Encryption Works Except When It Doesn’t

People are still debating whether Edward Snowden is a traitor deserving a cage next to Chelsea Manning or a hero deserving praise (hint, unless you believe the latter you’re wrong). But a benefit nobody can deny is the overall improvement to computer security his actions have led to. In addition to more people using cryptographic tools we are also getting a better idea of what tools work and what tools don’t work:

The NSA also has “major” problems with Truecrypt, a program for encrypting files on computers. Truecrypt’s developers stopped their work on the program last May, prompting speculation about pressures from government agencies. A protocol called Off-the-Record (OTR) for encrypting instant messaging in an end-to-end encryption process also seems to cause the NSA major problems. Both are programs whose source code can be viewed, modified, shared and used by anyone. Experts agree it is far more difficult for intelligence agencies to manipulate open source software programs than many of the closed systems developed by companies like Apple and Microsoft. Since anyone can view free and open source software, it becomes difficult to insert secret back doors without it being noticed. Transcripts of intercepted chats using OTR encryption handed over to the intelligence agency by a partner in Prism — an NSA program that accesses data from at least nine American internet companies such as Google, Facebook and Apple — show that the NSA’s efforts appear to have been thwarted in these cases: “No decrypt available for this OTR message.” This shows that OTR at least sometimes makes communications impossible to read for the NSA.

Things become “catastrophic” for the NSA at level five – when, for example, a subject uses a combination of Tor, another anonymization service, the instant messaging system CSpace and a system for Internet telephony (voice over IP) called ZRTP. This type of combination results in a “near-total loss/lack of insight to target communications, presence,” the NSA document states.

[…]

Also, the “Z” in ZRTP stands for one of its developers, Phil Zimmermann, the same man who created Pretty Good Privacy, which is still the most common encryption program for emails and documents in use today. PGP is more than 20 years old, but apparently it remains too robust for the NSA spies to crack. “No decrypt available for this PGP encrypted message,” a further document viewed by SPIEGEL states of emails the NSA obtained from Yahoo.

So TrueCrypt, OTR, PGP, and ZRTP are all solid protocols to utilize if you want to make the National Security Agency’s (NSA) job of spying on you more difficult. It’s actually fascinating to see that PGP has held up so long. The fact that TrueCrypt is giving the NSA trouble makes the statement of its insecurity issued by the developers more questionable. And people can finally stop claiming that Tor isn’t secure due to the fact it started off as a government project. But all is not well in the world of security. There are some things the NSA has little trouble bypassing:

Even more vulnerable than VPN systems are the supposedly secure connections ordinary Internet users must rely on all the time for Web applications like financial services, e-commerce or accessing webmail accounts. A lay user can recognize these allegedly secure connections by looking at the address bar in his or her Web browser: With these connections, the first letters of the address there are not just http — for Hypertext Transfer Protocol — but https. The “s” stands for “secure”. The problem is that there isn’t really anything secure about them.

[…]

One example is virtual private networks (VPN), which are often used by companies and institutions operating from multiple offices and locations. A VPN theoretically creates a secure tunnel between two points on the Internet. All data is channeled through that tunnel, protected by cryptography. When it comes to the level of privacy offered here, virtual is the right word, too. This is because the NSA operates a large-scale VPN exploitation project to crack large numbers of connections, allowing it to intercept the data exchanged inside the VPN — including, for example, the Greek government’s use of VPNs. The team responsible for the exploitation of those Greek VPN communications consisted of 12 people, according to an NSA document SPIEGEL has seen.

How the NSA is able to bypass VPN and HTTPS is still in question. I’m guessing the NSA’s ability to break HTTPS depends on how it’s implemented. Many sites, including ones such as Paypal, fail to implement HTTPS in a secure manner. This may be an attempt to maintain backward compatibility with older systems or it may be incompetence. Either way they certainly make the NSA’s job easier. VPN, likewise, may be implementation dependent. Most VPN software is fairly complex, which makes configuring it in a secure manner difficult. Like HTTPS, it’s easy to put up a VPN server that’s not secure.

The ultimate result of this information is that the tools we rely on will become more secure as people address the weaknesses being exploited by the NSA. Tools that cannot be improved will be replaced. Regardless of your personal feelings about Edward Snowden’s actions you must admit that they are making the Internet more secure.

I’m Available for Picking Lottery Ticket Numbers

Remember when I said Sony pulling The Interview was a marketing gimmick and it would be releasing it in theaters? I was right:

According to LA Times reporter Joe Bel Bruno Sony Pictures has confirmed the plan, and indie theaters “are lining up” to show North Korea’s least-favorite movie while CEO Michael Lynton is trying to get the widest release possible. Citing anonymous sources, several outlets have reported the plans include a video-on-demand release, and will be announced publicly later today.

This “limited” release will turn into a full on release after patrons flood the theaters showing it because they want to see the “banned” movie.

Police Finally Told to Act as They Always Should Have Been

With the recent wave of opposition to the violent gangs commonly referred to as police many departments are finally telling their officers to act like they always should have been:

Police around the nation have gone on high alert, told by higher-ups and union representatives to wear bulletproof vests, keep off social media and make arrests only in cases most pressing and crucial to the safety of the public at large.

