Category: Technology

Why You Should Be Concerned About Wi-Fi Sense

Windows 10 has a feature, dubbed Wi-Fi Sense, that allows you to share any Wi-Fi pre-shared keys with your friends. Needless to say the security community hasn’t received this feature with open arms. Just because you trust a friend to connect to your wireless network doesn’t mean you trust all of their friends. But a lot of people have been trying to argue that this feature isn’t a big deal and people should stop being so worried about it. Some are even claiming that this feature is beneficial to security because it makes it easier for people to find encrypted Wi-Fi networks to join.

My focus when it comes to security is the individual. From my vantage point I see this feature as a risk to individuals who want to control who has access to their wireless networks. Ars Technica, while trying to argue that Wi-Fi Sense isn’t that big of a deal, inadvertently made the best case against it:

For a start, when a Wi-Fi passkey is shared with your PC via Wi-Fi Sense, you never actually see the password: it comes down from a Microsoft server in encrypted form, and is decrypted behind the scenes. There might be a way to see the decrypted passkeys if you go hunting through the registry, or something along those lines, but it’s certainly not something that most people are likely to do.

Emphasis mine. You can’t base your security model on the assumption that so long as something isn’t easy to do it won’t be done. Although Wi-Fi Sense encrypts pre-shared keys before transmitting them they have to be decrypted before they can be used. Once they’re decrypted they’re fair game for anybody who knows where to look. To make matters worse once somebody finds where the unencrypted keys are stored it will be trivial to write an automated tool for extracting and displaying them.

The biggest problem with Wi-Fi Sense it makes it extremely easy to lose any control over who has access to your pre-shared key. While it’s true that you potentially lose control over who has your pre-shared key the second you share it with somebody else this makes the problem worse because even a trustworthy person may inadvertently shard the key with all of their friends.

As with anything there are pros and cons. I’m not saying Wi-Fi Sense doesn’t offer any benefits. But I think a lot of people are sweeping major security concerns about the feature under the rug. You should be fully aware of the risks involved in using the feature and you especially can’t assume just because something is potentially difficult nobody is going to do it.

The Real Android Security Issue

A new text message vulnerability has been discovered. Sending a maliciously formed video through multimedia messaging service (MMS) an attacker can compromise a device running Android. This shouldn’t be a notable problem because Google has already pushed out a fix. But it is a notable problem because there’s no guarantee device manufacturers will push the fix to their users:

If you’re an Android user, you’d better hope that a stranger doesn’t send you a video message in the near future — it might compromise your phone. Security researchers at Zimperium have discovered an exploit that lets attackers take control if they send a malware-laden MMS video. The kicker is that you may not even need to do anything to trigger the payload, depending on your text messaging app of choice. While the stock Messenger app won’t do anything until you see the message, Hangouts’ pre-processing for media attachments could put you at risk before you’re even aware that there’s a message waiting.

Google is already on top of the flaw, and has pushed out a fix to its hardware partners. However, whether or not you’ll get that fix will depend on your phone’s manufacturer. Zimperium tells Forbes that the Nexus 6 and Blackphone are already safe against some of the related flaws (other Nexus devices are likely in a similar boat), but more common third-party phones from Samsung, HTC and others are typically still vulnerable.

There is a lot of heated debate over whether iOS or Android is more secure. Overall I think both operating systems have a decent reputations for security but Android gets a bad rap because Google doesn’t control the update channel for all Android devices. Google has already pushed the fix out to its device and some manufacturers have pushed the fixes to their users. But each manufacturer gets a great deal of leeway over what they can do with Android and many have opted to make their devices rely on their update channel instead of Google’s. This means updates may not arrive in a timely manner or at all.

iOS has an advantage when it comes to security because Apple controls the hardware and software. When a vulnerability is fixed Apple can guarantee everybody using a currently support version of iOS gets the update.

