A Geek With Guns

Chronicling the depravities of the State.

Archive for the ‘Security Theater’ tag

Assume All Source Code is Open Source


Let’s pretend that you’re a fool and believe that security through obscurity works. Because of your foolish belief you sought closed source security software. Since potential adversaries can’t see the source code, they can’t find vulnerabilities in it to attack you with, right? Not so much. Just because software is closed source doesn’t mean nobody is allowed to see the source code. HP recently granted Russia permission to review the source code of one of its security software packages:

Last year, Hewlett Packard Enterprise (HPE) allowed a Russian defense agency to analyze the source code of a cybersecurity software used by the Pentagon, Reuters reports. The software, a product called ArcSight, is an important piece of cyber defense for the Army, Air Force and Navy and works by alerting users to suspicious activity — such as a high number of failed login attempts — that might be a sign of an ongoing cyber attack. The review of the software was done by a company called Echelon for Russia’s Federal Service for Technical and Export Control as HPE was seeking to sell the software in the country. While such reviews are common for outside companies looking to market these types of products in Russia, this one could have helped Russian officials find weaknesses in the software that could aid in attacks on US military cyber networks.

I don’t subscribe to the belief that open source software is inherently more secure (however, I do believe open source software offers several advantages over closed source software that are unrelated to security). I think the numerous critical vulnerabilities discovered in OpenSSL put that belief to bed. However, I also don’t believe that closed source software is inherently more secure. Just because a developer doesn’t share its source code with everybody doesn’t mean it doesn’t share its source code with third parties. In the case of HP, one of the third parties granted access to its source code was an adversary of one of its customers.

If you’re purchasing software from a third party, you have no control over who it shares its source code with. So if you believe in security through obscurity, closed source software won’t offer you any advantage, perceived or otherwise.

Written by Christopher Burg

October 6th, 2017 at 10:00 am

Posted in Technology


But Wait, There’s More


Equifax has already displayed a staggering level of incompetence, but, like a Billy Mays commercial, there’s more:

The official Equifax Twitter account encouraged people to visit a knock-off website that mocks the company’s security practices instead of the site the company created to warn of a massive data breach. That recent breach exposed personal details for as many as 143 million US consumers.

In a tweet on Tuesday afternoon, an Equifax representative using the name Tim wrote: “Hi! For more information about the product and enrollment, please visit: securityequifax2017.com.” The message came in response to a question about free credit monitoring Equifax is offering victims. The site is a knock-off of the official Equifax breach notification site, equifaxsecurity2017.com. A security researcher created the imposter site to demonstrate how easy it is to confuse a legitimate name with a bogus one. The Equifax tweet suggests that even company representatives can be easily fooled. The tweet was deleted late Wednesday morning, more than 18 hours after it went live.

It’s almost as if large credit agencies like Equifax aren’t held accountable for screwing up and therefore aren’t motivated to do an effective job. Weird.

Statists continue to claim that government is necessary to deliver justice when large corporations like this screw up. However, I’m still waiting to see the government do anything more than give a corporation like this a minor slap on the wrist for fuck-ups of this magnitude. Hell, I’m still waiting to see the government give Equifax a stern talking-to over this series of amateur mistakes. As far as I can tell, government seems to exist primarily to protect large corporations like this from the competitors that would currently be tearing it apart if there were a free market.

Written by Christopher Burg

September 22nd, 2017 at 10:30 am

Plan Ahead


Planning ahead can save you a great deal of grief, frustration, and money:

Two things are true of all festivals: the security is super tight and the booze is very expensive.

[…]

One guy from New York named Alex found an ingenious way to get past these two road blocks. Three weeks before the Electric Zoo festival in New York City, Alex travelled to Randall’s Island, where the event is located, with a bottle of Vodka in arm.

He filled a reusable bottle with the Vodka and using a small shovel that he brought with him, Alex and his friends buried the bottle of booze in the ground a long time before the festival crew arrived to construct the stages for the event.

Alex is a real American hero (I know this story could be fake but I want it to be true so I’m going to believe it is).

On a more serious note, this tactic could also work for smuggling weapons into outdoor festivals. I wonder how many security providers have considered such a threat model. It’s also a difficult threat model to defend against since a security team would have to run metal detectors across the entire grounds and that would only offer protection against metallic weapons.

Written by Christopher Burg

September 14th, 2017 at 10:00 am

The TSA Continues Its 95 Percent Failure Rate


Two years ago we learned that the Transportation Security Administration (TSA) failed 95 percent of red team exercises. With such an abysmal record, the agency must have spent the last two years furiously improving its security screening processes, right? If the Minneapolis-St. Paul International Airport (MSP) is any indication, the TSA hasn’t improved its processes at all:

Last Thursday, what’s referred to as the “Red Team” in town from Washington D.C., posed as passengers and attempted to sneak items through security that should easily be caught.

In most cases, they succeeded in getting the banned items through. 17 out of 18 tries by the undercover federal agents saw explosive materials, fake weapons or drugs pass through TSA screening undetected.

Two sources said that the tests carried out Thursday were eventually stopped after the failure rate reached 95 percent.

It’s pretty sad when the exercise has to be stopped because the failure rate was only a hair’s breadth away from 100 percent.

I’m sure a spokesperson for the MSP TSA will have a list of excuses to try to explain away the 95 percent failure rating. But there’s no arguing that a 95 percent failure rating is tough to distinguish from having no security at all. If the TSA were abolished today and replaced with nothing, the only real difference would be that air travelers wouldn’t have to show up at the airport two hours early just to get through the security line and the taxpayers would save a lot of money. Of course, the TSA wouldn’t be replaced with nothing; it would be replaced with private security, which would be a significant improvement. Unlike the TSA, which has faced no repercussions for its ongoing 95 percent failure rating, private security firms can be held accountable and are therefore motivated to improve.

Written by Christopher Burg

July 6th, 2017 at 10:00 am

Not Surprising for an Agency with a 95 Percent Failure Rate


Almost two years ago it was revealed that the Transportation Security Agency (TSA) missed a whopping 95 percent of restricted items. You would think that such a damning report would have led to a top-to-bottom rework of the agency’s practices. But the TSA is a government agency, which means it doesn’t suffer consequences for failing, unlike market actors, and therefore has no motivation to improve. That’s why, two years later, we still get to read stories like this:

An off-duty policewoman flew from Los Angeles international airport (LAX) to Taiwan with a gun in her hand luggage.

The weapon was not detected during security screening and Noell Grant only realised she was carrying it as she changed planes in Taipei.

At one point I noted that the TSA exists solely to provide warm and fuzzy feelings to passengers who are too ignorant to realize that the agency isn’t securing anything. But as these stories continue to roll out, even ignorant fools are likely becoming aware of the fact that the TSA is just as ineffective as every other government agency. When that realization sets in, the warm and fuzzy feelings of ignorance vanish, which means the agency serves no purpose whatsoever. The TSA should be completely abolished tomorrow.

Written by Christopher Burg

April 21st, 2017 at 10:00 am

Watch a Dying Business Thrash Desperately


I will go so far as to say that Let’s Encrypt revolutionized the Transport Layer Security (TLS) certificate market. While there were some free sources of certificates, the general rule remained that you had to pay if you wanted to implement a secure connection for your website. Then Let’s Encrypt was released. Now anybody can implement a secure connection for their website for free. On top of that, Let’s Encrypt greatly simplified the process of managing certificates. So it’s no surprise that certificate vendors are feeling the squeeze and responding desperately:

The fact that Let’s Encrypt is now being used to make phishing sites look legit is a total burn for us, and a potential house fire for users who rely on simple cues like the green padlock for assurance. According to certificate reseller The SSL Store, “between January 1st, 2016 and March 6th, 2017, Let’s Encrypt has issued a total of 15,270 SSL certificates containing the word ‘PayPal.'”

Keep in mind that the SSL Store is a provider of those incredibly overpriced certificates, so Let’s Encrypt’s mission isn’t necessarily in their interests. Even still, their post points out that the “vast majority of this issuance has occurred since November — since then Let’s Encrypt has issued nearly 100 ‘PayPal’ certificates per day.” Based on a random sample, SSL Store said, 96.7 percent of these certificates were intended for use on phishing sites.

The reseller added that, while their analysis has focused on fake PayPal sites, the firm’s findings have spotted other SSL phishing fakers, including Bank of America, Apple IDs, and Google.

The SSL Store paints a frightening picture. But the picture requires ignoring two facts.

First, TLS doesn’t verify whether a website is legitimate. TLS verifies that the host name in the URL you’re connecting to matches a name in the certificate presented by the server and that the certificate was issued by a trusted authority. For example, if you connect to https://paypaltotallyascam.com, TLS will verify that the certificate was issued for paypaltotallyascam.com and that it was issued by a trusted authority. However, TLS is not magical and cannot determine whether the site is a scam or not.

Second, you can’t even pull a certificate from Let’s Encrypt unless you have a registered domain. So why is Let’s Encrypt getting all of the blame but not the Domain Name System (DNS) registrar that allowed the domain to be registered in the first place? Because DNS registrars aren’t a threat to The SSL Store’s business model; Let’s Encrypt is.

This report by The SSL Store is nothing more than the desperate thrashings of a dying business model.
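The two separate questions the post draws apart, as an added example that is not code from the original post or from Let’s Encrypt: the name check a TLS client actually performs, beside the brand-keyword heuristic The SSL Store applied. The domain paypaltotallyascam.com, its certificate names and the list of brand domains are constructed for the illustration.

```python
# Added example, not code from the original post: what TLS hostname
# verification checks, next to the brand-keyword heuristic The SSL Store used.
# The domain paypaltotallyascam.com and the certificate names are constructed.
from typing import Dict, Iterable, List

LEGIT_DOMAINS = {   # brand -> registrable domain the brand owns (assumed list)
    "paypal": "paypal.com",
    "bankofamerica": "bankofamerica.com",
    "apple": "apple.com",
    "google": "google.com",
}


def hostname_matches(cert_names: Iterable[str], hostname: str) -> bool:
    """Name check a TLS client performs: the requested host must equal one of
    the certificate's DNS names, or match a wildcard that covers exactly one
    label (the RFC 6125 rule). Nothing here asks whether the site is honest."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                 # "*.example.com" -> ".example.com"
            if host.endswith(suffix):
                leftmost = host[: -len(suffix)]
                if leftmost and "." not in leftmost:   # exactly one label
                    return True
    return False


def brand_flags(hostname: str) -> List[str]:
    """Heuristic of the kind a certificate-transparency monitor runs: brand
    words embedded in a hostname that is not the brand's own domain. It is a
    detection aid with false positives (e.g. 'pineapple'), not a TLS verdict."""
    host = hostname.lower().rstrip(".")
    hits = []
    for brand, legit in LEGIT_DOMAINS.items():
        if host == legit or host.endswith("." + legit):
            continue                          # the brand's own site is not a look-alike
        if brand in host.replace("-", ""):
            hits.append(brand)
    return hits


def assess(cert_names: Iterable[str], hostname: str) -> Dict[str, object]:
    """Keep the two questions separate: does the name match (TLS), and does
    the name look like it trades on a brand (monitoring)."""
    return {"tls_name_match": hostname_matches(cert_names, hostname),
            "brand_flags": brand_flags(hostname)}


# Constructed sample: a CA can issue this, since the requester controls the domain.
SCAM_CERT_NAMES = ["paypaltotallyascam.com", "www.paypaltotallyascam.com"]

if __name__ == "__main__":
    print(assess(SCAM_CERT_NAMES, "paypaltotallyascam.com"))
    # {'tls_name_match': True, 'brand_flags': ['paypal']}
    print(assess(SCAM_CERT_NAMES, "www.paypal.com"))
    # {'tls_name_match': False, 'brand_flags': []}
```

The name check passes for the scam domain’s own certificate and fails for paypal.com, which is exactly the post’s point: the brand flag comes from a separate monitoring heuristic, not from TLS.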

Written by Christopher Burg

April 4th, 2017 at 10:30 am

More Security Theater at the TSA


The Transportation Security Administration (TSA) has a sordid record when it comes to airport security. Since airport security is the agency’s primary job and it hasn’t been doing an effective job of providing it, you might expect the agency to, you know, try to improve its capabilities. Instead the agency has been doubling down on security theater. But the best part is that the agency realizes that its efforts are theater:

If you’ve ever suspected that the TSA’s airport behavior screening (where it looks for visual signs of lying or stress) was just another example of ineffective security theater, you now have some science to back up your hunches. Thanks to a lawsuit, the ACLU has obtained TSA files showing that the organization has pushed and even expanded its “behavior detection” program despite a lack of supporting evidence. While the TSA maintains that it can detect signs of shady activity through fidgeting, shifty eyes and other visual cues, studies in its files suggest just the opposite — you’d have just as much success by choosing at random. And those are in controlled conditions, not a busy airport where anxiety and stress are par for the course.

The TSA hasn’t thwarted a single terrorist attack since it was founded. It hasn’t even done anything noteworthy in the field of security. The only thing the agency has managed to do is bolster the profits of bottled water manufacturers by stealing air travelers’ water and forcing them to buy more inside of “secure” areas. Yet this agency continues to exist. It continues to exist because the government that established it believes stealing your money and giving it to one of its entirely ineffective agencies is fiscally responsible.

The next time some statist dipshit tells you that taxes aren’t high enough remind them that a ton of tax money is being irresponsibly dumped into agencies like the TSA.

Written by Christopher Burg

February 9th, 2017 at 11:00 am

Denial of Service Attacks are Cheap to Perform


How expensive is it to perform a denial of service attack in the real world? More often than not the cost is nearly free. The trick is to exploit the target’s own security concerns:

A flight in America was delayed and almost diverted on Tuesday after a passenger changed the name of their wi-fi device to ‘Samsung Galaxy Note 7’.

An entire flight was screwed up by simply changing the SSID of a device.

Why did this simple trick cause any trouble whatsoever? Because the flight crew was more concerned with enforcing the rules than with actual security. There was no evidence of a Galaxy Note 7 being onboard. Since anybody can change their device’s SSID to anything they want, the presence of the SSID “Samsung Galaxy Note 7” shouldn’t have been enough to cause any issues. But the flight crew allowed that, at best, flimsy evidence to spur them into a hunt for the device.

This is why performing denial of service attacks in the real world is often very cheap. Staffers, such as flight crew, seldom have any real security training so they tend to overreact. They’re trying to cover their asses (and I don’t mean that as an insult, if they don’t cover their asses they very well could lose their job), which means you have an easy exploit sitting there for you.

Written by Christopher Burg

December 23rd, 2016 at 10:30 am

TSA Warning About Slave ID Deadline


Minnesota is one of the few remaining states that has told the federal government where to stick its REAL Slave ID requirements. If you do live in Minnesota and you really want an official Slave ID, you can pay an extra $15 and go through the additional hassle necessary to convert your driver’s license, but it’s not required.

While it’s been known that the Transportation Security Administration (TSA) would begin requiring Slave IDs to board aircraft, the exact deadline has remained unknown. Soon the TSA at the Minneapolis International Airport will post signs indicating that the deadline will be January 22, 2018:

MINNEAPOLIS (KMSP) – Signs will soon be posted at Minneapolis-St. Paul International Airport with a warning that your current Minnesota driver’s license won’t be enough to pass through security in 2018.

Starting Jan. 22, 2018, you will need an alternate ID to fly if you have a standard driver’s license or ID card issued by any of the following states: Kentucky, Maine, Minnesota, Missouri, Montana, Oklahoma, Pennsylvania, South Carolina or Washington. Alternate forms of ID include a passport, military ID, or permanent resident card. You can find a full list of accepted ID at https://www.tsa.gov/travel/security-screening/identification

If you live in Minnesota and wish to travel on an airplane you should consider getting a passport. In fact, if you live in the United Police States of America you should consider getting a passport just so you have the option to leave this forsaken Orwellian nation.

I hope the Minnesota government continues to push against the Slave ID requirements but I fear that they’re going to kowtow to their federal masters before the deadline.

Written by Christopher Burg

December 16th, 2016 at 11:00 am

So Much for Farook’s Phone


Shortly after the attack in San Bernardino, the Federal Bureau of Investigation (FBI) tried to exploit the tragedy in order to force Apple to assist it in unlocking Syed Rizwan Farook’s iPhone. According to the FBI, Farook’s phone likely contained information that would allow them to find his accomplices, establish motives, and basically solve the case. Apple refused to give the FBI the power to unlock any iPhone 5C willy-nilly, but the agency eventually found a third party that had an exploit that would allow the built-in security to be bypassed.

One year later the FBI hasn’t solved the case even with access to Farook’s iPhone:

They launched an unprecedented legal battle with Apple in an effort to unlock Farook’s iPhone and deployed divers to scour a nearby lake in search of electronic equipment the couple might have dumped there.

But despite piecing together a detailed picture of the couple’s actions up to and including the massacre, federal officials acknowledge they still don’t have answers to some of the critical questions posed in the days after the Dec. 2, 2015, attack at the Inland Regional Center.

Most important, the FBI said it is still trying to determine whether anyone was aware of the couple’s plot or helped them in any way. From the beginning, agents have tried to figure out whether others might have known something about Farook and Malik’s plans, since the couple spent months gathering an arsenal of weapons and building bombs in the garage of their Redlands home.

Officials said they don’t have enough evidence to charge anyone with a crime but stressed the investigation is still open.

This shouldn’t be surprising to anybody. Anybody who had the ability to plan out an attack like the one in San Bernardino without being discovered probably had enough operational security not to use an easily surveilled device such as a cellular phone for the planning. Too many people, including those who should know better, assume only technological wizards have the know-how to plan things without using commonly surveilled communication methods. But that’s not the case. People who are committed to pulling off a planned attack that includes coordination with third parties are usually smart enough to do their research and utilize communication methods that are unlikely to be accessible to prying eyes. It’s not wizardry; it’s a trick as old as human conflict itself.

Humans are both unpredictable and adaptable, which is what makes mass surveillance useless. When an agency such as the National Security Agency (NSA) performs mass surveillance they get an exponentially greater amount of noise than signal. We’re not even talking about a 100:1 ratio. It would probably be closer to 1,000,000,000,000:1. Furthermore, people with enough intelligence to pull off coordinated attacks are usually paranoid enough to assume the most commonly available communication mechanisms are being surveilled so they adapt. Mass surveillance works well if you want a lot of grandmothers’ recipes, Internet memes, and insults about mothers made by teenagers. But mass surveillance is useless if you’re trying to identify individuals who are a significant threat. Sure, the NSA may get lucky once in a while and catch somebody but that’s by far the exception, not the rule. The rule, when it comes to identifying and thwarting significant threats, is that old fashioned investigative techniques must be employed.

Written by Christopher Burg

December 6th, 2016 at 11:00 am