A Geek With Guns

Chronicling the depravities of the State.

Archive for the ‘1984 was a Warning not a Blueprint’ tag

Payback

with one comment

If there’s one thing the State won’t tolerate, it’s disobedience:

Authorities are opening a federal criminal investigation into WikiLeaks’s publication of troves of documents detailing purported CIA hacking programs, CNN reported Wednesday.

The FBI and CIA will collaborate on the probe, according to CNN, which reported that it is focused on determining how the anti-secrecy organization obtained the documents and whether they were leaked by an employee or contractor.

Notice how the criminal investigation is being performed against WikiLeaks and not the Central Intelligence Agency (CIA)? That shows you where the State’s priorities are. Much like when it went after Snowden instead of the National Security Agency (NSA), when the State is given a choice to go after criminals within its agencies or the people who blew the whistle on those criminals, it always chooses the latter.

Once again I must reiterate the point that the State doesn’t exist to protect the people, it exists to exploit the people and will go to any extent to do it.

Vault 7 isn’t the End of Privacy

with 2 comments

There has been a lot of bad stories and comments about Vault 7, the trove of Central Intelligence Agency (CIA) documents WikiLeaks recently posted. Claims that the CIA has broken Signal, can use any Samsung smart television to spy on people, and a whole bunch of other unsubstantiated or outright false claims have been circulating. Basically, idiots who speak before they think have been claiming that Vault 7 is proof that privacy is dead. But that’s not the case. The tools described in the Vault 7 leak appear to be aimed at targeted surveillance:

Perhaps a future cache of documents from this CIA division will change things on this front, but an admittedly cursory examination of these documents indicates that the CIA’s methods for weakening the privacy of these tools all seem to require attackers to first succeed in deeply subverting the security of the mobile device — either through a remote-access vulnerability in the underlying operating system or via physical access to the target’s phone.

As Bloomberg’s tech op-ed writer Leonid Bershidsky notes, the documentation released here shows that these attacks are “not about mass surveillance — something that should bother the vast majority of internet users — but about monitoring specific targets.”

The threats of mass surveillance and targeted government surveillance are very different. Let’s consider Signal. If the CIA had broken Signal it would be able to covertly collect Signal packets as they traveled from source to destination, decrypt the packets, and read the messages. This would enable mass surveillance like the National Security Agency (NSA) has been doing. But the CIA didn’t break Signal, it found a way to attack Android (most likely a specific version of Android). This type of attack doesn’t lend itself well to mass surveillance because it requires targeting specific devices. However, if the CIA wants to surveil a specific target then this attack works well.

Avoiding mass surveillance is much easier to deal with than defending yourself against an organization with effectively limitless funds and a massive military to back it up that specifically wants your head on a platter. But unlike mass surveillance, very few people have to actually deal with the latter. And so far the data released as part of Vault 7 indicates the surveillance tools the CIA has developed are aimed at targeted surveillance so you most likely won’t have to deal with them.

Privacy isn’t dead, at least so long as you’re not being specifically targeted by a three letter agency.

Vault 7

without comments

WikiLeaks dropped a large archive of Central Intelligence Agency (CIA) leaks. Amongst the archive are internal communications and documents related to various exploits the CIA had or has on hand for compromising devices ranging from smartphones to smart televisions.

I haven’t had a chance to dig through the entire archive yet but there’s one thing that everybody should keep in mind.

The government that claims to protect you, that many people mistakenly believe protects them, has been hoarding vulnerabilities and that has put you directly in harm’s way. Instead of reporting discovered vulnerabilities so they could be patched, the CIA, like the NSA, kept them secret so it could exploit them. Since discovery of a vulnerability doesn’t grant a monopoly on its use, the vulnerabilities discovered by the CIA may very well have been discovered by other malicious hackers. Those malicious hackers could, for example, be exploiting those vulnerabilities to spread a botnet that can be used perform distributed denial of service attacks against websites to extort money from their operators.

Remember this the next time some clueless fuckstick tells you that the government is there to keep you safe.

While I haven’t had a chance to read through the archive, I have had a chance to read various comments and reports regarding the information in the archive. By doing this I’ve learned two things. First, the security advice posted by most random Internet denizens is reminiscent of the legal advice posted by most sovereign citizens. Second, the media remains almost entirely clueless about information security.

