If You’re Not Paying for the Service You’re the Product

There ain’t no such thing as a free lunch (TANSTAAFL) is a phrase made famous by Heinlein’s The Moon is a Harsh Mistress. In the book the people who inhabit the moon periodically say “TANSTAAFL” as a reminder that nothing comes for free. The Internet has become the biggest embodiment of this fact. Most Internet services are “free.” Gmail, Facebook, and Twitter are just a handful of examples of services that cost users nothing and are therefore advertised as free. Anybody who understands the concept behind TANSTAAFL knows that these services aren’t free. In fact, if you’re not paying for a service then there’s a very good chance that you’re the product. Normally this means your personal information is sold to advertisers but sometimes an Internet company takes things to the next level. Hola, a virtual private network (VPN) provider that offered its service for “free”, is an example of this:

Hola is an easy-to-use browser plugin available in the Google Chrome Store with currently more than 6 million downloads. But, unfortunately, Hola could be used by hackers to maliciously attack websites, potentially putting its users at risk of being involved in illegal or abusive activities.

Hola uses a peer-to-peer system to route users’ traffic. So, if you are in Denmark and want to watch a show from America, you might be routed through an America-based user’s Internet connection.

However, Hola is not leaving a chance to make money out of a free service. It has been selling access to users’ bandwidth for profit to a third-party service called Luminati, which then re-sells the connections, Hola founder Ofer Vilenski confirmed.

I would never trust a free service provider that required me to install special client software because of the threat of shit like this. Facebook and Twitter are limited in the damage they can do by the fact that their service doesn’t rely on local software (unless you use their apps on your mobile device). Neither service can, for example, sell your bandwidth. Hola, which relied on a Chrome plugin, could because it had software resident on its users’ systems. If somebody is offering a “free” service but requires the installation of special software just remember TANSTAAFL. Since it’s free you’re the product and with resident software on your system the service provider can offer its real customers a lot more than a mere web page can.
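A practical check for the point above: before installing any “free” extension, read what it asks for. The script below is an added example, not anything from Hola or from the original post; it parses a Chrome extension manifest and flags the permissions (proxy, webRequest, host-wide access and the like) that an extension needs before it can relay or rewrite your traffic. The permission names are Chrome’s; the risk notes and the two manifests are constructed for illustration and neither is Hola’s real manifest.

```python
import json

# Chrome permission names are real; the risk notes are this example's own.
# These are the capabilities an extension needs before it can see, rewrite or
# relay the browser's traffic on someone else's behalf.
HIGH_RISK = {
    "proxy": "can route the browser's traffic through hosts of its choosing",
    "webRequest": "can observe every request the browser makes",
    "webRequestBlocking": "can rewrite or block requests in flight",
    "nativeMessaging": "can talk to a native helper outside the browser sandbox",
    "debugger": "can drive any tab through the DevTools protocol",
    "<all_urls>": "applies to every site the user visits",
}


def _host_of(pattern):
    """Return the host part of a match pattern like https://*/*, or None."""
    if "://" not in pattern:
        return None
    return pattern.split("://", 1)[1].split("/", 1)[0]


def collected_permissions(manifest):
    """Gather permission strings from both MV2 and MV3 manifest layouts."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("optional_permissions", []))
    perms |= set(manifest.get("host_permissions", []))  # MV3 moves hosts here
    return perms


def audit_manifest(manifest_json):
    """Return (permission, reason) pairs that deserve a second look."""
    manifest = json.loads(manifest_json)
    findings = []
    for perm in sorted(collected_permissions(manifest)):
        if perm in HIGH_RISK:
            findings.append((perm, HIGH_RISK[perm]))
        elif _host_of(perm) == "*":
            findings.append((perm, "matches every host"))
    return findings


# Constructed manifests for illustration; neither is Hola's real manifest.
VPN_STYLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Free Unblocker (constructed example)",
    "permissions": ["proxy", "webRequest", "webRequestBlocking",
                    "storage", "<all_urls>"],
})

BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Site Helper (constructed example)",
    "permissions": ["storage"],
    "host_permissions": ["https://example.com/*"],
})

if __name__ == "__main__":
    for label, manifest in (("VPN-style", VPN_STYLE_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        print(label)
        for perm, reason in audit_manifest(manifest):
            print(f"  {perm}: {reason}")
```

An extension that advertises itself as a VPN will legitimately need the proxy permission, so a hit is not proof of abuse; it is the signal that the vendor can do what Hola did, and that its business model should be read before you click install.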

TSA: Protecting You from Terrorists Five Percent of the Time

The Transportation Security Administration (TSA) was established shortly after the 9/11 attacks to provide better airplane security. At least that’s the official story. So far the TSA has proven to be incredibly incompetent at its job. Wannabe terrorists have managed to get explosives on board airplanes by hiding them in underwear and shoes. Fortunately the bombs failed to go off, but not because of anything the TSA did. However, even I never expected a failure rate this absurdly high:

A recent internal investigation by the Department of Homeland Security has found security failures at dozens of the nations’ busiest airports—breaches that allowed undercover investigators to smuggle weapons, fake explosives and other contraband through numerous checkpoints.

In one case, an alarm sounded, but even during a pat down, the screening officer failed to detect a fake plastic explosive taped to an undercover agent’s back. In all, so-called “Red Teams” of Homeland Security agents posing as passengers were able get weapons past Transportation Security Administration agents in 67 out of 70 tests — a 95 percent failure rate, according to agency officials.

A 95 percent failure rate? From a glass-is-half-full perspective I guess the TSA will protect us from an average of five percent of terrorist attacks though!

Only a government agency could demonstrate this level of incompetence and still exist. Failing to fulfill your mandate 95 percent of the time requires shielding from liability that only the state can offer. Imagine hiring a private security guard who only stopped five percent of shoplifters. You’d toss his ass out in a second and maybe hire an investigator to see whether that guard was colluding with the shoplifters since that level of failure almost necessitates him being in on the scam.

The big question is what will come of this. My prediction is a whole lot of nothing. A few senators will use the investigation’s findings to do a bit of grandstanding, the higher echelons of the TSA will get shuffled around a bit, and nothing noteworthy will change. I’m sure there will be several congressional grillings of high level TSA officials where we’ll hear excuses about lack of funding, inability to force people to go through body scanners (I’m sure the TSA would love to eliminate opt-outs), and agents not having full enforcement powers (TSA agents can’t arrest you and this really pisses many of them off). The congress critters doing the grillings will likely yell loudly, make some snide remarks, and little else. Air travelers will likely find themselves subjected to more draconian police state nonsense in the name of safety.

On the upside if you want to carry a firearm on board to protect yourself there’s a 95 percent chance you won’t get caught. Every storm cloud has its silver lining, I guess.

Section 215 of the PATRIOT Act Expires, Nothing Changes

At midnight Section 215 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act expired. For those of you unfamiliar, Section 215 was the part used to authorize the National Security Agency (NSA) to collect information pertaining to phone calls; it sunset together with the roving wiretap provision (surveilling people just because they switch out cell phones periodically) and the “lone wolf” provision (which is vague enough to basically mean anybody). Many are cheering this momentous accomplishment. I’d let them celebrate in blissful ignorance but I’m kind of a prick. While Section 215 did expire, that changes absolutely nothing:

Anti-surveillance groups have been split over the possible sunset of the Patriot Act powers. The American Civil Liberties Union had favored letting the Patriot Act expire, while groups like Access saw a compromise bill like the USA Freedom Act as the best chance for lasting reform. It’s unclear how the NSA and other groups will respond to the sunset of Section 215, but some have speculated that the result will be an increased reliance on national security letters and investigation-specific surveillance powers, continuing the same basic surveillance under different legal powers. Significant collection also occurs under non-legislative powers like Executive Order 12333, which remains unaffected.

There are always redundancies for state power. Later this week the Senate is still scheduled to vote on legislation that codifies the NSA’s phone surveillance program, which the PATRIOT Act never clearly defined in the first place, so this “expiration” will likely last all of a few days.

I do have some good news though. Those of us in CryptoPartyMN will be hosting a full-blown CryptoParty at B-Sides MSP on June 13th and 14th. B-Sides MSP is a free event. At the CryptoParty we will be teaching you how to use tools to encrypt and anonymize your communications and data. By utilizing these tools you can defend your privacy against the state’s surveillance and not have to concern yourself with which particular provision will be used to justify spying on you. Unlike political activism, cryptography works, and it requires less of your time to boot!

Without Government Who Would Expose Us to Malware

When the state confiscates a domain name does it have to keep the supporting registrations current until the investigation concludes? Apparently not. The Federal Bureau of Investigation (FBI) seized a series of domains related to Megaupload when it decided to go after Kim Dotcom. What were once legitimate sites serving the wants of users are now serving up malware and porn. This didn’t happen as a result of somebody compromising the account used to register the domain names; it was only made possible because the FBI let the domain hosting the seized sites’ name servers expire:

Earlier this week, something suspicious started happening with Web addresses related to sites seized by the FBI from Megaupload and a number of online gambling sites. Instead of directing browsers to a page with an FBI banner, they started dropping Web surfers onto a malicious feed of Web advertisements—some of them laden with malware.

The hijacking of the Megaupload domains wasn’t the result of some sophisticated hack. Based on evidence collected by Ars, it appears someone at the FBI’s Cyber Division failed to renew the domain registration for CIRFU.NET, the domain which in turn hosted Web and name servers used to redirect traffic headed to seized domains. As soon as they expired, they were snatched up in a GoDaddy auction by a self-described “black hat SEO marketer,” a British ex-pat who calls himself “Earl Grey.”

As of Thursday afternoon, all of the server names associated with the domain no longer resolve to Internet addresses. GoDaddy has apparently suspended the domain registration, and Earl Grey has been ranting about it ever since on Twitter. The CIRFU.NET domain currently remains in limbo.

This raises a couple of concerns. First, is the FBI liable for allowing a domain related to an investigation to expire? Since the FBI is seldom held accountable for its failures I doubt the answer to this question is yes. Related to this question is whether or not the FBI is liable for exposing visitors to Megaupload to malware. Even though the site wasn’t providing file hosting, it was under investigation, and therefore people believed they could safely visit the domain for laughs (who doesn’t enjoy laughing at the FBI?). It was only due to the FBI’s incompetence that malware was being served by that domain. Finally, if the FBI isn’t held liable for this kind of failure does that mean it can effectively censor sites by seizing domains and letting them expire? Why go through the rigors of a trial when you can just make up an investigation, seize a domain, and sit on it until it expires and can be bought up by some spammer? Perhaps domain registrars would step in to prevent such shenanigans, but I’m not entirely sure, since they let expired domains get purchased by spammers all the time.

Had the FBI never targeted Kim Dotcom it’s almost certain that the Megaupload domains wouldn’t have ended up pointing at expired infrastructure, because they were part of his business model. When you’re deriving income from something you tend to protect it. So we can just write this off as another example of the government exposing Internet users to dangers they wouldn’t have otherwise faced.
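The failure here was a dependency nobody tracked: the seized domains stayed registered, but the name servers they pointed at lived under a domain that was allowed to lapse. The script below is an added example, not code from Ars or from the FBI, of the inventory check that would have caught it. It takes RDAP-style records (domain, expiry date, name servers) and flags both domains that expire soon and domains whose name servers depend on a domain that expires earlier than they do, or that isn’t being tracked at all. The domain names and dates are constructed; registrable_domain() is a two-label simplification and real code should consult the Public Suffix List.

```python
from datetime import date, timedelta


def registrable_domain(host):
    """Last two labels of a hostname. Simplification for this example: real
    code should consult the Public Suffix List (co.uk and friends)."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def find_expiry_risks(records, today_iso, horizon_days=60):
    """Flag domains that expire soon and domains whose name servers live under
    a domain that expires earlier than they do (or that nobody is tracking).

    records: list of dicts with "domain", "expires" (ISO date) and
    "nameservers" (list of hostnames), the shape of an RDAP summary.
    today_iso: the date to evaluate against, as an ISO string.
    """
    today = date.fromisoformat(today_iso)
    horizon = today + timedelta(days=horizon_days)
    by_name = {r["domain"].lower(): r for r in records}
    findings = []
    for rec in records:
        name = rec["domain"].lower()
        expires = date.fromisoformat(rec["expires"])
        if expires <= horizon:
            findings.append((name, f"expires {expires}, within {horizon_days} days"))
        for ns in rec.get("nameservers", []):
            parent = registrable_domain(ns)
            if parent == name:
                continue  # in-bailiwick name server: no separate dependency
            dep = by_name.get(parent)
            if dep is None:
                findings.append((name, f"nameserver {ns} lives under {parent}, "
                                       "which is not in the inventory"))
                continue
            dep_expires = date.fromisoformat(dep["expires"])
            if dep_expires < expires:
                findings.append((name, f"nameserver {ns} depends on {parent}, "
                                       f"which expires {dep_expires}, before {expires}"))
    return findings


# Constructed inventory modelled on the story: the seized domain points at
# name servers under a helper domain that expires first. None are real.
SEIZED_INVENTORY = [
    {"domain": "seized-example.net", "expires": "2016-06-01",
     "nameservers": ["ns1.helper-example.net", "ns2.helper-example.net"]},
    {"domain": "helper-example.net", "expires": "2015-06-15",
     "nameservers": ["ns1.helper-example.net"]},
    {"domain": "quiet-example.org", "expires": "2017-01-01",
     "nameservers": ["ns1.quiet-example.org"]},
]

if __name__ == "__main__":
    for domain, problem in find_expiry_risks(SEIZED_INVENTORY, "2015-05-30"):
        print(f"{domain}: {problem}")
```

Run against a real inventory, the records would come from your registrar’s RDAP or WHOIS output; the point of the dependency pass is that a domain can be safely registered for years and still go dark, or go hostile, the day its name servers’ parent lapses.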

Paying Taxes is Dangerous to Your Personal Information

The Internal Revenue Service (IRS) is one of the, if not the, best examples of government incompetence. Almost all of us are required to interact with the IRS. Our interactions, unfortunately, involve handing over a great deal of personal information. This is a major problem since the agency has a poor security track record. Recently it admitted to losing control over the personal information of 100,000 tax victims:

The IRS announced today that criminals used taxpayer-specific data acquired from non-IRS sources to gain unauthorized access to information on approximately 100,000 tax accounts through IRS’ “Get Transcript” application. This data included Social Security information, date of birth and street address.

These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer. The matter is under review by the Treasury Inspector General for Tax Administration as well as the IRS’ Criminal Investigation unit, and the “Get Transcript” application has been shut down temporarily. The IRS will provide free credit monitoring services for the approximately 100,000 taxpayers whose accounts were accessed. In total, the IRS has identified 200,000 total attempts to access data and will be notifying all of these taxpayers about the incident.

Perhaps I’m hypercritical, but it seems to me that we shouldn’t have to submit any of this information to an agency that has demonstrated a complete disregard for keeping it safe. Note what the breach itself says about those “personal verification questions”: when the answers can be bought from data brokers, knowledge-based authentication identifies you, it doesn’t authenticate you. I mean, the IRS’s website doesn’t even give users a valid means of connecting to it securely. If the IRS doesn’t care enough to obtain a valid Transport Layer Security (TLS) certificate to protect users then why are we supposed to trust it to store our personal information?

The worst part about this is that the 100,000 people who just had their personal information accessed have no recourse. Since the IRS is the government it is shielded from liability and accountability. That makes matters worse since an organization that is shielded from liability has little motivation to invest resources into fixing its mistakes.
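What the IRS breach looks like in logs, as an added example (constructed lines in a made-up format; the IRS has published no such data and this is not its code): one source clearing the “personal verification questions” for many unrelated taxpayers in quick succession. Knowledge-based answers bought from a data broker pass the check as well as the real taxpayer’s do, so a per-taxpayer lockout never fires; what stands out is the fan-out per source. The thresholds are illustrative, and a determined attacker will spread requests across many addresses, so treat this as a starting point rather than a complete detector.

```python
import re
from collections import defaultdict

# Constructed log lines in a made-up format; nothing here is real IRS data.
# Each line: timestamp, source address, account being looked up, outcome of
# the knowledge-based authentication (KBA) step.
SAMPLE_LOG = """\
2015-05-20T10:00:01Z src=203.0.113.5 account=A-1001 kba=pass
2015-05-20T10:00:04Z src=203.0.113.5 account=A-1002 kba=pass
2015-05-20T10:00:07Z src=203.0.113.5 account=A-1003 kba=fail
2015-05-20T10:00:10Z src=203.0.113.5 account=A-1004 kba=pass
2015-05-20T10:00:13Z src=203.0.113.5 account=A-1005 kba=pass
2015-05-20T10:00:16Z src=203.0.113.5 account=A-1006 kba=fail
2015-05-20T10:00:19Z src=203.0.113.5 account=A-1007 kba=pass
2015-05-20T10:00:22Z src=203.0.113.5 account=A-1008 kba=pass
2015-05-20T10:03:40Z src=198.51.100.7 account=A-2001 kba=pass
2015-05-20T10:05:12Z src=198.51.100.9 account=A-2002 kba=fail
2015-05-20T10:05:40Z src=198.51.100.9 account=A-2002 kba=pass
"""

LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) account=(?P<acct>\S+) kba=(?P<kba>pass|fail)$"
)


def parse_log(text):
    """Turn the constructed log format into a list of event dicts,
    skipping lines that do not match (truncated or unrelated entries)."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_enumeration(events, max_accounts=3, min_pass_rate=0.5):
    """Return per-source stats for sources that cleared KBA for more distinct
    accounts than one taxpayer plausibly owns. A high pass rate across many
    accounts is the tell: purchased data answers the questions correctly, so
    the attacker does not look like a guesser."""
    stats = defaultdict(lambda: {"accounts": set(), "attempts": 0, "passes": 0})
    for ev in events:
        s = stats[ev["src"]]
        s["attempts"] += 1
        if ev["kba"] == "pass":
            s["passes"] += 1
            s["accounts"].add(ev["acct"])
    flagged = {}
    for src, s in stats.items():
        pass_rate = s["passes"] / s["attempts"]
        if len(s["accounts"]) > max_accounts and pass_rate >= min_pass_rate:
            flagged[src] = {
                "distinct_accounts_passed": len(s["accounts"]),
                "attempts": s["attempts"],
                "pass_rate": round(pass_rate, 2),
            }
    return flagged


if __name__ == "__main__":
    for src, info in detect_enumeration(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info}")
```

The detector is deliberately keyed on successes rather than failures: brute-force monitoring that counts failed answers would have rated the attackers as unusually well-behaved users.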

Police Dislike When the Tables are Turned

As policing in the United States continues its downward spiral into thuggery people are finally starting to fight back. More people are recording police encounters to hold officers accountable. Demands are being made in many major cities to curtail police powers. And in a few places people are actively interfering in police attempts at kidnapping. All of this has many of the more psychopathic officers upset:

Whatever the reason, Melbourne police are grateful that for the second time in recent weeks experience and training overcame fear as officers found themselves surrounded and assaulted by hostile anti-police crowds.

This Friday night, Lt. Steve Sadoff saw 22-year-old Phoenix Chansler Low coming out of the Main Street Pub with an open container.

“The officer told him to go back inside or get rid of it,” said Melbourne Police Commander Dan Lynch. “From there it went downhill. The subject was very intoxicated and he began fighting with the officer.”

The scary thing was what happened next. A crowd of people started closing in on Lt. Sadoff and he was attacked from behind, Lynch said. Sadoff used his taser to get Low off him, and it scared the crowd away long enough for him to radio for help and make the arrest.

The person who attacked Sadoff from behind got away.

The “tough on crime” crowd want you to focus on the fact that an officer was attacked and not the fact that the officer initiated the situation by getting in the face of a person who had performed no crime (carrying an open alcohol container outside of a bar does not involve a victim and is therefore not a crime). Had the officer let the patron be nothing would have happened.

“This is the second incident in the past few weeks where officers were making an arrest and the arrestee or people around attempted to interfere with the officer attempting to do his job,” Lynch said. “It is tremendously concerning to us. Every confrontation an officer has is an armed confrontation and the officers are trained to use the minimal amount of force necessary.”

No, this is the second incident in the past few weeks where people prevented officers from kidnapping somebody. People are getting fed up with unaccountable police officers kidnapping and shooting people who haven’t hurt anybody. Decades of little police accountability combined with officers who enjoy power trips have eroded the public’s faith in modern policing. Since they lack faith in the institution they are unwilling to cooperate with it. If officers are really becoming concerned about this trend then they should start taking measures to regain the public’s trust. That starts with refusing to enforce victimless crimes and actually using minimum necessary force to resolve situations (not just talking about it).

Another Vulnerability Caused by State Meddling

In March a security vulnerability, given the fancy marketing name FREAK, was discovered. FREAK was notable because it was caused by government meddling in computer security. Due to cryptography export restrictions, quality cryptographic algorithms were not allowed to be put into widespread use, at least legally, and many legacy systems were built around weak algorithms. FREAK may be behind us but a new vulnerability was just discovered:

Tens of thousands of HTTPS-protected websites, mail servers, and other widely used Internet services are vulnerable to a new attack that lets eavesdroppers read and modify data passing through encrypted connections, a team of computer scientists has found.

The vulnerability affects an estimated 8.4 percent of the top one million websites and a slightly bigger percentage of mail servers populating the IPv4 address space, the researchers said. The threat stems from a flaw in the transport layer security protocol that websites and mail servers use to establish encrypted connections with end users. The new attack, which its creators have dubbed Logjam, can be exploited against a subset of servers that support the widely used Diffie-Hellman key exchange, which allows two parties that have never met before to negotiate a secret key even though they’re communicating over an unsecured, public channel.

The weakness is the result of export restrictions the US government mandated in the 1990s on US developers who wanted their software to be used abroad. The regime was established by the Clinton administration so the FBI and other agencies could break the encryption used by foreign entities. Attackers with the ability to monitor the connection between an end user and a Diffie-Hellman-enabled server that supports the export cipher can inject a special payload into the traffic that downgrades encrypted connections to use extremely weak 512-bit key material. Using precomputed data prepared ahead of time, the attackers can then deduce the encryption key negotiated between the two parties.

We’ll likely be dealing with the consequences of those export restrictions for some time to come. The only upside to this is that it is a reminder of what happens when the government meddles in security for its own purposes. Cryptography export restrictions were put in place because the United States government feared it would be unable to spy on foreign entities (and, as it turns out, domestic entities). Now the government, operating under similar concerns for its ability to spy, is discussing mandating the inclusion of back doors in systems that use strong cryptography. If this happens and developers actually comply we’ll have a repeat of what we’re dealing with today. Security vulnerabilities will arise from government mandated cryptography weaknesses that will put the masses at risk.
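Two offline checks that follow from the description above, as an added example (this is not the researchers’ code and it does not talk to any server): first, whether a server’s configured cipher list still contains export suites, using OpenSSL’s cipher names; second, how large the prime in a dhparam file actually is, by parsing the DER DHParameter structure (SEQUENCE of p and g) that the PEM carries. The dhparam blobs are constructed from odd numbers of the right size rather than real primes, which is fine for a size check and useless for anything else. On a live host the equivalent question is whether it completes a handshake when offered only export suites, which an openssl s_client probe restricted to those suites will tell you.

```python
import base64
import re


# --- minimal DER for the PKCS#3 DHParameter structure: SEQUENCE { p, g } ---

def _der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    if b[0] & 0x80:
        b = b"\x00" + b  # DER integers are signed; keep p positive
    return b"\x02" + _der_len(len(b)) + b


def encode_dh_params(p, g):
    """Build the DER a dhparam file carries (used here to make test input)."""
    body = _der_int(p) + _der_int(g)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf, off):
    """Read one tag-length-value at buf[off]; returns (tag, value, next_off)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def pem_to_der(pem):
    body = re.sub(r"-----(BEGIN|END) DH PARAMETERS-----", "", pem)
    return base64.b64decode("".join(body.split()))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def dh_prime_bits(der):
    """Size of p in a DER DHParameter blob, i.e. the group's strength."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, p_bytes, _ = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    return int.from_bytes(p_bytes, "big").bit_length()


def audit_tls(cipher_names, dhparam_pem=None, min_dh_bits=2048):
    """Apply the post-Logjam rules to a server's configured OpenSSL cipher
    names and, optionally, the PEM dhparam file it serves."""
    findings = []
    for name in cipher_names:
        if "EXP" in name.upper():  # OpenSSL names export suites EXP-* / *-EXPORT-*
            findings.append(f"export-grade suite still offered: {name}")
    if dhparam_pem is not None:
        bits = dh_prime_bits(pem_to_der(dhparam_pem))
        if bits < min_dh_bits:
            findings.append(f"DH prime is {bits} bits, below the {min_dh_bits}-bit minimum")
    return findings


# Constructed inputs. The moduli are odd numbers of the right size, not
# primes: they stand in for a 512-bit export group and a 2048-bit group.
WEAK_DHPARAM = to_pem(encode_dh_params((1 << 511) | 1, 2))
STRONG_DHPARAM = to_pem(encode_dh_params((1 << 2047) | 1, 2))
WEAK_CIPHERS = ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-SHA",
                "EXP-EDH-RSA-DES-CBC-SHA", "EXP-RC4-MD5"]
HARDENED_CIPHERS = ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384"]

if __name__ == "__main__":
    print("weak:", audit_tls(WEAK_CIPHERS, WEAK_DHPARAM))
    print("hardened:", audit_tls(HARDENED_CIPHERS, STRONG_DHPARAM))
```

The size check matters even for servers that dropped the export suites: the precomputation described above gets cheaper as the group gets smaller, and a 1024-bit group shared by many servers is exactly the kind of target that makes the one-time cost worth paying.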

Whenever the government wishes to involve itself in something, the only appropriate answer for the people to give is a loud “No!” This is especially true when it comes to security, because the government has a direct interest in ensuring that each and every one of us is vulnerable to its surveillance apparatus.

State Solutions Versus Market Solutions

Technology is a double-edged sword. One edge improves the lives of people. The other edge enables bad people to do bad things. When you want to see both edges of a technology you need only compare how it is used by the state versus the market. Consider drones. States use drones to spy and drop bombs on people. Meanwhile the market utilizes them to provide better services to individuals. Xcel Energy is planning to utilize drones to inspect power infrastructure:

Xcel Energy says it has approval from federal regulators to use drones to inspect more than 320,000 miles of electric and natural gas infrastructure.

The Federal Aviation Administration says Xcel can use the small unmanned aircraft systems to visually inspect electric transmission and distribution lines, power plants, renewable energy facilities, substations and pipelines.

This will allow more reliable provision of power by identifying flaws in the infrastructure before they become a major problem. It will also allow fast identification of problem sources, as aerial inspection of power infrastructure is usually faster than ground inspection. Instead of using drones to terrorize entire nations, Xcel Energy has found yet another way to utilize the technology to enhance the lives of people.

DRM, Not Even Once

Keurig, the manufacturer of a machine that makes a single cup of coffee, recently implemented Digital Rights Management (DRM) (an oxymoron of a term, I know) on its latest model to prevent users from using cheaper third-party coffee pods in the machine. This did not sit well. In its lust for money, forcing people to buy its overpriced coffee in addition to its coffee maker, Keurig managed to pummel its stock price:

Sales of Keurig brewing machines and accessories tumbled 23% in the first quarter compared to the prior year.

The company had a lot of excuses, but the basic problem is there are too many Keurig machines in stores and people aren’t buying them, especially the newest Keurig 2.0 model.

“We do have some headwinds,” said Chief Financial Officer Fran Rathke on a call with analysts.

Investors are fleeing the stock. Keurig (GMCR) dropped 10% Thursday when the market opened for trading. Shares are now down more than 25% this year.

It’s a big change for the company which had been one of the hottest stocks in 2013 and 2014 and does over $1 billion in sales.

CEO Brian Kelley says he’s listening to consumers and is ready to make changes. The biggest frustration for customers is that the 2.0 model only brews Keurig branded coffee cups.

Let this be a lesson to other companies. If you try to control how your customers use your product you’re going to have a bad time. Companies like to combine DRM with selling a device that relies on consumables at a loss. The most famous market built around this combination is printers. Most printers are sold either at a loss or for no profit with the expectation that customers will buy overpriced printer ink from the manufacturer. DRM is usually used to prevent third-party ink cartridges from functioning, although the schemes are almost always bypassed.

Keurig thought it could get away with such a scheme for its coffee maker. But I think Keurig made a fatal mistake. If you’re going to use DRM you really should use it from the start. When consumers are used to using your product in a certain way they probably won’t be happy if you change the rules on them. And when entire companies exist from selling a product that’s used in your device you’re going to have some major players investing resources into bypassing your DRM scheme.

Keurig really fucked up and their stock price shows it. This should be a lesson to every company that DRM is something you shouldn’t even try once.

Your Government at Work

When people discuss government waste the topics of extravagant dinners, vacations, lifetime healthcare for politicians, etc. usually come up. However the topic of law enforcement doesn’t come up nearly enough. Truth be told federal law enforcement agents are some of the biggest wasters of tax victim money out there. Consider the Federal Bureau of Investigation (FBI). One minute it’s creating terrorists for it to stop and the next minute it’s investing years into studying the lyrics of a song with several other alphabet soup agencies:

You know the song. You also know the lyrics are completely indecipherable. However, with Ely’s death, there’s been renewed attention to the fact that the FBI spent nearly two years investigating the damn song. It is just as ridiculous as it sounds, but the FBI has released the file on its investigation and it’s a rather hilarious read. It turns out it wasn’t just the FBI, but involved the FCC and the Post Office:

Apparently people reported that the song Louie Louie was obscene so the federal government decided it needed to investigate, just in case it had to shut down some free speech. But it gets better. Wasting money on fruitless investigations isn’t the only way the FBI has to waste money. Failing to call up other government agencies that could actually resolve the investigation immediately is another way it likes to waste money:

Also, as Marc Randazza notes, it took nearly two years for someone in the FBI to think, hey, isn’t the song registered at the Copyright Office down the street? Maybe we should send someone over there to find out what it says? This was after the FBI had reached out to the record label (who gave them the accurate lyrics) along with the original author of the song, Richard Berry, who told them the lyrics.

Government waste comes in many forms and a lot of those forms have to do with enforcing victimless “crimes”. Even if the lyrics of Louie Louie were obscene no crime was committed because offensive lyrics don’t harm anybody.