A Geek With Guns

Chronicling the depravities of the State.

Archive for the ‘Crypto-Anarchism’ tag

EFAIL

without comments

A vulnerability was announced yesterday that affects both OpenPGP and S/MIME encrypted e-mails. While this was initially being passed off as an apocalyptic discovery, I don’t think that it’s scope is quite as bad as many are claiming. First, like all good modern vulnerabilities, it has a name, EFAIL, and a dedicated website:

The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.

The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim’s email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.

The weakness isn’t in the OpenPGP or S/MIME encryption algorithms themselves but in how mail clients interact with encrypted e-mails. If your e-mail client is configured to automatically decrypt encrypted e-mails and allows HTML content to be displayed, the encrypted potion of your e-mail could be exfiltrated by a malicious attacker.

I generally recommend against using e-mail for secure communications in any capacity. OpenPGP and S/MIME are bandages applied to an insecure protocol. Due to their nature as a bolted on feature added after the fact, they are unable to encrypt a lot of data in your e-mail (the only thing they can encrypt is the body). However, if you are going to use it, I generally recommend against allowing your client to automatically decrypt your encrypted e-mails. Instead at least require that your enter a password to decrypt your private key (this wouldn’t defend against this attack if your client is configured to display HTML e-mail content but it would prevent malicious e-mails from automatically exfiltrating encrypted content). Better yet, have your system setup in such a manner where you actually copy the encrypted contents of an e-mail into a separate decryption program, such as the OpenPGP command line tools, to view the secure contents. Finally, I would recommend disabling the ability to display HTML e-mails in your client if you are at all concerned about security.

If you perform the above practices, you can mitigate this attack… on your system. The real problem is, as always, other people’s systems. While you may perform the above practices, you can’t guarantee that everybody with whom you communicate will as well. If an attacker can exploit one party, they will generally get the e-mails sent by all parties. This is why I’d recommend using a communication tool that was designed to be secure from the beginning, such as Signal, over e-mail with OpenPGP or S/MIME. While tools like Signal aren’t bulletproof, they are designed to be secure by default, which makes them less susceptible to vulnerabilities created by an improper configuration.

Written by Christopher Burg

May 15th, 2018 at 11:00 am

Set a Strong Password on Your Phone

without comments

My girlfriend and I had to take our cat to the emergency vet last night so I didn’t have an opportunity to prepare much material for today. However, I will leave you with a security tip. You should set a strong password on your phone:

How long is your iPhone PIN? If you still use one that’s only made by six numbers (or worse, four!), you may want to change that.

Cops all over the United States are racing to buy a new and relatively cheap technology called GrayKey to unlock iPhones. GrayShift, the company that develops it, promises to crack any iPhone, regardless of the passcode that’s on it. GrayKey is able to unlock some iPhones in two hours, or three days for phones with six digit passcodes, according to an anonymous source who provided security firm Malwarebytes with pictures of the cracking device and some information about how it works.

The article goes on to explain that you should use a password with lowercase and upper case letters, numbers, and symbols. Frankly, I think such advice is antiquated and prefer the advice given in this XKCD comic. You can create more bits of entropy if you have a longer password that is easier to remember. Instead of having something like “Sup3r53cretP@5sw0rd” you could have “garish-bethel-perry-best-finale.” The second is easier to remember and is actually longer. Moreover, you can increase your security by tacking on additional words. If you want a randomly generated password, you can use a Diceware program such as this one (which I used to generate the latter of the two passwords.

Written by Christopher Burg

April 19th, 2018 at 10:00 am

Overt Internet Censorship

with 2 comments

The Internet, especially the free speech that it has enabled, was fun while it lasted but it has become obvious that the governments of the world will no longer tolerate such a free system. Of course few governments wants to admit to attacking free speech so they are using euphemisms. For example, the United States government isn’t censoring free speech, it’s fighting sex trafficking:

WASHINGTON (Reuters) – U.S. law enforcement agencies have seized the sex marketplace website Backpage.com as part of an enforcement action by the Federal Bureau of Investigation, according to a posting on the Backpage website on Friday.

Groups and political leaders working to end forced prostitution and child exploitation celebrated the shutdown of Backpage, a massive ad marketplace that is primarily used to sell sex. But some internet and free speech advocates warned the action could lead to harsh federal limits on expression and the press.

Notice how they managed to throw the “for the children” get out of jail free card in there? Shutting down Backpage wasn’t about prostitution, it was about human trafficking, especially the trafficking of children. It’s just like how the Stop Enabling Sex Traffickers Act (SESTA) is being sold as a law against sex trafficking but it’s really about opening the door to censoring any online material that offends the political class.

Fortunately, there are new frontiers. Tor Hidden Services and I2P offer a mechanism for server operators to keep their location concealed, which makes taking them down more difficult than taking down a standard Internet service. As the precedent being set by SESTA expands, more Internet service operators will find themselves having to utilize the “dark web” to avoid being censored.