Case in point, a lot of comments and stories have said that the archive contains proof that the CIA has broken Signal and WhatsApp. But that’s not true:

It’s that second sentence that’s vital here: It’s not that the encryption on Signal, WhatsApp (which uses the same encryption protocol as Signal), or Telegram has been broken, it’s that the CIA may have a way to break into Android devices that are using Signal and other encrypted messaging apps, and thus be able see what users are typing and reading before it becomes encrypted.

There is a significant difference between breaking the encryption protocol used by a secure messaging app and breaking into the underlying operating system. The first would allow the CIA to sit in the middle of Signal or WhatsApp connections, collect packets being sent to and from Signal and WhatsApp clients, and decrypting the packets and reading the contents. This would allow the CIA to potentially surveil every WhatsApp and Signal user. The second would allow the CIA to target individual devices, compromise the operating system, and surveil everything the user is doing on that device. Not only would this compromise the security of Signal and WhatsApp, it would also compromise the security of virtual private networks, Tor, PGP, and every other application running on the device. But the attack would only allow the CIA to surveil specific targeted users, not every single user of an app.

The devil is in the details and a lot of random Internet denizens and journalists are getting the details wrong. It’s going to take time for people with actual technical knowhow to dig through the archive and report on the information they find. Until then, don’t panic.

Written by Christopher Burg

March 8th, 2017 at 11:00 am

What What (In the Butt)

without comments

The Transportation Security Administration (TSA) has announced that it’s going to perform even more thorough acts of sexual assault against air travelers:

While few have noticed, U.S. airport security workers long had the option of using five different types of physical pat-downs at the screening line. Now, those have been eliminated, replaced instead with one universal approach. And this time, you will notice.

The new physical touching-for those selected to have a pat-down-will be more invasive in what the federal agency describes as a more “comprehensive” physical screening, according to a Transportation Security Administration spokesman.

Denver International Airport, for example, notified employees and flight crews on Thursday that the “more rigorous” searches “will be more thorough and may involve an officer making more intimate contact than before.”

I guess the TSA hired Agent Flemming:

How much more “intimate” could they get? Current pat downs cover everything except grabbing junk and cavity searches. I wonder if TSA agents will at least inform you if they feel anything potentially cancerous in your colon.

Not surprisingly, the TSA is citing its abysmal failures as justification for performing even more grotesque acts of sexual assault. When government agencies fuck up they always punish the people.

Punishing Suspects without Proving Guilt

without comments

Federal prosecutors have a history of letting suspected child pornographers go free so it can keep the techniques it used to identify them secret. That history continues:

Rather than share the now-classified technological means that investigators used to locate a child porn suspect, federal prosecutors in Washington state have dropped all charges against a man accused of accessing Playpen, a notorious and now-shuttered website.

The case, United States v. Jay Michaud, is one of nearly 200 cases nationwide that have raised new questions about the appropriate limitations on the government’s ability to hack criminal suspects. Michaud marks just the second time that prosecutors have asked that case be dismissed.

Of course, the government left an out for itself. Double jeopardy is a concept under United States law that protects individuals from being prosecuted for the same crime twice. However, like all concepts that appear to protect the people from the government, there are loopholes that allow double jeopardy to be bypassed. A case can be dismissed with either with or without prejudice. If a case is dismissed with prejudice then it is done. If a case is dismissed without prejudice then it can be brought back into the courtroom at a later date.

“The government must now choose between disclosure of classified information and dismissal of its indictment,” Annette Hayes, a federal prosecutor, wrote in a court filing on Friday. “Disclosure is not currently an option. Dismissal without prejudice leaves open the possibility that the government could bring new charges should there come a time within the statute of limitations when and the government be in a position to provide the requested discovery.”

Dismissal without prejudice is often used when prosecutors screwed up procedurally. It gives them the option to correct their mistake and refile. But in this case the prosecution didn’t screw up procedurally. It simply didn’t want to reveal its evidence at this time but wants to reserve the ability to refile the charges at a time it finds more convenient. By using the ability to dismiss without prejudice in this manner the State has effectively nullified the concept of double jeopardy.