Emphasis mine. Assuming we’re happy living in a society where a handful of individuals hold power over everybody else, the handful of individuals tasked with oppressing everybody else should refrain from kidnapping unless it is absolutely necessary to protect people. If this recent surge of protests accomplishes nothing else, and assuming police officers actually begin heeding this advice (which they won’t), they will finally be doing what they should have been doing all along. I find it funny how this is considered a dire circumstance by so many officers. That really says everything there is to say.

The Scope of the North Korea Internet Outage

I’m sure many of you are aware of the Internet outage in North Korea. An entire country’s Internet service disrupted? On paper this may sound impressive, it may even sound like retaliation by another nation state for a hack North Korea had nothing to do with. But the outage isn’t nearly as impressive as it sounds:

Chris Nicholson, a spokesman for Akamai, an Internet content delivery company, said it was difficult to pinpoint the origin of the failure, given that the company typically sees only a trickle of Internet connectivity from North Korea. The country has only 1,024 official Internet protocol addresses, though the actual number may be a little higher. That is fewer than many city blocks in New York have. The United States, by comparison, has billions of addresses.

1,024 official Internet protocol addresses for an entire nation? Damn. Obviously there aren’t a lot of connected people in that country (shocker, I know). According to Bloomberg the attack is directed at North Korea’s domain name service servers, which is cheap enough that pretty much anybody could do it:

Such attacks flood Internet servers with traffic to knock infrastructure offline. In North Korea’s case, the attack appears to be aimed at the country’s domain-name service system, preventing websites from being able to resolve Internet addresses, Holden said.

It’s unlikely the attack is being carried out by the U.S., as any hacker could probably spend $200 to do it, Holden said.

This is most likely an attack being carried out by a bored teenager with a small botnet rather than a nation state. Then again, with Sony’s recent behavior it wouldn’t surprise me a whole lot if it was doing this.

It’s Only Perjury When It Doesn’t Work In The Oligarch’s Favor

Lying under oath during a trial is considered a crime. However it, like all crimes, is selectively enforced. If you look through cases of perjury, both prosecuted and dismissed, a trend seems to exist. When the oligarchs get the result they want perjury seems to go unnoticed but when things don’t go their way they’re quick to get revenge. It has been revealed that several witnesses in the grand jury trial of Darren Wilson knowingly lied about what they saw but are going unpunished, probably because Darren Wilson wasn’t charged:

On Monday, the Smoking Gun published a story revealing the identity and troubled history of “Witness 40,” a woman whose elaborate story of witnessing Brown’s death was allegedly taken from newspaper accounts. The woman, who told investigators that she is racist, bi-polar and has raised money for Wilson, approached prosecutors five weeks after the Aug. 9 shooting. In a journal entry that she showed the grand jury, the woman said she had driven through Ferguson at the time of the shooting “so I stop calling Blacks N—— and Start calling them People.”

Another witness, according to The Washington Post, described Brown on his hands knees pleading for his life. “What you are saying you saw isn’t forensically possible based on the evidence,” a prosecutor said. That witness, The Post noted, later asked to leave.

Nonetheless, McCulloch told KTRS host McGraw Milhaven that he will not pursue perjury charges. He said he thought it was more important for the grand jury to “hear everything” and assess each witness’s credibility on their own.

It’s unlikely that the decision would have been different if the lying witnesses hadn’t testified because grand juries have a habit of charging everybody except cops. But it’s important to acknowledge this because it’s an example of the state once again selectively enforcing its laws.

This post shouldn’t be construed as me saying the lying witnesses should be charged. I don’t believe they should. The state is an illegitimate entity to which nobody should be expected to tell the truth. In fact you should lie to the state as much as you feel you can get away with because that’s the best way to avoid some of its extortion.

The Dangers of Being a Cop

With all of the recent reports of police abuse there has been a notable amount of backlash against police officers. The tough on crime crowd has been pointing out that cops have a dangerous job and they’re right. At any point an officer could be required to put himself at risk of a heart attack by having to physically exert him or herself to chase down a perp:

Their job is to protect and serve – but it seems some police officers interpret this as an excuse to enjoy too many extra servings at the lunch table.

A study has revealed US cops have the highest rates of obesity among any profession in the country.

Along with firefighters and security guards, nearly 41 per cent of boys in blue are obese, according to a study in the American Journal of Preventive Medicine.

This probably explains why cops are so quick to use deadly force. There’s no way many of them could possibly chase down a perp so they have to resort to the only tool that can, their sidearm.

And for those wondering the answer is yes. I’m more than willing to go for the easy fat joke when it’s against members of violent gangs.

The Privacy Dangers of Body Camera Equipped Police

I’ve said before how ineffective body cameras on police will be, but after seeing some of the things posted by my friend Kurtis Hannah I am now convinced that they will also bring a new wave of surveillance and privacy violations.

