It Turns Out The Paris Attackers Didn’t Even Use Encryption

Immediately following the attacks in Paris politicians were demanding bans on effective cryptography. That would lead one to believe that the attackers used cryptography to conceal their communications. As it turns out the attackers coordinated their efforts over regular old unencrypted Short Message Service (SMS):

Yet news emerging from Paris — as well as evidence from a Belgian ISIS raid in January — suggests that the ISIS terror networks involved were communicating in the clear, and that the data on their smartphones was not encrypted.

European media outlets are reporting that the location of a raid conducted on a suspected safe house Wednesday morning was extracted from a cellphone, apparently belonging to one of the attackers, found in the trash outside the Bataclan concert hall massacre. Le Monde reported that investigators were able to access the data on the phone, including a detailed map of the concert hall and an SMS message saying “we’re off; we’re starting.” Police were also able to trace the phone’s movements.

This is why jumping to conclusions is foolish. The politicians and other assorted government goons demanding that effective cryptography be banned didn’t wait long enough to learn whether the attackers actually used encrypted communications. Now that evidence exists suggesting they didn’t, the entire narrative being used to justify the proposed bans has fallen apart.

So how did the various governments’ intelligence services miss the attacks? Probably because the unencrypted messages were buried so deeply in random noise nobody noticed them.

Another possibility is complacency. When you’re looking for boogeymen everywhere you will find them everywhere. Western governments are always looking for terrorist attacks and see them everywhere from foreign nations to local airports. Their security briefings are overflowing with warnings of imminent terrorist attacks. But when you constantly hear about imminent terrorist attacks that never happen you become so numb to the warnings that when a credible threat does exist you dismiss it as yet another overreaction from an overly paranoid intelligence agent seeking a promotion.

Either way mass surveillance did nothing to thwart the attacks and most likely hindered efforts to do so.

Minneapolis Public Schools Solve Violence Issue Once And For All

Minneapolis Public Schools have had issues with violence. But after a student brought in a .38 caliber handgun the administrators decided enough is enough. Measures have been taken to ensure violence never again bothers the students and faculty of Minneapolis Public Schools:

Promoting positive learning environments for students begins with ensuring the schools are safe, MPS said. Tedmon said the district’s schools are currently the safest place for kids, and they’re going to keep it that way.

“Alongside families and community partners, MPS is declaring our district to be a weapon-, violence- and gang-free zone. Together, we can let everyone know: Not in our schools,” MPS said in a press release.

Finally! Now they can hang signs declaring their schools violence-free zones right below the very effective signs declaring them drug-free zones!

Because of the ineffectiveness of gun-free zones most of us who advocate for the right to self-defense have jokingly said that places should just declare themselves violence-free zones and be done with it. Apparently our joke was heard by a school administrator who failed to recognize the subtleties of sarcasm. This person must have also missed the fact that drugs are pervasive in schools even though they’ve been declared drug-free zones and that kid with the handgun managed to go right past the signs indicating the school was a gun-free zone.

What should be concerning, though, is that the people in charge are making our parody reality.

Cyberfailure At The Cyberdepartment Of Cybersecurity

Do you ever get the idea that China’s ability to breach United States networks isn’t so much due to its skill as to its adversary’s incompetence? After the breach of the Office of Personnel Management’s (OPM) network it was revealed that government networks are woefully out of date. In fact China was focusing its efforts on non-military federal agencies. But even though other federal agencies’ network security is lackluster we were told time and again that the Department of Defense (DoD) is held to a higher standard. That wasn’t true either:

The United States Department of Defense is still issuing SHA-1 signed certificates for use by military agencies, despite this practice being banned by NIST for security reasons nearly two years ago. These certificates are used to protect sensitive communication across the public internet, keeping the transmitted information secret from eavesdroppers and impersonators. The security level provided by these DoD certificates is now below the standard Google considers acceptable for consumer use on the web.

Few things amuse me more than when one federal agency, in this case the DoD, fails to abide by the recommendations issued by another federal agency, in this case the National Institute of Standards and Technology (NIST). This shouldn’t be surprising though. The DoD’s e-mail servers don’t even support STARTTLS, so any e-mails traveling between their servers and others are being sent in the clear. If the DoD can’t even take basic measures like that why would anybody assume it would use secure certificates?
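Auditing your own certificates for the problem described above is straightforward once you know where the signature algorithm lives in the DER structure. The following Python is an added example, not code from this post, from Netcraft or from the DoD: it walks a DER-encoded certificate far enough to read the outer signatureAlgorithm OID and flags the SHA-1 variants. The certificate bytes it checks are constructed inside the script, with a placeholder tbsCertificate body rather than a real one.

```python
# Added example (not the post's code): pull the outer signatureAlgorithm OID out
# of a DER-encoded X.509 certificate and flag SHA-1 signatures. The certificate
# bytes are CONSTRUCTED here: Certificate-shaped (tbs, algorithm, signature) but
# with a placeholder tbsCertificate body rather than a real one.

SIGNATURE_OIDS = {                        # dotted OID -> (name, is_sha1_based)
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos -> (tag, value_bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content: bytes) -> str:
    """DER OID content bytes -> dotted string (first byte packs arcs 1 and 2)."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends the current arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    tag, body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = read_tlv(body, 0)      # skip tbsCertificate
    tag, alg_id, _ = read_tlv(body, pos)  # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag2, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return decode_oid(oid)

def audit(cert_der: bytes) -> dict:
    """Report the signature OID, its name if known, and whether it is SHA-1 based."""
    oid = signature_algorithm(cert_der)
    name, sha1 = SIGNATURE_OIDS.get(oid, ("unknown", None))   # None = not in our table
    return {"oid": oid, "name": name, "sha1": sha1}

# --- encoders used only to build the constructed sample certificates ---
def tlv(tag: int, value: bytes) -> bytes:
    """DER-encode one TLV; short form and one-byte long form cover the samples."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    return bytes([tag, 0x81, len(value)]) + value

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                        # base-128, high bit set on all but the last byte
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def constructed_cert(sig_oid: str) -> bytes:
    """CONSTRUCTED certificate-shaped blob; the TBS body is only a placeholder."""
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, b"placeholder tbsCertificate"))
    alg = tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")   # OID + NULL parameters
    sig = tlv(0x03, b"\x00" + b"\xaa" * 16)               # BIT STRING, 0 unused bits
    return tlv(0x30, tbs + alg + sig)

print(audit(constructed_cert("1.2.840.113549.1.1.5")))   # sha1WithRSAEncryption -> flagged
```

Point `audit()` at the DER bytes of a real certificate (for example the output of `openssl x509 -outform DER`) to check your own chain the same way.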

We keep hearing about the coming cyberwar. When that finally comes the United States is going to be taken out in the initial volley. Every bit of news we hear indicates the computer security capabilities of the entire federal government are nonexistent.

Halloween Fear Mongering

Every year around this time the police try to scare parents about trick-or-treating. I’m pretty sure it’s either a ploy by law enforcers to reduce their workload by getting kids off of the street or to make themselves look important to the safety of the community. This year police are again claiming that drug dealers are going to be handing out drugs to trick-or-treaters:

The Jackson, Miss. Police Department issued a warning for pressed Ecstasy pills that could be mistaken for Halloween candy if they ended up in children’s hands.

While stories of kids being given poisoned or tainted Halloween treats are mostly the stuff of urban legend, it’s always a good idea to check your child’s candy before letting them eat it.

Stuff of urban legend is right. Drug dealers aren’t fucking idiots. They’re in a business to make a profit. Ecstasy is a popular illicit drug, which means it commands a pretty penny. What drug dealer is going to hand out thousands of dollars in profit to a bunch of brats in costumes? If your neighborhood drug dealer is handing out anything to trick-or-treaters it’s going to be the same candy as everybody else.

Whenever the police try to drum up fear by insinuating somebody is going to do bad things to children, ask yourself if the claim even makes sense. A drug dealer handing out ecstasy doesn’t make any goddamn sense, so any warnings about it happening should be discarded.

Get Your TSA Approved Lock Keys Here

Air travelers who don’t have firearms in their checked luggage probably use a special Transportation Security Administration (TSA) approved lock. What is a TSA approved lock? I’ll let the TSA’s very own Blogger Bob explain:

TSA has worked with several companies to develop locks that can be opened by security officers using universal “master” keys so that the locks may not have to be cut. These locks are available at most airports and many travel stores nationwide. The packaging on the locks indicates whether they can be opened by TSA.

In other words TSA approved locks are locks with an included backdoor that can be used by TSA officers to access your luggage. I will take a moment to note that the use of TSA approved locks is not lawful when firearms are in your checked luggage, so those of us who do fly with them do not, and legally cannot, use TSA approved locks.

Now that I’m done with that aside, let’s discuss the major flaw inherent in backdoors. Backdoors necessarily break security systems, whether they’re physical locks or cryptographic algorithms, because anybody in possession of a master key can gain access. I hear some of you saying, “But, Chris, only authorized TSA agents have access to those master keys!” If only that were the case. Unfortunately some bozo went and accidentally released a picture of the TSA’s master keys.

Now you’re probably thinking, “Yeah, but pictures of keys can’t unlock locks!” While that’s true, pictures of keys can be modeled, and things that can be modeled can be 3D printed. Behold! 3D printer models for TSA master keys! Now anybody with a 3D printer can create keys that utilize the backdoor on TSA approved locks.

Herein lies the problem with backdoors: it only takes one person to accidentally reveal the master key to render everything secured with the backdoored system insecure. In this case a single careless TSA agent allowed a ring of TSA master keys to be photographed and therefore reproduced by anybody. The same threat would apply to any government mandated backdoors in encryption systems. It would only take one careless person with access to the government master key having it showing on their screen when a reporter took a photograph to render all data secured with that system insecure.

The moral of the story is say no to backdoors.

Regal Theaters Searching Bags For Fun And Profit

I seldom go to movie theaters anymore and when I do it’s usually second-run theaters. Paying $15.00 or more to subject myself to sitting in a cramped, uncomfortable seat in a crowded theater full of people playing with their brightly backlit smartphones for two hours doesn’t appeal to me. So Regal’s announcement that it will assume all paying customers are violent criminals doesn’t really impact me, but you should probably know about it if you frequently go to theaters:

One of America’s largest cinema chains, Regal, is now searching bags of film-goers following several attacks on movie theatres across the US.

Regal’s updated policy says it wants customers and staff “to feel comfortable and safe” in its cinemas.

[…]

“Security issues have become a daily part of our lives in America,” Regal Entertainment Group’s admission policy now reads on the company’s website. The company has not yet commented publicly on the new regulations.

“To ensure the safety of our guests and employees, backpacks and bags of any kind are subject to inspection prior to admission,” it continues.

While this policy is being implemented under the guise of safety I think it has more to do with profits. Tickets aren’t the only expensive thing about going to a movie theater; the food and drink are also expensive. If you read Regal’s admittance policy you’ll see what is probably the real reason bag searches are now being performed:

Outside Food or Drink:
No outside food or drink is permitted in the theatre.

Because of the price of movie theater food and drinks a lot of people smuggle their own in. Accusing paying customers of smuggling in food and drinks probably won’t sit well, but claiming the searches are for safety may sit well enough (after all, it works for sporting events).

Searching bags for weapons isn’t effective anyways. I (as well as most people I know) always carry my weapons on my person. My knives are in my pockets and my handgun is in a tuckable in-the-waistband holster. Carrying weapons in a bag that can be easily separated from your person is bad form.

So keep in mind if you’re going to go to a movie that Regal will treat you like a criminal in the hopes of making more money off of you.

Stop Playing With That Thing

If you use amateurs as your front line defense don’t be surprised when you get amateur results. An Oklahoma gun range has followed in the tradition of another asshole range owner by declaring its facility off limits to Muslims (How can they tell if somebody is Muslim by looking at them? Here’s the secret: “Muslim” is usually a code word for “brown person.”). Needless to say this has resulted in the range owner receiving various threats, because issuing threats on the Internet is pretty much a risk-free method of demonstrating your disapproval. Hoping to share in the infamy spotlight, a group of self-proclaimed patriots heeded the call, gunned up, and rushed to protect the gun range. One of the patriots demonstrated why you don’t want amateurs providing your security:

The gun fell out of the holster and discharged, with a bullet hitting the man in the wrist, Muskogee County Sheriff Charles Pearson said, according to KOTV and the Tulsa World newspaper. The man was expected to survive.

First of all let us set aside the silliness of the gun falling out of its holster and discharging on impact. Although I’m sure there are exceptionally shitty holsters out there I feel safe in saying the vast majority of them will retain a firearm well enough to prevent it from falling out. In addition to that, most firearms are now equipped with a drop safety to prevent exactly this kind of scenario.

What’s more likely is this patriot pulled out his gun to either play with it or shoot it off, dropped it, and inadvertently pulled the trigger when he attempted to catch it.

Now let’s address the issue of security. The range owner claims that he’s been receiving death threats, which wouldn’t surprise me as making such threats is almost risk-free these days. When you receive death threats you have to decide whether you feel they are credible or not. If you don’t believe they’re credible you ignore them. If you do believe they are credible you take measures to protect yourself. Hiring guards is one such measure a person could take. But there’s a difference between one of these patriots, who are almost always mouthy but otherwise mostly harmless, and professionals. If the range owner felt the threats were legitimate he should have hired professional guards to protect his business. Professional guards aren’t as apt to make amateur mistakes like playing with their firearm. And if an incident does occur they’re more likely to have the training necessary to deal with it.

CryptoParty On August 30th

I don’t have much for you today because I spent my evening at a meeting hammering out the final details of an upcoming CryptoParty. On August 30th CryptoPartyMN will be hosting a CryptoParty at the Hack Factory. We’re still figuring out a few final details but we will for certain be discussing public-private key cryptography, Off-the-Record (OTR) messaging, full disk encryption, and Tor. We may cover other topics as time permits.

For those who don’t know, these events are meant to be hands-on. You bring your laptops, tablets, and phones and learn how to use secure communication tools. Hopefully I’ll see a few of you there.

Oracle. Because You Suck. And We Hate You.

Unpatched vulnerabilities are worth a lot of money to malicious hackers. Hoping to outbid more nefarious types, many large software companies, including Google, Microsoft, and Mozilla, have begun offering cash payments for disclosed vulnerabilities. Companies that don’t have bounty programs will often publicly credit you for the discovery. But Oracle will do neither. In fact Oracle’s Chief Security Officer went out of her way to describe Oracle’s official policy regarding vulnerability disclosure (the blog post was later, smartly, removed from Oracle’s site but the Internet is forever so we get to laugh anyways). The post contains some real gems:

If we determine as part of our analysis that scan results could only have come from reverse engineering (in at least one case, because the report said, cleverly enough, “static analysis of Oracle XXXXXX”), we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer’s behalf – reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already. (In legalese, of course. The Oracle license agreement has a provision such as: “Customer may not reverse engineer, disassemble, decompile, or otherwise attempt to derive the source code of the Programs…” which we quote in our missive to the customer.) Oh, and we require customers/consultants to destroy the results of such reverse engineering and confirm they have done so.

It’s good to get this out of the way early. Oracle, upon receiving a report of a vulnerability, will first investigate whether discovering the vulnerability required reverse engineering its code. If it did, Oracle’s way of saying thanks is to send you a legal threat for violating the license agreement. Although I’ve never sold a vulnerability to a malicious hacker I’m fairly certain their reaction is not to threaten you with legal action. