Tag: Crypto-Anarchism

Irony at It’s Finest

Anonymity is very important, which is why I hold Tor’s developers in high regard. Tor has helped political dissidents in especially tyrannical regimes speak out, made the drug trade safer by raising a barrier of anonymity between buyers and sellers, and gives people with jealous significant others a way to keep their communications secret. So when I see somebody harass any of the Tor developers my initial reaction is “Fuck that guy!”

Well an unsavory dude decided to harass Andrea Shepard, one of Tor’s developers, and learned a lesson about how valuable online anonymity is:

What happens when you troll Tor developers hard? You get unmasked.

Towards the end of last week, a troll who had sent various aggressive tweets to a host of security experts and privacy advocates associated with the Tor project and browser, which enables online anonymity, had his identity exposed. To some, that may seem hypocritical. To others, it seems like justice.

Andrea Shepard, the Tor developer who uncovered the real identity of her troll, says she was being harassed on and off for a year by a range of tweeters, all believed to be the sockpuppets of one man. The main source of abuse came from a Twitter account @JbJabroni10, but others included @JbGelasius, @SnowdenNoffect, @LimitYoHangout, @HaileSelassieYo, @thxsnowman and @PsyOpSnowden.

[…]

Things came to a head when some lighter mockery was aimed at Shepard last week, using information the troll had gleaned from her LinkedIn profile and personal website.

Unfortunately for the troll, this gave Shepard an IP address belonging to an iPhone that used a work network at atlantichealth.org to access her site. She also had some job information through LinkedIn’s “profiles that viewed yours” feature.

After searching LinkedIn for anyone with the role at Atlantic Health, she came across two profiles: one which didn’t have a name connected to it, another for a man named Jeremy Becker. She then used the Spokeo service to search for Jeremy Beckers in New Jersey, and a search for pharmacist licensees, and found only one, which gave her the middle initial ‘T’ and a hometown of Princeton, New Jersey.

She also had his father’s name, Edward Becker, and was able to find a Twitter account @ebecker which followed @JbJabroni10 and an inactive one for @JoyBecker52, apparently matching his mother Joyce Becker. Shepard had her man.

And then on 28 November, seven of the Twitter accounts linked to Becker seemed to go dark. He’d been scared off the face of the internet, to the cheers of the pro-Tor and anti-troll crowds.

Now that’s justice porn. And it should prove to be a valuable lesson to others who feel it necessary to harass security professionals. If somebody’s job is developing one of the most successful online anonymity tools chances are pretty good that they know how to uncover personally identifiable information. After all, you need to know how an attack works in order to defend against it.

You May Not Be Free But Encryption Works

The feds have been throwing a hissy fit since Apple and Google both announced that device encryption will be enabled by default on all of their mobile devices. Members of the Department of Justice have even gone so far as to imply that Apple (and, likely, Google) are marketing their devices to criminals and will ultimately be responsible for the death of a child (when all else fails just think of the children). But many people still wonder if these public tantrums are just for show. Do the feds have magical super-quantum-hyperdrive-computers that can crack any form of encryption ever?

Further evidence indicates they do not. Courts documents have been found showing how desperate the feds are getting in order to break device encryption:

OAKLAND, CA—Newly discovered court documents from two federal criminal cases in New York and California that remain otherwise sealed suggest that the Department of Justice (DOJ) is pursuing an unusual legal strategy to compel cellphone makers to assist investigations.

In both cases, the seized phones—one of which is an iPhone 5S—are encrypted and cannot be cracked by federal authorities. Prosecutors have now invoked the All Writs Act, an 18th-century federal law that simply allows courts to issue a writ, or order, which compels a person or company to do something.

A magical piece of paper that can compel you to do work for the state? Obviously we live in the freest country on Earth! While this story is further evidence that we’re little more than serfs in the eyes of the state it also shows that encryption works.

I know a lot of conspiracy theorists believe that the feds have magical computers that can break any form of encryption by utilizing subspace frequencies or some sort of bullshit like that. If that is true then the state must either be trying to keep it hush hush by not utilizing it (which would make it useless) or it costs a small fortune to operate (which makes it almost useless) because coercing people with the court system is terribly inefficient. So I think these court documents are a good indication that device encryption works pretty well and that’s reassuring.

Obviously rubber-hose cryptanalysis, which issuing legal threats is certainly a form of, is very effective so the question will become whether or not Apple is technically capable of bypassing the iPhone 5S’s encryption. Hopefully it is not.

