Tag: Crypto-Anarchism

Let’s Encrypt To Enter Public Beta On December 3rd

Unfortunately there are a lot of websites that still aren’t utilizing HTTPS to ensure confidential and unaltered communications between them and their users. One of the excuses often given by website administrators for not using HTTPS is that certificates cost money. Another excuse is that managing certificates is a huge pain in the ass.

StartSSL has been providing free certificates for years but administrators still have to manually manage them. A while ago a group of people decided to kill both birds with a single stone and began work on Let’s Encrypt. Let’s Encrypt is a certificate authority and software package that work together to provide automatically managed certificate to websites. It’s been in closed beta for a while and starting December 3rd it will be making the beta test available to the public.

This means anybody wanting a certificate will be able to request one. It also means there will no longer be any excuses for websites not to implement HTTPS. And with the ever more pervasive surveillance state it’s absolutely necessary to make HTTPS the default.

Setting Up An XMPP Server, Check Back Later

Between recovering from the plague, some server issues on the old server, and setting up an XMPP server I didn’t have time to get posts up.

Setting up XMPP is interesting. The first task is finding a server of which there are surprisingly few good ones to choose from. Originally I was going to use ejabberd as I’ve used it long ago. But I saw the developers have split it into “community” and “business” editions with the former lacking a lot of features (such as compatibility with other instant messenger services). My second choice was Openfire, which I settled on. The downside of Openfire is that it’s written in Java and I’m not of fan of installing Java on systems anymore (because I hate Oracle). Java aside, Openfire is pretty solid. The initial setup is a bit of a pain because it’s not available in any CentOS repositories and you have to do a little manual setup for the MariaDB database. After that you gain access to a web interface that makes everything else simple.

Because the universe likes to make my life stressful the virtual machine I initially setup became corrupted when VMWare fucked up a snapshot operation. So I had to redo all of the work mentioned above again.

Right now I’m doing a beta test with friends. Once I’m satisfied it’s solid I might make it available for others.

LastPass Sold To LogMeIn

LastPass, a password manager I have been recommending for years due to its ease of use and compatibility with pretty much everything, was bought out by LogMeIn. Based on what I’ve read on Twitter, Ars Technica, and Reddit LogMeIn is not a well liked company. In my experience acquisitions usually end up badly for users of the product being acquired. The fact that LogMeIn is viewed so negatively by a huge portion of the Internet further exacerbates my concerns that his acquisition is not good news for LastPass users.

I believe password managers are one of the easiest ways for the average person to improve their security. Due to this acquisition I can’t as confidently recommend LastPass as I have been previously doing. While I’m not going to go so far as to say you shouldn’t use LastPass, as the future is not known, I want to have other recommendations available if things go south.

To that end I’m going to recommend two products. The first is KeePassX. KeePassX is a free password manager that’s available for Windows, Linux, and OS X. It’s an open source product and seems to be well respected amongst users. Unfortunately syncing isn’t available out of the box (there are ways you can setup syncing though), which limits its utility for people who commonly use multiple devices. For many people this could be seen as a feature though as having your passwords, even in an encrypted formate, stored on a third-party server creates more opportunities for compromise. There also seems to be an absence of decent mobile clients.

The second password manager I’m going to recommend, and it’s the one I’m not using, is 1Password. 1Password was the runner up when I was first choosing a password manager. The two reasons I chose LastPass over it were price, LastPass Premium is much cheaper than 1Password, and the fact 1Password isn’t compatible with Linux. It is, however, compatible with OS X, Windows, iOS, and Android. Since I only use Linux and Windows in virtual machines the fact I don’t have password manager for those platforms isn’t that big of a deal (in fact I’ve never used LastPass on either platform outside of initial testing). 1Password can also sync your passwords across your devices with iCloud, Dropbox, or on your local network (although the last option only works between a single Mac and iOS devices so it’s severely limited). Right now the price is pretty reasonable as the developers are having a 40% off sale that is totally because of Cybersecurity Awareness Month and not at all because LastPass’s customers are pretty unhappy right now (it’s just a coincidence the sale start shortly after the news of LastPass’s acquisition broke).