Google would do well to require device manufacturers to use its official Android update channel in order to use its proprietary apps (which is the only real pull Google has since Android is an open source operating system). Since most Android users rely on Google’s proprietary apps that would be a powerful incentive for handset manufacturers to utilize the official Android update channel instead of rolling their own. Until that is done I fear a lot of Android users will continue being vulnerable to exploits that have already been discovered and patched.

I’m Available For Performing Electronic Exorcisms

As many of you know I’m a discordian pope. In addition to that I’m also an ordained minister by the Universal Life Church Monastery. With rock solid credentials like that I’m totally getting into the electronic exorcism business:

But if you truly think your electronics have been invaded by an evil spirit, there’s someone who will take your call — Reverend Joey Talley — a Wiccan witch from the San Francisco Bay Area who claims to solve supernatural issues for techies.

[…]

“Most people want me to protect their computers from viruses and hacks,” she told SF Weekly. “So I’ll make charms for them. I like to use flora.” And when there are problems in office hardware, Talley turns to “Jet,” a black stone that serves to block energy. In extreme cases, she casts protection spells of her own over the entire company.

[…]

Talley’s services do not come cheap. She charges $200 an hour (though a phone consultation is free).

For $200.00 per hour — hell, for $100.00 per hour I’ll exorcise the daemons from your systems (at least the daemons that aren’t supposed to be there). My e-mail address is to the right of this post, feel free to contact me for your free exorcism estimate!

The Seedier Side of the Internet isn’t as Seedy as You Think

Due to the popularity of Silk Road the mainstream media has been busily reporting about the “dark” web. If you take the news stories about the “dark” web literally it is a place where child pornography is readily available, hitmen can be hired for a handful of Bitcoin, and terrorists commonly hold secret meetings to discuss their plan blow up the next elementary school. Reality, as is often the case with mainstream media portrayals, is quite different:

Read nearly any article about the dark web, and you’ll get the sense that its name connotes not just its secrecy but also the low-down dirty content of its shadowy realms. You’ll be told that it is home to several nefarious things: stolen data, terrorist sites, and child porn. Now while those things may be among what’s available on the dark web, all also are available on the normal web, and are easily accessible to anyone, right now, without the need for any fancy encryption software.

[…]

Despite reports, there are only shreds of evidence that the Islamic State is using the dark web. One apparent fund-raising site highlighted by the Washington Post had managed to garner exactly 0 bitcoins at the time of writing, and this was also the case with another I discovered recently. It’s worth pointing out that both of those sites simply claimed to be funneling the cash to the terrorist group, and could easily have been fakes. The one Islamic extremist dark web site to actually generate any revenue mustered only $1,200 earlier this year. Even it doesn’t explicitly mention the Islamic State.

And yes, child porn is accessible on the normal web. In fact, it is rampant when compared with what’s available from hidden sites. Last year, the Internet Watch Foundation, a charity that collates child sexual abuse websites and works with law enforcement and hosting providers to have the content removed, found 31,266 URLs that contained child porn images. Of those URLs, only 51 of them, or 0.2 percent, were hosted on the dark web.

In other words the big scary “dark” web is basically a smaller regular Internet. What you find on hidden sites, which is the correct term for the “dark” web, is also far more widely available on the regular Internet. Why do sites go through the hassle of requiring visitors to utilize something like the Tor browser then? Because maintaining anonymity for both themselves and their visitors is valuable.

In the case of Silk Road, for example, it was much easier to build user trust by using a hidden site since there was a barrier between the service and the identity of its users. Not only did that barrier protect users from potentially being revealed to law enforcement agents by the site’s administrators but it also prevented buyers and sellers from being able to identify each other. Silk Road was an example of anonymity making things safer for everybody involved.

