VPN Isn’t A Magic Bullet

I really like virtual private networks (VPN) and a lot of people utilize them for various reasons including protecting anonymity, thwarting region locks on services, and bypassing filters put in place by Internet service providers (ISP). However it’s important to note that there are no magic bullets and VPNs are no exception.

We’re in the midst of a transition from IPv4 to IPv6. A lot of software still either doesn’t support or isn’t properly configured to handle IPv6 yet. In fact my ISP, Comcast, still doesn’t give business customers IPv6 addresses so I can’t set up my services to properly work with the newfangled Internet addressing scheme (and Comcast happens to be the only option in my area, good thing for Comcast the government exists to protect monopolies). That means my VPN server, like many others, may very well leak personal information through IPv6:

The study of fourteen popular VPN providers found that eleven of them leaked information about the user because of a vulnerability known as ‘IPv6 leakage’. The leaked information ranged from the websites a user is accessing to the actual content of user communications, for example comments being posted on forums. Interactions with websites running HTTPS encryption, which includes financial transactions, were not leaked.

The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet called IPv6. IPv6 replaces the previous IPv4, but many VPNs only protect user’s IPv4 traffic. The researchers tested their ideas by choosing fourteen of the most famous VPN providers and connecting various devices to a WiFi access point which was designed to mimic the attacks hackers might use.

This is why I recommend doing things that absolutely need to remain private through a dedicated anonymity tool such as the Tor Browser. VPNs aren’t great for preserving anonymity anyways since the server administrator knows the IP address of connected clients whereas Tor exit nodes only know the IP address of the relays directly connected to them. The Tor developers also focus on anonymity first, which means they’re far more likely to find and fix leaks that could reveal personally identifiable information. However VPNs still work well for establishing connections to remote networks in a secure manner and will still do a good job of bypassing filters and region locks.

It’s also worth noting that as we continue to transition to IPv6 we’re going to keep running into issues like this. Change is never completely smooth, especially when some ISPs, such as Comcast, still don’t provide customers the tools needed to utilize IPv6.
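
A check for the leak described above, as an added example that is not part of the original post: it runs a longest-prefix match over constructed `ip route show` output for each address family and flags the case where IPv4 leaves through the tunnel while IPv6 leaves through the physical interface. The interface names, tunnel prefixes, probe addresses, and routing tables are assumptions made for illustration.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "net dev metric blocked")

# Interface name prefixes treated as VPN tunnels (assumption; adjust to your client).
TUNNEL_PREFIXES = ("tun", "tap", "wg", "ppp")
# Route types that drop traffic instead of forwarding it (a kill switch).
BLOCK_TYPES = {"unreachable", "blackhole", "prohibit"}

def parse_routes(text, family):
    """Parse `ip -4 route show` / `ip -6 route show` output into Route tuples."""
    routes = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        blocked = tokens[0] in BLOCK_TYPES
        if blocked:
            tokens = tokens[1:]
        dest = tokens[0]
        if dest == "default":
            dest = "0.0.0.0/0" if family == 4 else "::/0"
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # not a destination this sketch understands
        # Map every keyword to the token that follows it ("dev" -> "tun0", ...).
        fields = dict(zip(tokens[1:], tokens[2:]))
        dev = None if blocked else fields.get("dev")
        routes.append(Route(net, dev, int(fields.get("metric", 0)), blocked))
    return routes

def lookup(routes, addr):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    matches = [r for r in routes if addr in r.net]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.net.prefixlen, r.metric))

def classify(route):
    if route is None:
        return "none"      # no route at all: nothing can leave
    if route.blocked:
        return "blocked"   # kill switch in place
    if (route.dev or "").startswith(TUNNEL_PREFIXES):
        return "tunnel"
    return "direct"        # leaves through the physical interface

def assess(v4_text, v6_text,
           probe4="192.0.2.1", probe6="2001:db8::1"):
    """Report where traffic to an arbitrary remote host goes, per family."""
    v4 = classify(lookup(parse_routes(v4_text, 4), ipaddress.ip_address(probe4)))
    v6 = classify(lookup(parse_routes(v6_text, 6), ipaddress.ip_address(probe6)))
    return {"ipv4": v4, "ipv6": v6,
            "ipv6_leak": v4 == "tunnel" and v6 == "direct"}

# --- Constructed sample tables (not captured from a real host) ---
# IPv4 with a VPN up: two /1 routes through tun0 override the default route.
V4_VPN_UP = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
"""
# IPv6 untouched by the VPN client: the router-advertised default still applies.
V6_NO_VPN = """
2001:db8:1:2::/64 dev wlan0 proto ra metric 600 pref medium
fe80::/64 dev wlan0 proto kernel metric 1024 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""
# IPv6 with a lower-metric unreachable default acting as a kill switch.
V6_BLOCKED = """
fe80::/64 dev wlan0 proto kernel metric 1024 pref medium
unreachable default dev lo metric 10 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""
# IPv6 routed through the tunnel as well.
V6_TUNNELLED = """
fe80::/64 dev wlan0 proto kernel metric 1024 pref medium
default dev tun0 metric 50 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""

if __name__ == "__main__":
    for name, v6 in [("no IPv6 handling", V6_NO_VPN),
                     ("IPv6 blocked", V6_BLOCKED),
                     ("IPv6 tunnelled", V6_TUNNELLED)]:
        print(name, assess(V4_VPN_UP, v6))
```

On a live Linux host, feed it the output of `ip -4 route show` and `ip -6 route show`. Routes that policy routing keeps in other tables do not appear in that output, so `ip route get <address>` remains the authoritative answer.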

NSA Officially Allowed to Continue Spying Operation

Many people were too euphoric about the expiration of Section 215 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (the whole name of the act doesn’t get printed out enough, which is a shame because somebody spent a tremendous amount of time trying to think of a backronym for USA PATRIOT) Act to take a moment to consider what it really meant. I noted that the expiration didn’t actually change anything but governments love their redundancy so the Foreign Intelligence Surveillance Court ruled that the National Security Agency (NSA) could resume (implying it didn’t simply continue its surveillance program after the expiration) wholesale spying on American citizens:

WASHINGTON — The Foreign Intelligence Surveillance Court ruled late Monday that the National Security Agency may temporarily resume its once-secret program that systematically collects records of Americans’ domestic phone calls in bulk.

[…]

In a 26-page opinion made public on Tuesday, Judge Michael W. Mosman of the surveillance court rejected the challenge by FreedomWorks, which was represented by a former Virginia attorney general, Ken Cuccinelli, a Republican. And Judge Mosman said the Second Circuit was wrong, too.

“Second Circuit rulings are not binding” on the surveillance court, he wrote, “and this court respectfully disagrees with that court’s analysis, especially in view of the intervening enactment of the USA Freedom Act.”

When the Second Circuit issued its ruling that the program was illegal, it did not issue any injunction ordering the program halted, saying it would be prudent to see what Congress did as Section 215 neared its June 1 expiration. Jameel Jaffer, an A.C.L.U. lawyer, said on Tuesday that the group would now ask for one.

Once again I find it necessary to reiterate that politics isn’t going to solve this problem. The government enjoys the ability to spy on the populace too much to give it up. No amount of begging, voting, or completely pointless filibustering by presidential hopefuls who don’t have a chance in Hell of winning the nomination is going to make the NSA’s surveillance apparatus go away.

If you actually oppose this kind of spying then it is up to you to do something about it. Standing by and hoping you can vote somebody into office to deal with the problem for you isn’t going to cut it. You need to learn, encrypt, and decentralize.

The NSA’s program relies on the pervasive use of plaintext communications and centralization. Collecting plaintext, which is a term for any unencrypted data including e-mails and phone calls, costs very little outside of the taps on the lines and storage. Encrypted text is an entirely different beast. When the NSA scoops up encrypted communications it doesn’t know what it has obtained unless it is able to break the encryption. The documents leaked by Snowden showed us that the NSA had problems with numerous encryption tools including Pretty Good Privacy (PGP) and Off-the-Record (OTR) messaging. Even when the NSA is able to break the encryption it’s not a costless endeavor when compared to plaintext.

Another key thing the NSA relies on is centralization. It’s much easier to surveil people when they’re all using a handful of services. With the popularity of Gmail, the fact that there are only four major cell phone carriers in the country, and how many people use Facebook, a lot of data is being stored in a handful of locations, which means the NSA only needs to focus its efforts on a few key spots to spy on a vast majority of Americans. If more people ran their own e-mail, XMPP, etc. servers it would increase the NSA’s costs as it would have to spread out its efforts. Utilizing decentralized networks, such as Wi-Fi mesh networks, instead of centralized Internet Service Providers (ISP) would even further complicate the NSA’s efforts.

Fighting the NSA’s surveillance apparatus requires increasing the agency’s costs. That can only be done by the ubiquitous use of encryption and decentralizing infrastructure. Don’t be a lazy libertarian, start learning how to utilize cryptographic tools today. As always I’m here to help.

Open Carry is Different than Threatening People With a Gun

It’s time once again for some open carry drama. This time it’s being brought to us by the police of Gulfport, Mississippi. An individual of that town went into the local Wal-Mart with a shotgun and was racking shells into the chamber to intimidate shoppers. The local Special Weapons and Tactics (SWAT) team arrived on the scene but opted not to arrest the individual. Their reason? Open carry laws:

The police chief of Gulfport, Mississippi, expressed his frustration with his state’s open carry laws after a man strolling through a Walmart Sunday night menaced shoppers by loading and racking shells into his shotgun, causing police to dispatch a SWAT team and evacuate the store.

According to Police Chief Leonard Papania, he would have arrested the unidentified man and his companion if he could for stretching the city’s police forces thin while panicked Walmart employees huddled in a safe room, WMC reported.

[…]

Using surveillance video police were able to track the men down and speak with them, but due to Mississippi’s open carry laws, the chief said his hands were tied after conferring with city attorneys.

“In our nation there continues to be violent events. Many of these tragic events start to unfold with very similar circumstances where individuals exhibit peculiar actions with firearms around large crowds,” he explained. “The actions of these two men could have inadvertently led to a very violent misunderstanding.”

Bullshit. His hands were not tied. There are numerous laws on the books that would have allowed him to arrest the individual. Terroristic threats and brandishing being two of them that come to mind immediately. Walking around a store racking shells into the chamber of a shotgun qualifies as threatening behavior and threatening behavior is illegal under many statutes.

A very obvious line exists between openly carrying a firearm and threatening people with it. Walking around with a holstered handgun or a slung long arm is nothing more than openly carrying a firearm and isn’t threatening in any way. Unholstering a handgun or unslinging a long arm and manipulating the controls in public without a present threat is an act reasonable people can assume to be threatening. I certainly would. And that’s what brandishing is, waving a weapon around in a threatening manner.

What this looks like to me is the police or city attorneys (or both) purposely making a bad situation because they are unhappy that open carry is legal. It wouldn’t be the first time law enforcement or government attorneys purposely made a bad situation by refusing to do their supposed jobs just to create public support for passing a new restriction.

This Flag Shit is Out of Hand

I’ve tried to ignore the recent Internet controversy surrounding the Confederate flag. It’s the exact same argument as last time and my opinion on the matter hasn’t changed. Flying the Confederate flag is stupid for the exact same reasons flying the United States flag is. But this time the controversy has reached some stupendously stupid levels.

Remember the Dukes of Hazzard? Not the shitty remake but the original show. It starred the General Lee and some humans nobody cared about. The General Lee was an orange Dodge Charger that had a Confederate flag painted on the roof (because the show took place in the rural South which is otherwise indistinguishable from the rural North). There was nothing racist about the show. But the powers that be at Warner Brothers have decided to cease production of all toy General Lees. I can’t wait for the next Dukes of Hazzard remake where the General Lee is replaced with the General Sherman, a car with a United States flag painted on the roof.

Toys aren’t the only thing getting pulled. Do you like historical strategy games that strive for accuracy? Too bad! Apple has pulled Civil War strategy games on account of Confederate sides displaying, get this, Confederate flags. I bet people are really going to flip their shit when they find out that there are World War II strategy games that let you play as Germany.

Of course no controversy would be complete without somebody at Slate writing an absolutely idiotic piece. It’s titled The Confederate Flag Doesn’t Belong in a Museum and it’s stupid because the Confederate flag does belong in a museum because that’s exactly what museums exist for. The title is clickbait though because the author feels that the Confederate flag could be put in a museum but only if a mountain of conditions are met:

What might such an exhibit look like? It would need to tell the history behind the flag. It is a symbol of white supremacy, and museums should acknowledge it as such. The designer for the second national flag of the Confederacy described it as a representation of the fight to “maintain the Heaven-ordained supremacy of the white man over the inferior or colored race.” The exhibit should also acknowledge the role the flag played in South Carolina’s past. The flag that’s captured national attention this week came to Columbia in 1962, as a reaction to black people fighting for and winning rights during the civil rights era.

Effective museum interpretation would not stop there. It would address the reoccurring questions surrounding this symbol. Why do people find the flag offensive? Why are other people so attached to the flag? Why do some people who embrace the fullness of Southern pride, including the Confederate flag, not see themselves as racists?

Furthermore, a complete interpretation of the Confederate flag would need to make clear that black people have always resisted white supremacy and fought for the demise of institutional racism.

Why the hell isn’t the United States flag subjected to these same conditions? That flag not only represents slavery, racism, and war but it also represents the almost complete extermination of this country’s indigenous people, dropping nuclear weapons on civilian populations, placing people in concentration camps because of their race, and a whole lot of other really shitty things.

It’s one thing to say the Confederate flag shouldn’t be flown in front of government buildings (but hypocritical if the advocate doesn’t believe the United States flag should also be taken down) but it’s an entirely different thing to attempt to erase it from history. To quote George Santayana, “Those who cannot remember the past are condemned to repeat it.”

Supreme Court Rules Hotels Not Required to Surrender Registries to Law Enforcers Without a Warrant

What happens when law enforcers enter a hotel and demand to see the registry? That question was, surprisingly, up in the air until now. Even though common sense would dictate that a hotel isn’t required to surrender such information without a warrant being issued the question had to go all the way to the Supreme Court for a definitive answer. Luckily the Nazgûl decided to rule in favor of privacy:

The Supreme Court gave a big boost to privacy Monday when it ruled that hotels and motels could refuse law enforcement demands to search their registries without a subpoena or warrant. The justices were reviewing a challenge to a Los Angeles ordinance requiring hotels to provide information to law enforcement—including guests’ credit card number, home address, driver’s license details, and vehicle license number—at a moment’s notice. Similar ordinances exist in about a hundred other cities stretching from Atlanta to Seattle.

Los Angeles claimed the ordinance (PDF) was needed to battle gambling, prostitution, and even terrorism, and that guests would be less likely to use hotels and motels for illegal purposes if they knew police could access their information at will.

Justice Sonia Sotomayor, writing for the 5-4 majority, ruled (PDF) that the Los Angeles ordinance violated the Fourth Amendment and is an illegal “pretext to harass hotel operators and their guests.”

What should concern people is that this ruling was determined by only one vote. Had a single Nazgûl voted the other way it would have been legal for law enforcers to storm a hotel and confiscate the registry without even obtaining a warrant. This is why the whole concept of majority rules doesn’t sit well with me. Sometimes the majority make the right decision, such as in this case, and sometimes they make the wrong decision.

It should be noted that this ruling doesn’t require hotels to surrender their registries without a warrant but it doesn’t stop them from voluntarily surrendering them. You should still avoid shitty hotels like Motel 6 that make it company policy to violate their customers’ privacy.

History of Crypto War I

In its zeal to preserve the power to spy on its citizens members of the United States government have begun pushing to prohibit civilians from using strong cryptography. While proponents of this prohibition try to scare you with words such as terrorists, drug cartels, and pedophiles let’s take a moment to remember the last time this war was waged:

Encryption is a method by which two parties can communicate securely. Although it has been used for centuries by the military and intelligence communities to send sensitive messages, the debate over the public’s right to use encryption began after the discovery of “public key cryptography” in 1976. In a seminal paper on the subject, two researchers named Whitfield Diffie and Martin Hellman demonstrated how ordinary individuals and businesses could securely communicate data over modern communications networks, challenging the government’s longstanding domestic monopoly on the use of electronic ciphers and its ability to prevent encryption from spreading around the world. By the late 1970s, individuals within the U.S. government were already discussing how to solve the “problem” of the growing individual and commercial use of strong encryption. War was coming.

The act that truly launched the Crypto Wars was the White House’s introduction of the “Clipper Chip” in 1993. The Clipper Chip was a state-of-the-art microchip developed by government engineers which could be inserted into consumer hardware telephones, providing the public with strong cryptographic tools without sacrificing the ability of law enforcement and intelligence agencies to access unencrypted versions of those communications. The technology relied on a system of “key escrow,” in which a copy of each chip’s unique encryption key would be stored by the government. Although White House officials mobilized both political and technical allies in support of the proposal, it faced immediate backlash from technical experts, privacy advocates, and industry leaders, who were concerned about the security and economic impact of the technology in addition to obvious civil liberties concerns. As the battle wore on throughout 1993 and into 1994, leaders from across the political spectrum joined the fray, supported by a broad coalition that opposed the Clipper Chip. When computer scientist Matt Blaze discovered a flaw in the system in May 1994, it proved to be the final death blow: the Clipper Chip was dead.

The battlefield today reflects the battlefield of Crypto War I. Members of the government are again arguing that all civilian cryptography should be weakened by mandating the use of key escrow that allows the government to gain access to any device at any time. As with the last war, where the government-proposed Clipper Chip was proven to be completely insecure, this war must be looked at through the eye of government security practices or, more specifically, lack of security practices. It was only last week that we learned some of the government’s networks are not secure, which led to the leaking of every federal employee’s personal information. How long do you think it would take before a hack of a government network led to the leaking of every escrow key? I’d imagine it would take less than a week. After that happened every device would be rendered entirely insecure by anybody who downloaded the leaked escrow keys.

What everybody should take away from this is that the government is willing to put each and every one of us at risk just so it can maintain the power to spy on us with impunity. But its failure to win Crypto War I proved that the world wouldn’t come to an end if the government couldn’t spy on us with impunity. Since Crypto War I the power of law enforcement agents to acquire evidence of wrongdoing (according to the state) didn’t suddenly stop, terrorist attacks didn’t suddenly become a nightly occurrence, and children being abducted by pedophiles didn’t suddenly become a fact of everyday life.

Crypto War II is likely inevitable but it can be won just as the last one was. The first step to victory is not allowing yourself to be suckered by government lies.

Anything the Private Sector can Screw Up the Government can Screw Up Better

There have been numerous major data breaches in recent times that have compromised a lot of credit card numbers. The reaction from those breaches ranged from anger to outright demands that the government get involved to ensure another one never happens. As if trying to teach that last crowd a valuable lesson fate has shown us once again that anything the private sector can screw up the government can screw up better (which is impressive because the private sector can really fuck some shit up):

A giant hack of millions of government personnel files is being treated as the work of foreign spies who could use the information to fake their way into more-secure computers and plunder U.S. secrets.

Millions of personnel files, including Social Security numbers, were acquired by an unknown attacker. This makes the compromise of credit card numbers look like amateur hour by comparison! But it gets better!

Federal employees were told in a video Friday to change all their passwords, put fraud alerts on their credit reports and watch for attempts by foreign intelligence services to exploit them. That message came from Dan Payne, a senior counterintelligence official for the Director of National Intelligence.

Emphasis mine. How in the hell is a regular low-level federal employee supposed to watch for attempts by foreign intelligence agencies trying to exploit them? Does the United States government honestly think other intelligence agencies are so inept as to have a guy with a strong foreign accent call up federal employees and say, “Hello, I’m a Nigerian prince…”? The average person has no idea how to defend themselves against a specialized spook (if they did spooks wouldn’t be very effective at their job).

Both the breach and the response are ridiculous. However this points to something more concerning. If the government can’t keep its personnel files safe or detect a major breach for months (the story notes the breach occurred in December but wasn’t discovered until this month) then why should we have any confidence in its ability to keep our personal information secure? Everything from tax records to our phone calls (thanks National Security Agency) is being held by the federal government and could be up for grabs by any competent attacker. Imagine the wealth of information that could be acquired if an attacker managed to breach one of the NSA’s databases. This is another reason why allowing the government to store personal information is so dangerous.

Thou Shalt Not Discuss Manufacturing Firearms

The United States government has been trying fruitlessly to stifle the spread of any information it deems inappropriate for centuries (at least since the passage of the Alien and Sedition Acts). Back in the 1990s the government was trying to restrict the sharing of information about strong cryptography, claiming such algorithms were munitions (I’m not making this up). Now the government is doubling down on its stupidity and trying to prevent the sharing of information related to manufacturing 3D printed firearms:

As readers of Reason know well, Cody Wilson is living proof the government has already been acting on the belief they have this power to prevent certain technical details about gun making from spreading to the Internet without their approval—in Wilson’s case, CAD files for a 3D printed plastic handgun. And they’ve already been sued for it by Wilson.

Wilson this morning tells me that in making this regulatory move public, it’s almost like the people he’s suing are begging for an injunction to stop them. The proposed regulation is even signed by one of the same people Wilson is suing, C. Edward Peartree, director of the Office of Defense Trade Controls Policy. (One might argue that this is a person being sued in some sense backtracking to cover his own legal ass by stating that the seemingly objectionable actions he’s being sued over are settled lawful regulations, though I don’t know if a court would agree with that argument one way or the other.)

The State Department, Wilson says, could have gone to the next hearing on his case on July 6 “and say we are changing the rule, we will address [Wilson’s complaints about the 1st, 2nd, and 5th amendment issues with their censorious practice], moot the case.” Instead they are “completely explicit” with these new announced regs, “doubling down” on their supposed power to require government license for certain kinds of speech related to weapons usable for self-defense.

Wilson says his suit had to try to demonstrate that the government had such a policy for prior approval of speech. Now the government is “saying our policy is literally that there is such a requirement and always has been.” Wilson seems to think it might make it easier to get an injunction against the government’s threats to him to take down from his servers information related to the home-making of plastic guns via 3D printers. We’ll see.

Attempts to restrict the proliferation of information don’t worry me. The state can write as many laws as it wants but in the end people will always ignore restrictions on sharing information. Thanks to strong cryptographic tools, which the state tried but failed to control in the 1990s, it’s trivial for people to post and read information anonymously. And the task will only become more futile as the state tightens its grip. Arrests, charges, prosecutions, and imprisonments will encourage more and more people to utilize tools such as Tor to protect their anonymity. As more people use these tools the task of the state to identify and attack sharers of information will become more infeasible.

This battle has been waging since at least the invention of the printing press and will continue to wage until humanity rids itself of the yoke of statism. But it is a battle that the state can never win because it is only a handful of individuals going against the collected creativity of the masses.

It Wasn’t Enough to Just Silence Ross Ulbricht

Ross Ulbricht, whose only crime was to host a website that made buying and selling illicit drugs safer, was railroaded and sentenced to life in prison so he would serve as an example to anybody else thinking of doing the same. But silencing Ulbricht wasn’t enough. Now the state is moving to silence people who believed the charges and sentence were absurd:

The United States Department of Justice is using federal grand jury subpoenas to identify anonymous commenters engaged in typical internet bluster and hyperbole in connection with the Silk Road prosecution. DOJ is targeting Reason.com, a leading libertarian website whose clever writing is eclipsed only by the blowhard stupidity of its commenting peanut gallery.

Why is the government using its vast power to identify these obnoxious asshats, and not the other tens of thousands who plague the internet?

Because these twerps mouthed off about a judge.

Freedom of speech only exists so long as you don’t say something that the state disagrees with. Mind you, some of the commenters said some shitty things. Some may even consider them threats if not for the fact they were posted online, which is the capital of impotent rage. In fact we know the state doesn’t usually care about threatening language as can be seen by its complete lack of action against the Gamer Gate community. But when such speech is directed at a holy robed one the rules change and names must be obtained!

This is why, more than ever, tools for preserving anonymity are necessary. If you’re going to comment about one of the state’s misdeeds it would be wise to do so through Tor. Failing to do so could result in you facing charges for posting offensive comments.

Clearing Your Browser History? That’s a Felony!

“Obey the letter of the law,” is a phrase shouted by the tough on crime crowd. They believe all laws, no matter how asinine, should be obeyed exactly as written and if you fail to do so you deserve everything that comes to you. It’s an attitude that requires a complete lack of critical thinking ability, especially today when so many laws are so ridiculous that it’s impossible to actually comply with them. Furthermore the volumes of legalese that rule our lives are so large that it’s impossible to know every law. For example, did you know that it’s a felony to clear your browser history under certain circumstances? I bet you didn’t. But it is:

Khairullozhon Matanov is a 24-year-old former cab driver from Quincy, Massachusetts. The night of the Boston Marathon bombings, he ate dinner with Tamerlan and Dhzokhar Tsarnaev at a kebob restaurant in Somerville. Four days later Matanov saw photographs of his friends listed as suspects in the bombings on the CNN and FBI websites. Later that day he went to the local police. He told them that he knew the Tsarnaev brothers and that they’d had dinner together that week, but he lied about whose idea it was to have dinner, lied about when exactly he had looked at the Tsarnaevs’ photos on the Internet, lied about whether Tamerlan lived with his wife and daughter, and lied about when he and Tamerlan had last prayed together. Matanov likely lied to distance himself from the brothers or to cover up his own jihadist sympathies—or maybe he was just confused.

Then Matanov went home and cleared his Internet browser history.

Matanov continued to live in Quincy for over a year after the bombings. During this time the FBI tracked him with a drone-like surveillance plane that made loops around Quincy, disturbing residents. The feds finally arrested and indicted him in May 2014. They never alleged that Matanov was involved in the bombings or that he knew about them beforehand, but they charged him with four counts of obstruction of justice. There were three counts for making false statements based on the aforementioned lies and—remarkably—one count for destroying “any record, document or tangible object” with intent to obstruct a federal investigation. This last charge was for deleting videos on his computer that may have demonstrated his own terrorist sympathies and for clearing his browser history.

Matanov faced the possibility of decades in prison—twenty years for the records-destruction charge alone.

Federal prosecutors charged Matanov for destroying records under the Sarbanes-Oxley Act, a law enacted by Congress in the wake of the Enron scandal. The law was, in part, intended to prohibit corporations under federal investigation from shredding incriminating documents. But since Sarbanes-Oxley was passed in 2002 federal prosecutors have applied the law to a wider range of activities. A police officer in Colorado who falsified a report to cover up a brutality case was convicted under the act, as was a woman in Illinois who destroyed her boyfriend’s child pornography.

Prosecutors are able to apply the law broadly because they do not have to show that the person deleting evidence knew there was an investigation underway. In other words, a person could theoretically be charged under Sarbanes-Oxley for deleting her dealer’s number from her phone even if she were unaware that the feds were getting a search warrant to find her marijuana. The application of the law to digital data has been particularly far-reaching because this type of information is so easy to delete. Deleting digital data can inadvertently occur in normal computer use, and often does.

Matanov is the victim of a practice that is far too common in the United States. Wanting to nail him to the wall the state applied every law it could to increase the number of charges. It’s the legal version of throwing everything at the wall and seeing what sticks. With the massive library of laws available to a prosecutor it’s impossible for any individual to avoid being charged with something. In this case one of the charges was applied simply because he cleared his browser history.

What’s most worrisome about this case is that no sane person would consider clearing their browser history a felony unless, perhaps, they knew they were being investigated. But even that final case is irrelevant here because Sarbanes-Oxley doesn’t leave any exception for an individual being entirely unaware that they’re being investigated.

When laws are so numerous that nobody can know them all and so ridiculous that no sane person can comprehend them then the trial system ceases to be fair as it advantages the prosecution to an insurmountable degree.