It’s too early to panic over the LastPass acquisition. LogMeIn is promising to keep LastPass’s currently business model in place although those promises don’t seem to be well received due to the company’s history. I switched immediately because the writing on the wall isn’t to my liking and because I want to be familiar with an alternative in case things go south. If you’re happy with LastPass and the acquisition isn’t a concern for you (and let’s be honestly, it won’t be a concern for anybody for a while as it takes some time for the consequences of company acquisitions to manifest) keep using it.

Verizon To Sell Customer Data To AOL

There is a battle between Verizon and AT&T to determine which of the two companies is the most evil. Both companies have gone to tremendous lengths to fuck their customers over but Verizon’s latest ploy may be enough to put it ahead:

Verizon is giving a new mission to its controversial hidden identifier that tracks users of mobile devices. Verizon said in a little-noticed announcement that it will soon begin sharing the profiles with AOL’s ad network, which in turn monitors users across a large swath of the Internet.

That means AOL’s ad network will be able to match millions of Internet users to their real-world details gathered by Verizon, including — “your gender, age range and interests.” AOL’s network is on 40 percent of websites, including on ProPublica.

Here again we see the need for HTTPS everywhere. The key to Verizon’s tracking technology is its ability to inject a tracking number into its customers’ web traffic. HTTPS is not only good at preventing people in the middle of a client-server communication from seeing content. It’s also good at preventing people in the middle from altering the content in any way.

Verizon’s tracking technology works by exploiting the fact insecure web traffic can be modified. The modification, in this case, is including a traffic number, that is invisible to the user, into a customer’s web traffic. This is made possible by the fact Verizon, the customer’s Internet service provide, sits in the middle of all communications between its customers and the Internet. By using HTTPS to secure the connect between the customer and websites on the Internet Verizon can no longer alter the traffic and therefore cannot inject its tracking number.

I’m obviously beating a dead horse on this one but I will continue to do so until every website using HTTPS exclusively.

Cell Phone Carrier Illegally Tapped Journalist’s Phone Proving Privacy Can’t Be Protected By Laws

Whenever a bill purporting to strengthen privacy protections enters the political field I receive numerous requests to support it. I always politely decline, which results in the advocate saying some variation of “I know you’re an anarchist but it doesn’t take any time to call your representatives.” It’s a false argument because it does take time to call the person who supposedly represents me (even though I never appointed him to represent me) in Congress. And since privacy laws are ineffective at protecting privacy it takes time that will gain me absolutely nothing, which is not a wise investment in my opinion.

Privacy laws are just like any other State decree. Those who are willing to tolerate the laws will follow them and those who find them burdensome will ignore them:

Telco giant Vodafone illegally ­accessed a journalist’s mobile phone records to discover the source of stories about the company, hid systemic privacy breaches from authorities and covered up fraud in its Brisbane office, according to ­internal documents.

An investigation into these allegations is currently under way. The outcome is irrelevant since the damage has already been done and it’s unlikely Vodafone will be made to pay compensation to the involved parties (usually whatever government agency oversees the regulation gets the winnings from any trail with maybe a pittance given to those actually harmed).

Protecting privacy can only be done by directly protecting it. Once privacy has been violated it’s too late to defend it. That’s why I push cryptography so heavily. Privacy laws are irrelevant if you have taken effective measure to protect your privacy. If you’ve failed to protect your privacy the laws are still irrelevant because the damage has already been done.

Begging the State to issue decrees is a waste of your time that can be better spent learning how to actually address the issue you’re petitioning the State about.