If you’re of the opinion that buying and selling drugs should result in men with guns kicking down doors at oh dark thirty and therefore what I said above is not a valid justification for hidden sites don’t worry, I have another. Journalists often find themselves in positions where sources demand anonymity before revealing important information. That is why services such as Onionshare, were created:

That’s exactly the sort of ordeal Micah Lee, the staff technologist and resident crypto expert at Greenwald’s investigative news site The Intercept, hopes to render obsolete. On Tuesday he released Onionshare—simple, free software designed to let anyone send files securely and anonymously. After reading about Greenwald’s file transfer problem in Greenwald’s new book, Lee created the program as a way of sharing big data dumps via a direct channel encrypted and protected by the anonymity software Tor, making it far more difficult for eavesdroppers to determine who is sending what to whom.

Whistle blowers are an example of individuals who are less likely to talk to journalists, and therefore blow the whistle, unless their identify can be protected. This is especially true when the whistle blower is revealing unlawful government activities. With access to legal coercive powers it is possible for the state to compel a journalist to reveal a source of information damning to it. If the journalist doesn’t know the identity of the whistle blower, as would be the case if the data was sent via a hidden service, they cannot reveal it to the state no matter what court orders it issues or torture it performs. That protection makes the likelihood of a whistle blower to come forward much higher.

The “dark” web is little more than a layer of anonymity bolted onto the existing Internet. Anything available on the former is available in far larger quantities on the latter. What the “dark” web offers is protection for people often needing it. Like any tool it can be used for both good and bad but that doesn’t justify attempting to wipe it out. And because much of the world is ruled by even more insane states than the ones that dominate the so-called first world I would argue the good of protecting people far outweighs the bad that was happening and still is happening on the regular Internet.

Government Networks Are too Old to Secure

The quest for answers regarding the recent breach that put every federal employee’s personal information at risk has begun. As with most government investigations into government screw ups this one is taking the form of public questionings of mid-level federal employees. Buried within the extensive waste of time that was the most recent public hearing were a few nuggets of pure gold. For starters the Office of Personnel Management (OPM) Director, Katherine Archuleta, let some information slip that should be very concerning to everybody:

During testimony today in a grueling two-hour hearing before the House Oversight and Government Reform Committee, Office of Personnel Management (OPM) Director Katherine Archuleta claimed that she had recognized huge problems with the agency’s computer security when she assumed her post 18 months ago. But when pressed on why systems had not been protected with encryption, she said, “It is not feasible to implement on networks that are too old.” She added that the agency is now working to encrypt data within its networks.

Apparently government networks are too old to secure. The only conclusion one could draw from this is that involved the government networks are running on unsupported software. Perhaps most of the computers in its networks are still running Windows XP or something older. Perhaps the hardware they’re using is so ancient that it cannot actually encrypt and decrypt data without a noticeable performance hit. What is clear is that somebody really screwed up. Whether it was network administrators failing to update software and hardware or bean counters failing to set aside funding for modernization the network that holds the personal information for every federal employee was not properly maintained. And this is the same organization that has a great deal of personal information about every American citizen. The federal government has your name, address, phone number, Social Security Number, date of birth, and more sitting in its janky-ass network. Think about that for a moment while you contemplate the importance of privacy from the government.

But old networks aren’t the only problem with the government’s networks:

But even if the systems had been encrypted, it would have likely not mattered. Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would “not have helped in this case” because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.

Gaining valid user credentials shouldn’t allow one to obtain personal information on every government employee. This admission indicates that every user on the network must either have administrative rights or the data isn’t protected in any way against unauthorized access from internal users. Any network administrator worth a damn knows that you only give users the privileges they require. Developers of systems that handle sensitive personal information should know that any access to said information would require approval from one or more higher ups. If I’m a user and want to access somebody’s Social Security Number there should be some kind of overseer that must approve the request.

Many network administrators haven’t implemented multifactor authentication but this omission is inexcusable for a network that contained so much personal information. Relying on user names and passwords to protect massive databases of personal information is gross negligence. With options such as YubiKey, RSA Secure ID, and Google Authenticator there is no excuse for not implementing multifactor authentication on networks with so much sensitive information.

