Do you like bacon? Do you like machine guns? If you answered yes to both, why not combine the two? That’s what user Oelund over at Reddit guns did.
Thanks goes to Everyday, No Days Off for this installment of awesome.
Chronicling the depravities of the State.
Well I was able to do some more troubleshooting on my Glock 17 and its inability to feed ammunition without holding it extremely firmly (In other words having enough body mass to ensure reliable operation). Well I can say the problem can be fixed by using hot ammunition. I took the gun to the range again this weekend with the same person that had troubles with the gun when shooting it. After loading the gun with some hotter ammunition the gun cycled perfectly.
So I’m going to update my recommendation on the Generation 4 Glock 17. If you’re a person of small stature you may want to ensure you either hand load ammunition yourself or buy ammunition that’s loaded up hotter. Most of the cheap 9mm ammunition may cause failures to feed as it’s loaded down.
Holy shit! According to Days of our Trailers it’s actually possible to commit mass murder in places that ban guns. No I’m not talking through the usual mechanism of illegally obtained guns but through the mechanism of other weapons. A man in Beijing murdered eight children with a knife.
I thought the anti-gunners said this kind of thing is only possible because of easy access to firearms.
Note that I didn’t say security hole nor security flaw, that was intentional. The nerd part of my brain has been working in overdrive as of late which means I’ve been looking into geeky things. One thing that always intrigues me is the field of security. Well I found the following story on Wired that talks about a security issue in SSL/TLS (The security mechanisms used prominently by web browsers to secure web pages). The article leads to a “no duh” paper that shows how government entities can use their power to subvert SSL/TLS security by coercing certificate authorities into issuing valid certificates (Anybody who knows how SSL/TLS works already knew this was a possibility).
The part that interested me most was an excerpt from one of the cited sources in the paper. See back in the day there was some kerfuffle over the fact that Microsoft included a couple hundred trusted root certificates in their operating system. Root certificates are what ultimately get used to validate a certificate issued to a website. Thus root certificates are the ultimate “authority” in determining if a website you are visiting is valid or not. The more root certificates you have the larger the possibility of a malicious certificate being certified as trusted (Statistically speaking of course. This assumes that with more root certificates the possibility of one of those root certificate “authorities” being corruptible increases). Anyways Microsoft eventually trimmed down the number of root certificates included in their operating system. But they didn’t actually cut down the number of certificates because according to their own developer documentation:
Root certificates are updated on Windows Vista automatically. When a user visits a secure Web site (by using HTTPS SSL), reads a secure email (S/MIME), or downloads an ActiveX control that is signed (code signing) and encounters a new root certificate, the Windows certificate chain verification software checks the appropriate Microsoft Update location for the root certificate. If it finds it, it downloads it to the system. To the user, the experience is seamless. The user does not see any security dialog boxes or warnings. The download happens automatically, behind the scenes.
Microsoft just pulled a security theater here. They didn’t cut down the number of trusted certificates, they just moved them somewhere people wouldn’t see them. If you connect to a web page that has a certificate that can’t be validated against a root certificate Windows will automatically go out to Microsoft’s servers and see if a root certificate there will validate the web site’s certificate. If one of those root certificates will validate the web site certificate it is downloaded onto your machine automatically and the site is listed as trusted. In essence Windows trusts more root certificates than it lets on.
So what does this mean? Well it means the window for having corrupted root certificate authorities is larger. With the exception of Firefox all major web browsers depend on the underlying operating system’s root certificate store to validate web pages (Firefox actually ships with its trusted root certificates and uses its own store as opposed to the underlying operating system’s). This also gives two potential locations to place a malicious root certificate. If an attacker was able to gain access to Microsoft’s online root certificate store and upload their own root certificate any SSL/TLS page they created using that root certificate for validation would show as trusted in all versions of Windows (Firefox still would show the site as untrusted). Granted the window for this attack would be small as Microsoft would most likely find it almost immediately and remove it. Likewise the likelihood of such an attack occurring is very small considering the short time frame it would be valid for. But it’s an interesting thing to ponder regardless. Additionally the same attacker could create a binary of Firefox with the same malicious root certificate included and make it available for download causing the same problem for Firefox users.
No matter what operating system or browser you use the validity of SSL/TLS connections eventually requires that you trust somebody (Which goes against the trust no one security motto). The question here is who are you willing to trust. Only you can determine that but knowing how a security system works and how it’s implemented is important in making that decision. Anyways I just thought that was interesting.
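If you want to see which roots Windows has quietly picked up on your own machine, here is a small PowerShell script that snapshots the local machine's trusted root stores and reports what changed since the last snapshot. It is an added example, not part of the original post or anything from Microsoft; the script parameters and the baseline file location are assumptions you can change.

```powershell
# Added example: baseline and diff the Windows trusted-root stores.
# $BaselinePath and -SaveBaseline are assumed names chosen for this sketch.
param(
    [string]$BaselinePath = "$env:ProgramData\root-baseline.csv",
    [switch]$SaveBaseline
)

# Root     = "Trusted Root Certification Authorities"
# AuthRoot = "Third-Party Root Certification Authorities"
# The same certificate can show up in both views, so de-duplicate on thumbprint.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot'
$current = @(
    foreach ($store in $stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter.ToString('yyyy-MM-dd')
                Subject    = $_.Subject
            }
        }
    }
) | Sort-Object -Property Thumbprint -Unique

# Group Policy can switch off the automatic root download described above.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$policy = Get-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate `
    -ErrorAction SilentlyContinue
$autoUpdateOff = ($null -ne $policy) -and ($policy.DisableRootAutoUpdate -eq 1)
"Automatic root update disabled by policy: $autoUpdateOff"

# First run (or -SaveBaseline): record the current state and stop.
if ($SaveBaseline -or -not (Test-Path -Path $BaselinePath)) {
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    "Baseline of $(@($current).Count) roots written to $BaselinePath"
    return
}

# Later runs: compare thumbprints against the saved baseline.
$baseline = @(Import-Csv -Path $BaselinePath)
$diff = @(Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
    -Property Thumbprint -PassThru)
$added   = @($diff | Where-Object { $_.SideIndicator -eq '=>' })
$removed = @($diff | Where-Object { $_.SideIndicator -eq '<=' })

"Roots added since baseline: $($added.Count)"
$added | Format-Table -Property Thumbprint, NotAfter, Subject -AutoSize
"Roots removed since baseline: $($removed.Count)"
$removed | Format-Table -Property Thumbprint, NotAfter, Subject -AutoSize
```

Run it once to write the baseline, browse for a while, then run it again; any root listed as added showed up without a prompt.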
Says Uncle sums up the passing of the health insurance reform bill. Brilliant.
People often talk about the inherent lack of security in Microsoft Windows and Internet Explorer. Very seldom does anybody talk about the weakest link in computer security, the users. In the latest Pwn2Own contest, a contest where participants attempt to break into various computers to win them, 64-bit Windows 7, Mac OS X, and even the iPhone all fell. But there was a common theme running here, none of the systems fell to a direct attack.
All the hacked systems were broken into via exploits in their web browsers. Internet Explorer 8 and Firefox 3.6.2 were used to break into the 64-bit Windows 7 systems while Safari was used to break into both Mac OS X and the iPhone. Each browser was broken into by crafting a malicious web page and having the users of the system navigate to it.
But once again none of the systems at this contest were broken into without the need for human interaction. This brings up the fact that human beings are now the main component being attacked (Granted it’s been like this since the dawn of computers). The only way to protect yourself is through education. Do not click on random links that people send you regardless of whether you know them or not. It’s a simple thing to learn really but the motto in security is trust no one and you should follow that slogan when on a computer.
As everybody knows the United States Constitution requires the population of the United States be recorded every ten years. This is done by the Census Bureau and many of us are angry that they ask questions beyond what is constitutionally required. Of course we’re called paranoid and asked what danger could possibly exist by answering the other questions. Well that extra information has been used before to persecute a group of Americans.
The article talks about what happened shortly after the bombing at Pearl Harbor:
In the 1940 Census, the Census Bureau loudly assured people that their responses would be kept confidential. Within four days of the attack on Pearl Harbor, the Census Bureau had produced a report listing the Japanese-American population in each county on the West Coast. The Census Bureau launched this project even before Congress declared war on Japan. The Census Bureau’s report helped the US Army round up more than 100,000 Japanese-Americans for concentration camps (later renamed “internment centers”).
Yup that extra “harmless” information in the Census helped the United States Army to round up a group of “undesirables.” If something has happened before it can happen again. People need to remember every time government tries to gain more information about you they will inevitably use it against you.
Well ladies and gentlemen I’m back in Minnesota. I was in New York on business and let me tell you I missed my carry piece. It felt good to strap that Glock 30 back onto my hip.
I’m sorry for the lack of updates but the Internet connectivity I had available wasn’t great. Many sites, including my own blog, were timing out so I couldn’t post new stories. Likewise since I mentioned HotSpot VPN previously I would like to make a note that I was unable to get IRC to work while connected to their service. I’m not sure if it was related to lag or if they block IRC traffic but either way I wasn’t dreadfully happy about that.
In the time I was away it appears one major news item happened and that was the passing of the health insurance (It’s not care because the government isn’t doing anything there) “reform” bill. I haven’t said much about this on here because this is one of those items that I haven’t chosen to follow much. Yes it’s important since now the federal government has asserted even more control over our lives but I only have a limited amount of time in a day and hence I chose my items to follow carefully. Not to mention it was getting wall to wall coverage everywhere else and I knew it was going to pass after Obama started bribing offering deals to politicians in exchange for a yes vote. Anyways it’s through, I’m pissed about it, whatever.
The real issue though is the fact I’m a bit behind on gun news. I’m not sure if anything major happened in the gun rights arena or not but I’m going to find out. On a side note I’m most of the way through a new novel titled Daemon by Daniel Suarez (No worries it’s not an affiliate link). It’s a great title and when I’m finished I’ll do a little write up about it. Needless to say you should check it out.
Updates are probably going to remain slow for a day or two yet while I get back into the swing of things.
Yes this is the Toys ‘R’ Us site. Yes that is a laser bore sight. But what really makes this page hilarious are the reviews.
Due to work related conditions blogging here is going to be kind of slow for the next few days. I’ll try to post a few things here and there but I make no promises.