AT&T Demonstrates Why HTTPS Is Needed Everywhere

Ads have become a notable threat to computer security. While they are a fact of life for accessing content without paying directly for it you wouldn’t expect a company that you pay money to to infest your web experiences with ads. But some companies like to double dip. AT&T is one of those companies. In addition to getting customers to pay for hotspots AT&T is also maliciously inserting ads into websites visiting through its hotspots:

While traveling through Dulles Airport last week, I noticed an Internet oddity. The nearby AT&T hotspot was fairly fast—that was a pleasant surprise.

But the web had sprouted ads. Lots of them, in places they didn’t belong.

[…]

Curious, and waiting on a delayed flight, I started poking through web source. It took little time to spot the culprit: AT&T’s wifi hotspot was tampering with HTTP traffic.

The ad injection platform appears to be a service from RaGaPa, a small startup. Their video pitch features “MONETIZE YOUR NETWORK” over cascading dollar signs. (Seriously.)

When an HTML page loads over HTTP, the hotspot makes three edits. (HTTPS traffic is immune, since it’s end-to-end secure.)

First, the hotspot adds an advertising stylesheet.

[…]

Next, it injects a backup advertisement, in case a browser doesn’t support JavaScript. It appears that the hotspot intercepts /ragapa URLs and resolves them to advertising images.

[…]

Finally, the hotspot adds a pair of scripts for controlling advertisement loading and display.

The title of this post promised Hypertext Transfer Protocol Secure (HTTPS) so some may be wondering what HTTPS has to do with ad injection. Simply put, this kind of bullshit can’t happen when the connection between a client and the server is encrypted. A man in the middle, which AT&T is in this case, cannot see the contents of an encrypted communication and if attempts to make any sort of alteration the decryption process will fail.

You won’t see any AT&T injected ads on this blog because everything is secured with HTTPS (the insecure HTTP interface just 301 redirects to the HTTPS connection). If every website did this the business model being used by RaGaPa, the ad injection services being used by AT&T, would be a total failure.

Securing connections doesn’t just protect against eavesdropping. It also protects again altering the contents, which can be just as big of a problem if not an even bigger one. In fact content integrity is another reason why the “nothing to hide” crowd should be ignored in discussions of pervasive cryptography. Cryptography is about so much more than hiding content.

The Best Argument For Encryption Yet

I’ve made a lot of good arguments favoring effective encryption. Effective encryption protects at risk people from oppressors by concealing their identities and communications, ensures data integrity by preventing third parties from altering data unknowingly, provides a way to verify authenticity and the identity of content creators, etc. Ironically though Jeb Bush made have inadvertently made the best argument for effective encryption:

“If you create encryption, it makes it harder for the American government to do its job—while protecting civil liberties—to make sure that evildoers aren’t in our midst,” Bush said in South Carolina at an event sponsored by Americans for Peace, Prosperity, and Security, according to The Intercept.

Effective encryption makes the American government’s job harder?

grumpy-cat-good

Assault, murder, theft, extortion, and kidnapping should be hard and anything that makes those criminal activities harder is a good thing.

CryptoParty On August 30th

I don’t have much for you today because I spend my evening at a meeting hammering out the final details of an upcoming CryptoParty. On August 30th CryptoPartyMN will be hosting a CryptoParty at the Hack Factory. We’re still figuring out a few final details but we will be discussing public-private key cryptography, Off-the-Record (OTR) messaging, full disk encryption, and Tor for certain. We may cover other topics as time permits.

For those who don’t know these events are meant to be hands-on. You bring your laptops, tablets, and phones and learn how to utilize secure communication tools. Hopefully I’ll see a few of you there.

Cat And Mouse Game

Since they want to revolutionize the world you would think libertarians would be hard to beat down. But so many of them, at least in my experience, are willing to roll over if the alternative requires too much work. Computer security is one of those things that tend to require too much work for the average libertarian.