Well all know governments love oversight and this is no exception. The systems in question were inspected by a government overseer, were deemed to not be properly secure, and nothing was done about it:

He referred to OPM’s own inspector general reports and hammered Seymour in particular for the eleven major systems out of 47 that had not been properly certified as secure—which were not contractor systems but systems operated by OPM’s own IT department. “They were in your office, which is a horrible example to be setting,” Chaffetz told Seymour. In total, 65 percent of OPM’s data was stored on those uncertified systems.

Chaffetz pointed out in his opening statement that for the past eight years, according to OPM’s own Inspector General reports, “OPM’s data security posture was akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information.”

Here we see one of the biggest failures with government oversight, the lack of enforcement. When an inspector deems systems to be unfit those systems should be made fit. If they’re not made fit people charged with maintaining them should be replaced. There is no point in oversight without follow through.

When people claim they have nothing to hide from the government they seldom stop to consider who can gain access to its data. It’s not just the law enforcers. Due to general incompetence when it comes to security it’s potentially anybody with valid user credentials. And valid user credentials are obtainable by exploiting the weakest link in any computer network, the user. According to Dr. Andy Ozment the credentials were likely obtained through social engineering, which is something most people can fall prey to. Because of the lack of multifactor authentication that means anybody who can social engineer user credentials from a government employee potentially has access to all of the data collected by the government on yourself. Is that something you’re honestly OK with? Do you really want a government this incompetent at protecting the personal data of its own employees holding a lot of personal data about you?

Nothing to See Here

My Kindle Voyage arrived last night so I was playing with that instead of blogging. Admittedly it’s expensive but holy hell is it a wonderful reading device. The screen is really nice (at least compared to my first generation touch screen Kindle) and the back light doesn’t interfere with the e-paper legibility. Did I mention the return of the page flip buttons? I missed those and am glad they’re back. If you read a lot I highly recommend this thing.

Since Goodreads is integrated with the Voyage I created an account. If you want to know what I’m reading and what I’ve read you can follow me here (hint: it’s almost all science fiction and history).

Deus Ex is Our Future

Deus Ex is a great series of video games because it not only has great game play but also addresses the issue of transhumanism. As prosthetic technology improves we will certainly have people opting to have their squishy natural limbs and organs replaced by far superior mechanical versions. Even now prosthetics are becoming more capable. But they still lack one major feature, a sense of touch. That will soon change:

Daniel Moran, PhD, professor of biomedical engineering in the School of Engineering & Applied Science and of neurobiology, of physical therapy and of neurological surgery at the School of Medicine, has received a three-year, nearly $1.9 million grant from the Defense Advanced Research Projects Agency (DARPA) to test a novel device his lab developed that would stimulate the nerves in the upper arm and forearm. If it works, upper-limb amputees who use motorized prosthetic devices would be able to feel various sensations through the prosthetic, which would send sensory signals to the brain.

[…]

Moran and his team, which includes Harold Burton, PhD, professor of neurobiology; Wilson (Zach) Ray, MD, assistant professor of neurological surgery, both at the School of Medicine; and Matthew MacEwen, who will graduate with an MD/PhD in May 2015 and worked on this project for his dissertation, have developed a macro-sieve peripheral nerve interface designed to stimulate regeneration of the ulnar and median nerves to transmit information back into the central nervous system. The macro-sieve is made of an ultrathin, flexible material similar to a soft contact lens, is about 1/8th the size of a dime and looks like a wagon wheel with open spaces between the “spokes” that allow the nerve to grow.

At this rate we’ll have actual cyborgs within the decade. It’s amazing how quickly technology is advancing. Much of it is due to the development of every smaller power-efficient computers. Since technology is cumulative, that is to say technology builds on itself to create more technology, we may enjoy that almost utopian future dreamed of in the 1950’s (you know the one with flying cars and infinite energy provided by nuclear power).