Embracing the Darknet

without comments

Big changes came to the Internet shortly after Congress passed the Stop Enabling Sex Traffickers Act (SESTA). SESTA, like most legislation, has a name that sounds good on the surface but actually conceals some heinous provisions. One of those major provisions is holding website owners criminally liable for user generated content. This resulted in some drastic changes to sites like Reddit and Craiglist:

So far, four subreddits related to sex have banned: Escorts, Male Escorts, Hookers, and SugarDaddy. None were what could accurately be described as advertising forums, though (to varying degrees) they may have helped connect some people who wound up in “mutually beneficial relationships.” The escort forums were largely used by sex workers to communicate with one another, according to Partridge. Meanwhile, the “hooker” subreddit “was mostly men being disgusting,” according to Roux, “but also was a place that sometimes had people answering educational questions in good faith.”

[…]

Reddit yesterday announced changes to its content policy, now forbidding “transactions for certain goods and services,” including “firearms, ammunition, or explosives” and “paid services involving physical sexual contact.” While some of the prohibited exchanges are illegal, many are not.

Yet they run close enough up against exchanges that could be illegal that it’s hard for a third-party like Reddit to differentiate. And the same goes for forums where sex workers post educational content, news, safety and legal advice. Without broad Section 230 protections, Reddit could be in serious financial and legal trouble if they make the wrong call.

The passage of SESTA set a precedence that will certainly expand. Today Section 230 protections can be revoked for user generated content about sex trafficking. Tomorrow it could be revoked for user generated content involving hate speech, explaining the chemistry and biology behind how prohibited drugs work, showing the mechanics of how a machine gun operates, and so on. User generated content is now a liability and will only become more of a liability as the precedence is expanded.

Will this rid the world of content about sex work, drugs, and guns? Of course not. It will merely push that content to anonymized servers, commonly referred to as the “darkweb.” As laws make hosting content on the non-anonymized Internet a legal hazard, Internet users will find that they need tools like I2P and the Tor Browser to access more and more of the content they desire. The upside to this is that it will lead to a tremendous increase in resources available to developers and operators of “darkweb” technologies. Eventually the laws passed to thwart unapproved behavior will again make restricting unapproved behavior all but impossible.

Written by Christopher Burg

March 27th, 2018 at 11:00 am

There Must Always Be a New Frontier

without comments

The early days of the Internet were akin to the myth of the Wild West. There was no rule of law. First tens then hundreds and eventually thousands of little experiments were running simultaneously. Some experiments attracted users and flourished, other experiments failed to attract users and floundered. It didn’t matter much because it didn’t require a lot of capital to put a server online.

Some of the successful experiments became more and more successful. Their success allowed the to push out or buy up their competitors. Overtime they turned into multimillion and even multibillion dollar websites. Slowly but surely much of the Internet was centralized into a handful of silos. Much like the Wild West of mythology, the Internet gradually became domesticated and restricted.

There’s nothing unique about the story of the Internet. New frontiers have a tendency to slowly become “civilized.” The rule of law is established. Restrictions are put into place. The number of experiments continue to approach zero. However, “civilization” is never the end of experimentation. Experimenters simply need to move to a new frontier.

Innovation slows to a crawl and can even stop entirely without frontiers. The Internet is mostly “civilized” at this point. A handful of successful experiments such as Amazon, Facebook, and Google exercise a tremendous amount of control. With a simple statement they can make or break other experiments and amplify or silence voices. Moreover, the rule of law has been established by various national governments and they will only tighten their grips. In order for innovation to continue on the Internet, the next frontier must be explored.

Fortunately, there are several frontiers. The most popular are “darknets,” networks that bake anonymity in by default. If clients and servers are unable to identify each others’ locations, they can’t enforce rules on one another. Other frontiers are mesh networks. While mesh networks are able to access the Internet, they are also able to operate independently. Being decentralized, it’s far more difficult to enact widespread censorship on a mesh network than on the traditional Internet whose users depend on a handful of Internet Service Providers (ISP) for their connection. But the most exciting frontiers are the ones that remain entirely unexplored.

Of course the cycle will repeat itself. The next frontier will become “civilized,” which is why there must always be a new frontier if innovation is to continue.

Written by Christopher Burg

March 23rd, 2018 at 11:30 am

Posted in Liberty

Tagged with ,

Spook Squad

with one comment

I’ve often wondered how Geek Squad stays in business. The prices it charges for even the most trivial repairs are absurd. More and more I’m becoming convinced that Geek Squad stays in business because it is being propped up by the Federal Bureau of Investigations (FBI):

After the prosecution of a California doctor revealed the FBI’s ties to a Best Buy Geek Squad computer repair facility in Kentucky, new documents released to EFF show that the relationship goes back years. The records also confirm that the FBI has paid Geek Squad employees as informants.

EFF filed a Freedom of Information Act (FOIA) lawsuit last year to learn more about how the FBI uses Geek Squad employees to flag illegal material when people pay Best Buy to repair their computers. The relationship potentially circumvents computer owners’ Fourth Amendment rights.

While Geek Squad has been caught red handed working with the FBI, any employee at any computer repair company could be operating under the same deal. The FBI has a vested interest in access the information on as many computers as possible and people who repair computers often have unrestricted access to a lot of information on a lot of computers.