We already live in a world where much of our activity is recorded by cameras. Department stores, gas stations, hospitals, and pretty much everywhere else employ security cameras. While I don’t like being recorded at all of these places I also acknowledge that in most cases they won’t send men with guns after me unless I’ve done something legitimately bad (because that’s usually the only time the footage is reviewed). Police footage, especially in this day and age where the National Security Agency (NSA) already has a massive surveillance apparatus, could be employed differently. It’s not unimaginable that police departments would employ people to review all footage from body cameras to find potential criminal offenses that the officer missed. Such a large amount of footage could also enable police to track individuals by using facial recognition software against body camera footage. That wouldn’t be unprecedented since many departments already do something similar with automatic license plate scanners.

This puts us in a really bad spot. On the one hand we cannot trust the police to go about their activities unsupervised. Having their actions recorded at all times while they’re on duty and streaming that footage live for anybody to access at any point is the only way any semblance of accountability can exist. But doing that will also violate the privacy of anybody within camera shot of an officer.

What’s the solution? In my opinion the only viable solution is to toss out the entire institution of modern policing and replace it with something better. That something better will have to be decentralized by nature and not in any way associated with the state, which seems impossible to implement today due to the controlling nature of today’s state. But until that happens there will be no accountability and the only “solutions” offered to us will be ones that better enable the police to keep us under their boots.

Turning Shame Into an Asset

The Internet is abuzz by news that Sony has cancelled the theatrical release of the latest Rogen and Franco shitfest:

Sony is canceling The Interview‘s planned theatrical release in response to all major US theater chains deciding not to show the film after attacks were threatened. “In light of the decision by the majority of our exhibitors not to show the film The Interview, we have decided not to move forward with the planned December 25 theatrical release,” Sony says in a statement, reprinted by Variety. “We respect and understand our partners’ decision and, of course, completely share their paramount interest in the safety of employees and theater-goers.”

Everybody has concluded that this is a very bad precedent. I believe that this is a very good marketing strategy. Let’s be honest, threats from the two groups that have opposed the release of this movie, hackers and North Korea, have never been taken seriously by anybody in the United States before. Hackers have traditionally been unable to inflict physical damage or pain and thus go mostly ignored, and North Korea is the laughing stock of the entire world. So why would a major cinema chain suddenly back down when one of these groups makes a threat? Because it’s brilliant marketing.

There are already plenty of people upset by this news. After all, capitulating to terrorism doesn’t set a good precedent. So people are going to demand that the movie be brought to theaters, if for no other reason than to not cooperate with terrorists. I predict that in the not too distant future Sony will reverse its decision due to “popular demand”. Every theater chain in the country will likewise reverse their decisions for the same reason. Then people will flock to see the “banned” movie. If I’m right it’s a goddamn brilliant strategy and would allow Sony to turn the shame of a major hack into an asset.

I’m sure some of you reading this probably think I’m joking. I’m not.

Happy Birthday Chelsea Manning

Although I know she’ll not see this on account of the fact that she’s rotting in a cage for informing us of American war crimes I still want to take a moment in joining people in wishing Chelsea Manning a happy 27th birthday.

Without her bravery we may have never learned about some of the war crimes being perpetrated by the United States military. But her plight is also a reminder that the state, no matter how transparent it claims to be, does not like it when people air its dirty laundry. Although it seems doubtful, maybe someday there will be a president in office who will pardon her. Or maybe a group of people will get together and come up with a workable plan to break Chelsea out of her cage. Anybody who managed to do that would be heroes in my book.

The Impact of Edward Snowden

As if anybody had any questions about whether or not Edward Snowden’s actions resulted in a safer Internet we now have a survey with some interesting results:

There’s a new international survey on Internet security and trust, of “23,376 Internet users in 24 countries,” including “Australia, Brazil, Canada, China, Egypt, France, Germany, Great Britain, Hong Kong, India, Indonesia, Italy, Japan, Kenya, Mexico, Nigeria, Pakistan, Poland, South Africa, South Korea, Sweden, Tunisia, Turkey and the United States.” Amongst the findings, 60% of Internet users have heard of Edward Snowden, and 39% of those “have taken steps to protect their online privacy and security as a result of his revelations.”

[…]

I ran the actual numbers country by country, combining data on Internet penetration with data from this survey. Multiplying everything out, I calculate that 706 million people have changed their behavior on the Internet because of what the NSA and GCHQ are doing. (For example, 17% of Indonesians use the Internet, 64% of them have heard of Snowden and 62% of them have taken steps to protect their privacy, which equals 17 million people out of its total 250-million population.)

After we learned about the National Security Agency’s (NSA) massive domestic spying program a lot of people who previously didn’t care about security suddenly began showing an interest. I saw this firsthand when participating in several local CryptoParties. Past attempts to even get enough people to bother throwing one failed miserably, but after Snowden let us all in on the game interest spiked. I’m still busy assisting people interested in computer security because of Snowden. And that’s just individuals who developed a personal interest. Many companies have greatly increased their security, including Google, Apple, and Microsoft.

In addition to better security Snowden’s leaks have also been good for agorism.

So I think it’s pretty clear that Snowden’s actions ended up benefiting us all greatly.