for violating some esoteric law, failing to pay a tax, or any number of other possible justifications they can fabricate on the spot.

If I were going through with an online transaction the last place I would do it at is one of these “Swap Spots.” Adding government in any capacity to the free market is always dangerous. I’d far prefer performing a transaction at a restaurant where you’re not only safe but also have access to food and drink (which is always nice when doing business).

Unaffordable Health Insurance Soon To Be More Unaffordable

I assume any bill passed by Congress will do the opposite of what its title says and I’m usually correct. The Affordable Care Act (ACA) may be the best example of this. Going by the title you would assume the bill is means to lower the cost of healthcare in this country. What it actually does is puts a gun to everybody head (which really is the only thing the government knows how to do) to force them to buy health insurance. What happens when a business knows you must do business with them? This:

WASHINGTON — Health insurance companies around the country are seeking rate increases of 20 percent to 40 percent or more, saying their new customers under the Affordable Care Act turned out to be sicker than expected. Federal officials say they are determined to see that the requests are scaled back.

Blue Cross and Blue Shield plans — market leaders in many states — are seeking rate increases that average 23 percent in Illinois, 25 percent in North Carolina, 31 percent in Oklahoma, 36 percent in Tennessee and 54 percent in Minnesota, according to documents posted online by the federal government and state insurance commissioners and interviews with insurance executives.

And there’s not a damn thing we can do about it. Of course government officials are going to ensure the requests are scaled back because the health insurance companies paid them a great deal to pass the ACA so they could jack up rates. If government officials actually care about the costs fronted by the people they would have made it illegal to raise insurance rates (or not have passed the ACA in the first place).

If you live in the Twin Cities you know what game is being played here. It’s the same game Xcel Energy plays every few years. Xcel will request to raise its rates by a large amount knowing government officials who oversee its granted power provision monopoly will scale back the request. So long as Xcel demands double of what it really wants it gets what it wants in the end.

Now that we’re all forced to buy health insurance the insurance providers are going to request to jack up their rates every several years. Government officials, claiming to be magnanimous, will bitch that the rate hike is outrageous and demand the rate be raised by less. Eventually a number the insurance providers and government officials are happy with will be agreed upon and we’ll all be forced to pay more.

Shit like this is why I thought everybody who advocated for the ACA was a bloody idiot. It’s also why I think anybody who wants to “repeal and replace” or “modify” the ACA instead of completely abolishing it is a bloody idiot.