If you’re going to send your computer to somebody else for repairs, here are my recommendations to guard your privacy. If the device you’re sending in has a removable hard drive, remove the drive that is in it and replace it with a blank drive (one that has never been used to store personal information). On the blank drive install the operating system that came on the device and a user account with generic credentials (this is one of the few times where the password “password” is a good idea) so the repair person can log in. By doing this you ensure that the repair person doesn’t have access to any of your personal data. When the device comes back, format the drive that you provided the repair person, remove it, and install the hard drive with your data again.

If your device doesn’t have a removable drive, ensure that the first thing you do when you initially start the device after getting it out of the box is enable full disk encryption. When you need to send the device in for repairs, format the drive, reinstall the default operating system, setup a user account with generic credentials, and send the device in. When the drive comes back, wipe the drive again and restore your data from a backup. For those who are wondering why full disk encryption should be enabled it’s because formatting a drive doesn’t necessarily erase the data. By default formatting a drive wipes the file allocation table but leaves the data preserved. Enabling full disk encryption ensures that the data on the drive is unreadable without the proper decryption key. While formatting won’t erase the data, the data will be unreadable to the repair man if they attempt to restore the old file allocation table to pilfer your data for law enforcers.

Written by Christopher Burg

March 7th, 2018 at 11:00 am

Possible Theft Versus Guaranteed Theft

without comments

There are a lot of criticisms against cryptocurrencies. One criticism that I see come up periodically is that transactions can’t be reversed. If somebody manages to steal your cryptocurrency, there is no way to reverse the fraudulent transfer. Fraudulent electronic transactions in dollars, on the other hand, can be reversed.

That is a valid criticism. But I would like to point out something that is generally ignored by advocates of government issued money. Holders of dollars are being stolen from every moment of every day via purposeful inflation and there is no way to recover the purchasing power lost to inflation.

Cryptocurrencies can be stolen and if your cryptocurrency is stolen, there isn’t a damned thing you can do about it. However, government issued money is guaranteed to be stolen and there isn’t a damned thing you can do about it.

Written by Christopher Burg

March 1st, 2018 at 11:00 am

The Beginning of the End for Unsecured Websites

without comments

Chrome looks to be the first browser that is going to call a spade a spade. Starting in July 2018, Chrome will list all websites that aren’t utilizing HTTPS as unsecured:

For the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption. And within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

I think Let’s Encrypt was the catalyst that made this decision possible. Before Let’s Encrypt was released, acquiring and managing TLS certificates could be a painful experience. What made matters worse is that the entire process had to be redone whenever the acquired TLS certificates expired. Let’s Encrypt turned that oftentimes annoying and expensive process into an easy command. This made it feasible for even amateur website administrators to implement HTTPS.

The Internet is slowly moving to a more secure model. HTTPS not only prevents third parties from seeing your web traffic but, maybe even more importantly, it also prevents third parties from altering your web traffic.

Written by Christopher Burg

February 16th, 2018 at 10:00 am

Decentralized the Internet

without comments

I’m glad to see that other people are beginning to understand the need to decentralized the Internet:

Net neutrality as a principle of the federal government will soon be dead, but the protections are wildly popular among the American people and are integral to the internet as we know it. Rather than putting such a core tenet of the internet in the hands of politicians, whose whims and interests change with their donors, net neutrality must be protected by a populist revolution in the ownership of internet infrastructure and networks.

In short, we must end our reliance on big telecom monopolies and build decentralized, affordable, locally owned internet infrastructure. The great news is this is currently possible in most parts of the United States.

I’ve been saying this for years. If you want a feature like net neutrality, you have to control the infrastructure. Personally, I’d like to see a decentralized Internet that encrypts all traffic by default for both confidentiality and anonymity purposes. What people are calling net neutrality would be enforced by default on such a network because nobody could see the traffic to throttle or block it. However, it would come at a performance cost (TANSTAAFL).

One thing is certain, begging the Federal Communications Commission Fascist Communications Club (FCC) to enforce net neutrality isn’t a longterm solution as we’re seeing today. Under the Obama administration net neutrality was enforced by the FCC. Under the Trump administration it looks like it won’t be enforced. When the next administration comes into power it could go either way. Begging Congress isn’t any better because what one Congress passes a future Congress can eliminate.

Written by Christopher Burg

December 8th, 2017 at 11:00 am

Open Whisper Systems Released Standalone Desktop Client

without comments

Signal is my favorite messaging application. It offers very good confidentiality and is easy to use. I also appreciate the fact that a desktop client was released, which meant I didn’t have to pull out my phone every time I wanted to reply to somebody. What I didn’t like though was the fact that the Signal desktop client was a Chrome app. If you use a browser besides Chrome you had to install Chrome just to use Signal’s desktop client. Fortunately, Google announced that it was deprecating Chrome apps and that forced Open Whisper Systems to release a standalone desktop client.

Now you can run the Signal desktop client without having to install Chrome.

Written by Christopher Burg

November 1st, 2017 at 10:00 am