Libertarianism is about wrestling power away from the state. One way of doing this is exploiting economics. The more resources you can make the state misallocate the less it will available for maintaining and expanding its power. That being the case cryptography should be every libertairans best friend. Cryptography, even when it’s not entirely effective, still forces the state to allocate more resources into its surveillance apparatus. Even data secured with weak cryptography requires more effort to snoop than plaintext data. When you start using effective cryptography the amount of resources you force the state to invest increased greatly.

Learning how to use cryptographic tools requires quite a bit of initial effort. Instead of investing their time into learning these tools a lot of libertarians invest their time in creating excuses to justify not learning these tools. One of the excuses I hear frequently is that current cryptographic tools will be broken in a few years anyways.

It’s certainly possible but that’s not an excuse. Cryptography is a cat and mouse game. As cryptographic tools improve the tools used to break them need to improve and as those tools improve cryptographic tools need to improve again. In keeping with the theme I established above the key to this cycle is that the tools to break cryptography need to improve as cryptography improves. In other words adopting better cryptography forces the state to allocate more of its resources into improving its tools to break cryptography. Using effective cryptography today forces the state to invest resources today. If you don’t use it the state doesn’t have to invest resources to break it and therefore has more resources to solidify its power further.

Libertarians have to accept the fact that they’re in a big cat and mouse game anyways. As libertarians work to seize power from the state the state develops new ways to maintain its power. Surveillance is one way it maintains its power and effective cryptography turns it into a cat and mouse game instead of a mouse and mousetrap game. So stop making excuses and start learning about these tools.

Don’t Return To The Caves

Robert Anton Wilson popularized the words neophiles and neophobes to describe people who enjoy and can adapt to rapid changes and those who fear and oppose change respectively. Whenever neophiles create and adopt a technological advancement neophobes step in to try and retard it. Strong cryptography allows individuals to securely communicate between one another. Neophobes, who are fearful by nature, cannot accept the idea of people having conversations that cannot be spied on. Advancements in automation require less human labor to produce more goods and services. Neophobes fear automation because they cannot conceive of a world where laborers don’t have to work as much or can find meaningful employment after being displaced by machines. Genetically modified crops can dramatically increase our species food production and feed more people with less resource expenditure. Neophobes want to halt production of genetically modified crops because they fear tampering with nature will have frightening and currently unrealized consequences.

The biggest difference between neophiles and neophobes is the former understands risks are inherent in change and accepts those risks while the latter fears change because it involves unknown risks.

Would you enjoy living a much shorter and hard life as a hunter gatherer in a cave? Because that’s what we’d all being doing if everybody listened to the neophobes. Advancement is scary because we don’t know how they will change the world. But advancement is far less scary than stagnation. This is why I don’t give any weight to arguments against technological advancement.

Are there risks in widespread availability to strong cryptography? Yes. Are there risks in allowing machines to do more and more of our labor? Yes. Are there risks in creating and cultivating genetically modified crops? Again, yes. However there are risks in enabling widespread surveillance, relying on manual labor, and refusing to advance agriculture. Those risks are powerful police states, injuries and deaths on jobs, and starvation.

Since the industrial revolution we’ve enjoyed a world where neophilia has surpassed neophobia. Even though we’re enjoying a standard of living unheard of only a generation ago the neophobes are still pounding their drums and trying to scare people into returning to the caves. Do you want to live in a world where we’re relegated to subsistence agriculture or one where robots produce more food than our species can possibly consume? If you, like me, desire the latter then you should work to ensure technological advancement isn’t hindered by neophobes. That means not supporting any efforts to stop the advancement of technology. Don’t support attempts to control the exportation of strong cryptography. Don’t support attempts to stop the adoption of automation. Don’t support prohibitions against genetically modified crops. Try to help technological advancements to flourish so more people can enjoy their benefits. Refute the neophobic fear mongering by pointing out how not adopting new technologies is also risky and how the fears of neophobia have seldom, if ever, been realized. Don’t help those who would return us to the caves.