The government can recharge Jay Michaud when it decides that it wants to actually reveal its evidence. I think this move shows us how the government is planning to proceed. Instead of revealing the exploits it used to identify suspected child pornographers, the government will bring charged and dismiss them without prejudice and then recharge previous suspects after either the exploits have been discovered and patched or the statute of limitations is about to expire.

I’m sure this sounds like a great strategy to many people, especially considering the crime at hand. But it throws the entire concept of double jeopardy out the window. Instead of gathering enough evidence to bring charges and revealing that evidence to a jury, prosecutors can gather evidence, bring charges, dismiss the case without prejudice, and then bide their time until they decide to press charges again (where they may decide to just repeat the cycle or actually prosecute the suspect). Meanwhile, the suspect has to live with the charges looming over their head, which will almost certainly cause them a great deal of anxiety and mental anguish. It’s borderline mental torture. Dismissal without prejudice when used in this manner allows the State to inflict some punishment in the form of mental anguish without having to actually prove a suspect is guilty of a crime.

Written by Christopher Burg

March 7th, 2017 at 10:00 am

Boogeymen

without comments

Watching politics is a lot like watching a train wreck. Part of you wants to look away but the other part of you is too fascinated by the death and destruction.

For me, one of the most entertaining aspects of politics is the boogeymen. Every politician and political group has boogeymen that are supposedly responsible for the nation’s woes. These boogeymen change whenever it’s politically expedient and when they do we’re told that we were never at war with the previous boogeymen but we were always at war with the new boogeyman.

Right now the Republicans and Democrats seem to have settled on their current boogeymen. The Republicans are blaming the nation’s woes on immigrants while the Democrats are blaming the nation’s woes on Russia.

Why do politicians and political groups always point to boogeymen? Because they need to deflect attention away from the people who have been screwing things up, the people who are actually in power in this nation, themselves. And if you talk to most people they’ll acknowledge that the politicians have screwed things up. But then they’ll totally ignore that sentiment when one of the boogeymen is brought up. Mention Russia around Democrats and they’ll fly into a frenzy about how Putin manipulated our election like some kind of Central Intelligence Agency (CIA) agent. Mention immigrants around Republicans and they’ll foam and the mouth as they spew vitriol about the evil immigrants who built their deck and roofed their house being lazy and unwilling to work.

The reason politicians continue wrecking things but remain in power is because the average person is stupid enough to ignore their antics so long as they’re given something else to fear.

Written by Christopher Burg

March 3rd, 2017 at 10:00 am

Government Databases

without comments

Every politician needs a boogeyman. The Democrats have decided that Russia is their boogeyman while Republicans have decided that immigrants are their boogeyman. While the Democrats pursue their boogeyman by claiming every Republican is a secret Russian agent, the Republicans have been working to ramp up harassment of immigrants. One method the Republicans have decided on is releasing private data on immigrants in the country:

Over the last month, the Trump administration has waged a war on the rights of immigrants and foreigners — including by issuing a policy that strips away basic privacy protections that have been provided by Democratic and Republican presidents for decades.

This policy shift was tucked into Trump’s immigration enforcement executive order released on January 25. It could let the Trump administration release the names and private information of non-U.S. citizens — including refugees, college students, tourists, and people here on work visas. The new policy could also make it easier for Immigration and Customs Enforcement to obtain information from other agencies that can be used to detain or deport people.

If the government didn’t have the data in the first place it wouldn’t be able to release it.

That’s the lesson people should be taking away from this. Government databases are always dangerous. Sure, they sound like a jolly good idea when your team is in power, especially if the databases are being used to store information about people you don’t like. But when the team you don’t like gets into power they’re granted access to every existing database, including those containing information about yourself and people you like.

If you’ve ever supported the government keeping data on people; whether it be on motorists, gun owners, or anybody who holds an ideology that you don’t agree with; then this recent development is the inevitable result of what you wanted.

This Will End Well

without comments

I would think that a nation primary composed of people who have had a rather unpleasant history with government databases would be very reluctant about creating government databases. But then I would be wrong:

The Knesset passed the biometric database law Monday night.

The bill was approved in its second and third readings after all objections were overcome. The final vote was 39-29 in favor.

The bill was significantly changed from its original version.