GPGTools on OS X Yosemite

I finally upgrade my main system to OS X Yosemite. Why didn’t I upgrade it earlier? Because GPGTools, which I use for secure e-mail communications, wasn’t compatible with the new version of Mail. However the great team working on GPGTools released a beta earlier this month of a compatible version of their tools.

I’m happy to report that the beta works quite well (at least as far as my testing is concerned). One thing to keep in my is that the GPGTools team is going to charge for the final release of this updated tool. I have no problem with this because they do excellent work and have committed themselves to keeping the tool set open source. But Thunderbird and the Enigmail plugin are still free, which is something you may want to consider.

When the Cloud is More Secure

I’ve annoyed a great many electrons explaining how to free yourself from “the cloud” (online services controlled by the likes of Microsoft, Yahoo!, and Google). The reason I advocate individuals use self-hosted services is because it’s more difficult for creepers like the National Security Agency (NSA) to collect all of your data. As an anarchist the state is one of the most common malicious attackers in my threat models. But after gaining some experience helping somebody deal with a surveillance happy significant other I’ve finally had to consider other threat models. Namely models involving local threats. This is where “the cloud” comes in.

Consider a domestic abuse situation. The threat is likely going to be somebody who lives with you and therefore has physical access to your devices. Physical access is the death knell of any security setup (although with encrypted data storage the difficult of exploitation, assuming the threat isn’t using rubber hose cryptanalysis, has greatly increased) so what can you do? Move your data to “the cloud” and access it with anonymizing tools.

The last part is very important. If you access your “cloud” data from your normal machine using the standard tools there will be records left all over the place. However, if you use something like a Tails boot disk, which doesn’t write anything to any storage media by default and pumps all Internet traffic through Tor to render local network monitoring tools impotent, there will be very little evidence of you having created or access any data (although Tor doesn’t hide the fact that you’re using Tor, which is something to keep in mind if your network is being monitored locally).

In a situation where the data you create could agitate your threat it’s best to make sure that data is hidden. I haven’t really had time to go over the finer details of this threat model so what I’m writing here is simply a very brief introduction to something I’ve had to consider recently. Much more work is necessary on my part and I will try to post updates of what I come up with in the hopes it can help other people.

Encrypt Your Hard Drive

Modern versions of Windows, Linux, and Mac OS all have built-in utilities to completely encrypt the contents of your hard drives. Use these tools. Many people don’t encrypt their drives because they believe they have nothing to hide. But encryption your drive also protects against individuals altering the contents on your drive. This can be very valuable.

While an operating system will attempt to prevent unauthorized users from altering files or installing software when it has been booted by it will be rendered powerless if another method is used to boot the system, such as a boot disk. An encrypted hard drive, on the other hand, cannot be written to (any alteration of the encrypted data will appear to be garbage when you attempt to decrypt the drive) unless it is decrypted with the appropriate key.

That means an encrypted disk will prevent an attacker with physical access from installing software keyloggers, rootkits, and other potentially troublesome forms of malicious software.

I spent a decent portion of last night helping somebody deal with this scenario. As a related side note if you suspect your jealous and/or abusive significant other of having installed surveillance software on your system feel free to contact me. I will provide what assistance I can and I won’t charge a dime.

Another Reason to Implement HTTPS Everywhere

There is no reason for a website to not at least have an HTTPS connection available to users. When websites like StartSSL provide free certificates the old excuse of costs is no longer even applicable. Computer hardware has increased to the point where offering secure connection isn’t really that big of a drain on a server. And HTTP is just plain dangerous. Not only can any traffic sent over HTTP be viewed by anybody between the two communicating points but it can be altered without either point knowing. That is what Verizon is now doing to its customer’s HTTP traffic:

Over the past couple of days, there’s been an outpouring of concern about Verizon’s advertising practices. Verizon Wireless is injecting a unique identifier into web requests, as data transits the network. On my phone, for example, here’s the extra HTTP header.1

X-UIDH: OTgxNTk2NDk0ADJVquRu5NS5+rSbBANlrp+13QL7CXLGsFHpMi4LsUHw

After poring over Verizon’s related patents and marketing materials, here’s my rough understanding of how the header works.

[…]

In short, Verizon is packaging and selling subscriber information, acting as a data broker on real-time advertising exchanges. Questionable. By default, the information appears to consist of demographic and geographic segments.2 If a user has opted into “Verizon Selects,” then Verizon also shares behavioral profiles built by deep packet inspection.