Embrace the Machines

Self-driving cars are advancing quickly, which has lead to a debate. Many people don’t like the idea of self-driving cars because they believe the potential for software glitches to lead to a catastrophic crash is too high. I, on the other hand, can’t wait to buy a self-driving car. Software glitches are always a possibility but the truth is we humans are far more prone to error when driving then current self-driving cars have been. That’s because our species as a problem with complacency. When we do a task successfully so many times we become less cautious and allow ourselves to be distracted more easily. This is why humans suck at watching security monitors all day. It’s also why adding some intelligence to our vehicles makes a lot of sense. Recently the European New Car Assessment Program (NCAP) did a study on self-braking cars and found that they reduced rear-end collisions significantly:

While we’re still some way off seeing full-blown, self-driving cars winding their way across continental Europe, a more modest autonomous technology has found approval with safety bods. Research conducted by the European road safety research organisation Euro NCAP concluded that having a car automatically slam on the brakes to avoid low-speed accidents leads to a 38 percent reduction in rear-end crashes.

As you’ll note software glitches didn’t lead to an increase in crashes. And while software glitches could lead to isolated failures that almost certainly won’t be enough to offset the benefits of such a highly reduce rear-end collision rate. This also shows that there are things machines are better at than us squishy humans. Repetitive tasks, such as driving, are one of them.

Machines are not only incapable of getting bored but they are also better at maintaining awareness. A computer can monitor a vast number of sensors simultaneously whereas us humans have five sense that are very restricted (for example, our vision only sees forward and our sense of touch requires physical contact). If you think you can maintain better awareness than a self-driving car equipped with cameras, radar, laser sensors, radio communication to other self-driving cars, and a slew of other sensors you are mistaken.

The debate over self-driving cars shouldn’t be whether software glitches will lead to isolated catastrophes. It should be over whether self-driving cars, as a whole, will increase overall vehicle safety. Since machines are better at almost every aspect of driving (road rage is the only exception I can think of) than we are the debate is pretty much settled. That’s not to say wanting a car you drive yourself because you prefer to drive a car yourself isn’t a valid reason to buy one. But the concerns about safety risks involve in self-driving cars has been put to rest.

The Future is Here

If there are any questions about my belief that technological advancements will save us before political actions this story should answer them:

Snuggly situated in an industrial section of Oakland, CA is Next Thing Co. a team of nine artists and engineers who are pursuing the dream of a lower cost single board computer. Today they’ve unveiled their progress on Kickstarter, offering a $9 development board called Chip.

The board is Open Hardware, runs a flavor of Debain Linux, and boasts a 1Ghz R8 ARM processor, 512MB of RAM, and 4GB of eMMC storage. It is more powerful than a Raspberry Pi B+ and equal to the BeagleBone Black in clock speed, RAM, and storage. Differentiating Chip from Beagle is its built-in WiFi, Bluetooth, and the ease in which it can be made portable, thanks to circuitry that handles battery operation.

$9 for a computer with a 1Ghz process, 512MB of RAM, and 4GB of storage? And it runs Linux? Sign me up! I never thought I’d live to see this day. My family’s first computer, and we came to the computer game fairly late, was a real piece of shit 3.11 machine and must have cost at least $2,000 or $3,000. Back then the idea that a computer would be available for $9 was inconceivable.

This is another example of the market providing real solutions to real problems. Is there any wonder why us market anarchists have more faith in it than politicians who seem incapable of identifying, let alone solving, real problems?

Modern Medical Technology Amazes Me

Prosthetics have only recently become more than crude mechanical devices capable of only being able to simulate very basic human movements, if they could even simulate that. But that introduction of computer technology has allow prosthetics to improve dramatically in a very short period of time. One of my friends posted this video of a woman who has a prosthetic hand that moves very much like a natural hand.

The prosthetic is made by Bebionic, which makes prosthetics that use motors and microprocessors to better mimic human movements. All I can say is that’s incredibly cool.