Over the course of the day it was decided that the database will not include fingerprints of anyone under the age of 16 and will not be used for unusual police applications.

New additions to the law were intended to amend the arrangements for the biometric database, in which all residents of the State will have their pictures and fingerprints taken, but for those who object, their data would be tied to their smart-cards instead of being entered into a database. However, those who choose to not be entered into the database will have to renew their passports and ID cards once every five years instead of every ten.

Those who fail to learn from history are doomed to repeat it.

Written by Christopher Burg

March 1st, 2017 at 10:00 am

Rules are for Thee, Not for Me

with 2 comments

The State makes hypocrites of everybody involved in it. At some point even the most principled individual will have to compromise those principles. Take Representative Devin Nunes, for example. He strongly supports the National Security Agency’s (NSA) widespread surveillance program when it’s used against you and me. But when surveillance is used against him and his ilk he suddenly hates it:

Back then there was a bipartisan push to try to require some more due process in National Security Agency (NSA) surveillance of Americans. Nunes used the deadly attack on the nightclub in Orlando to argue against it, claiming it would hamper the government in its fight against the war on terror.

But while he was opposed to protecting you and me from unwarranted government surveillance, apparently Nunes does think that the feds recording a call between ex-National Security Adviser Mike Flynn and a Russian ambassador in December is beyond the pale. From The Washington Post:

The chairman of the House Intelligence Committee said Tuesday that the most significant question posed by the resignation of national security adviser Michael Flynn is why intelligence officials eavesdropped on his calls with the Russian ambassador and later leaked information on those calls to the press.

“I expect for the FBI to tell me what is going on, and they better have a good answer,” said Rep. Devin Nunes (R-Calif.), chairman of the House Permanent Select Committee on Intelligence, which is conducting a review of Russian activities to influence the election. “The big problem I see here is that you have an American citizen who had his phone calls recorded.”

The ability of politicians to hold two mutually exclusive beliefs simultaneously never ceases to amaze me. Usually their cognitive dissonance comes out when discussing so-called rights. Most politicians seem to believe that the State has unlimited rights whereas the people have no rights.

The right to free speech? The State can say whatever it wants, even if it’s false, but the people should have certain restrictions placed upon what they can say. The right to bear arms? The people should be heavily restricted in what they are allowed to possess while the State should be allowed to have an unlimited number of goddamn nuclear weapons. The right to privacy? As Mr. Nunes demonstrated, the State should enjoy an expectation of privacy while the people should be surveilled at all times.

The politicians espousing their cognitive dissonance always have a convenient excuse. The right to free speech is dangerous when that speech is seditious, hateful, untrue, etc. The right to bear arms is dangerous in general because people use weapons to kill other people. The right to privacy is a direct threat to national security because it makes it more difficult for the State to find terrorists. All of these excuses would apply equally to the State but the politicians never mention that.

Written by Christopher Burg

February 15th, 2017 at 11:00 am

Your Browser is a Snitch

with one comment

The privacy-surveillance arms race will likely be waged eternally. The State wants to spy on people so it can better expropriate their wealth. Private companies want to spy on people so they can collect data to better serve them and better target ads at them. The State wants the private companies to spy on their users because it can get that information via a subpoena. Meanwhile, users are stuck being constantly watched.

Browser fingerprinting is one of the more effective tools in the private companies’ arsenal. Without having to store data on users’ systems, private companies are able to use the data surrendered by browsers to track users with a surprising degree of accuracy. But fingerprinting has been limited to individual browsers. If a user switches browsers their old fingerprint is no longer valid… until now:

The new technique relies on code that instructs browsers to perform a variety of tasks. Those tasks, in turn, draw on operating-system and hardware resources—including graphics cards, multiple CPU cores, audio cards, and installed fonts—that are slightly different for each computer. For instance, the cross-browser fingerprinting carries out 20 carefully selected tasks that use the WebGL standard for rendering 3D graphics in browsers. In all, 36 new features work independently of a specific browser.

New browser features are commonly used for tracking users. In time those features are usually improved in such a way that tracking becomes more difficult. I have no doubts that WebGL will follow this path as well. Until it is improved through, it wouldn’t be dumb to disable it if you’re trying to avoid being tracked.

Written by Christopher Burg

February 15th, 2017 at 10:30 am