This is a dirty trick only made possible over unsecured connections. Secure connections, in addition to preventing anybody in between two communicating points from snooping on the communications, also provides mechanisms to verify that the data wasn’t altered when traversing between its start and end points. This is done with a wonderful algorithm called hashbased message authentication codes (HMAC). If the contents of the message are altered in any way the HMAC will not match and the receiver can verify that the message received doesn’t match the message that was sent. HTTP, unfortunately, has no way of providing this functionality so there is no way to know whether or not the data has been altered in transit.

The bottom line is HTTP needs to die and HTTPS needs to replace it for every website.

Technology is Trumping Statism Again

Regardless of the laughable claims made by an author at Daily Kos, market anarchism is showing how practical its rhetoric is once again. This time the place is Venezuela, the problem is currency controls and economic collapse, and the solution is Bitcoin:

(Reuters) – Tech-savvy Venezuelans looking to bypass dysfunctional economic controls are turning to the bitcoin virtual currency to obtain dollars, make Internet purchases — and launch a little subversion.

Two New York-based Venezuelan brothers hope this week to start trading on the first bitcoin exchange in the socialist-run country, which already has at least several hundred bitcoin enthusiasts.

While the Venezuelan government continues its attempt to control its population through economic controls its power is quickly fading as its economy collapses and more people turn to the “black” market for basic necessities. This is similar to what happened during the collapse of the Soviet Union.

Once the state’s controls have been circumvented its death is inevitable.

Internet Defensive Services

The dust is beginning to settle after the Fappening. For those who haven’t been following along the Fappening involved individuals gaining unauthorized access to nude photos of celebrities stored on Apple’s iCloud service. Earlier this week the Fappeneing was looking to strike again as a website appeared with a countdown. The site claimed that when the countdown reached zero nude photos of Emma Watson would be released. As it turns out the site was a hoax and now there is a debate about whether it was a hoax created by 4chan itself or a marketing company aimed at taking down 4chan. But the mere existence of the site created a shitstorm that has fueled a lot of angry ranting. Most of the ranting can be summarized by the idea that women aren’t safe on the Internet.

First of all let me say that it’s good that people are in an uproar. Data breaches suck but all too often they raise little ire. When they do manage to piss a lot of people off resources get diverted to tighten security. But so long as people aren’t outraged companies are all too happy to let known security issues linger until somebody gets bit in the ass. While Apple has finally taken measure to fix the iCloud vulnerability the damage has been done. The images are out there and there’s no way to remove them since the Internet is forever.

But this situation got me thinking. Stunts like the Fappening are all too easy to pull off because the minor risks involved are seldom dissuasive. To prevent thing like the Fappening from occurring again the risks need to be increased. Most people seem to be aware of this and they have been demanding stronger laws against unauthorized computer access and other state interventions. Let me say that demanding state intervention is pointless. The state doesn’t give a fuck about anybody but itself and its cronies. It will only exploit these situations to gain more power for itself over the Internet without actually address the issue.

What we really need are hackers. As an anarchist I’m a proponent of a compensatory justice system, social ostracization, and outlawry. Suffice to say when it is possible to compensate somebody for a wrong then they should be compensated. If an individual or individuals have a habit of shitty behavior then the community should ostracize them. And if somebody refuses to abide by the laws of society (the natural laws created through spontaneous order, not the decrees issued by the state) they should not receive the protection of the law. For any of this to be possible the identity of the bad actors must be uncovered.

My proposal is complex and revolutionary since it works outside of the state (in fact by the state’s very laws it is illegal as hell). But I put forth that hackers should form organizations with the purpose of identifying bad actors and seeking justice against them. This obviously requires a lot of investigative work and either cooperation from organizations that have suffered data breaches or gaining unauthorized access to their systems to collect forensic information. Once the bad actors have been uncovered justice can be sought. Depending on the severity of the offense justice may entail something as simple as compensation paid to the victim or as complex as attacking any system in that person’s possession with the express purpose of preventing them from gaining access to the Internet. In especially egregious circumstance destruction of their data, credit ratings, and identity may be called for.

In other words I propose we create our own justice system just as stateless societies have in the past. I subscribe to the ideas expressed in the Crypto Anarchist Manifesto. The Internet is the realm of those who use it, not the state. To borrow a page from agorism we need to create our own goods and services and utilize the market to determine where resources should be prioritized. Seeking justice against those who gain unauthorized access to other people’s personal data sounds like a good place to put some resources. And it’s something that people can do. Most of the electrons spilled over the Fappening have been in the form of impotent bitching. Take the article I linked to that claimed women aren’t safe on the Internet. A group of feminist hackers coming together to seek justice against those who wrong women online could create a safer Internet for women. It certainly would accomplish more than complaining has.

Comcast Continues Its Quest to be The Most Dickish Company Ever

Comcast has a mission. That mission is to be the single most dickish company in the world. Between it’s horrible customer service, attempts to convince people it supports net neutrality through shady marketing, and continued attempts to regulate competition out of existence Comcast gotten far in realizing its goal. But all of this still isn’t enough to win the crown of dickishness so Comcast is now injecting advertisements into webpages served by its publicly accessible Wi-Fi access points:

Comcast has begun serving Comcast ads to devices connected to one of its 3.5 million publicly accessible Wi-Fi hotspots across the US. Comcast’s decision to inject data into websites raises security concerns and arguably cuts to the core of the ongoing net neutrality debate.

A Comcast spokesman told Ars the program began months ago. One facet of it is designed to alert consumers that they are connected to Comcast’s Xfinity service. Other ads remind Web surfers to download Xfinity apps, Comcast spokesman Charlie Douglas told Ars in telephone interviews.

The advertisements may appear about every seven minutes or so, he said, and they last for just seconds before trailing away. Douglas said the advertising campaign only applies to Xfinity’s publicly available Wi-Fi hot spots that dot the landscape. Comcast customers connected to their own Xfinity Wi-Fi routers when they’re at home are not affected, he said.

Now that’s some dickish behavior! Injecting code into a page without the permission of the page owner is something mostly attributed to malicious software. Granted Comcast is pretty malicious so I believe calling its injected ads malware isn’t dishonest. But this story also makes another very important point:

One way to prevent this from happening, he said, is for websites to encrypt and serve over HTTPS. But many sites do not do that.

There’s no reason this day and age for a website to have an unsecured connection available. Companies like StartSSL will provide free Transport Layer Security (TLS) certificates for personal use and change a very reasonable fee for commercial use. Almost every (I’m not actually aware of any exceptions) personal computer, tablet, and smartphone made in the last decade is capable of communicating via secured connections. If you’re running a website get a TLS certificate, load it on your server, and force the unsecured connection to redirect to the secured connection (that’s what I do on this site). For those of you who are using a hosting service that doesn’t give you the option of enabling TLS demand that they offer that capability or provide the certificates and enable TLS for you. Allowing only TLS connections not only prevents third parties from eavesdropping but it also prevents third parties from altering pages in transit. We’re at a point (and have been for a long time) where the benefits of TLS far outweigh the negatives.

You Should Probably Stop Using TrueCrypt

One of my favorite security tools must now be added to my blacklist. Yesterday all hell broke loose as the TrueCrypt website had a rather dramatic update. It now redirects visitors to a SourceForge site that warns users to not use TrueCrypt anymore and to instead rely on the encryption features built into most operating systems. Needless to say this has caused quite a stir.

There are a lot of theories surrounding what really happened. Many people are claiming that the TrueCrypt website was hacked. If that is the case then the hack was really good. In addition to redirecting users to the SourceForce site the hackers would have also obtained the private key used by the TrueCrypt team to sign their releases as a new version of TrueCrypt, which was signed by the team’s key, was made available on the website. The hackers would have also had to write the newly released version of TrueCrypt, which removed all of the encryption capabilities (it’s basically a TrueCrypt partition decrypter now). While all of this isn’t outside the realm of possibility it would require either a great deal of sophistication or an insider.

Others have theorized that this reaction was due to the TrueCrypt team receiving either a National Security Letter (NSL) or being otherwise coerced by the state. This, in my opinion, is more likely than a hack. Lavabit shutdown rather than comply with the state’s demand to provide a means to decrypt user e-mail. It’s possible the TrueCrypt team decided to abandon its product rather than compromise it.

I also have a theory that, like all of the other theories circulating, has no evidence to back it up. For a while the primary focus of TrueCrypt has been booting Windows from an encrypted partition. This feature is not really possible on systems that utilize Secure Boot. Perhaps in a fit of frustration the TrueCrypt team decided to give up on future development because their pet feature was no longer viable. Or they may have decided the work to support other operating systems was no longer worth the effort since Windows, Linux, and OS X all have the ability to boot from an encrypted drive.

Regardless of the reason it’s fairly safe to recommend that people stop using TrueCrypt. This could very well be a very good hack but we don’t know and since we don’t know we have to assume that what the site says is legitimate and that TrueCrypt may have some major security flaws in it.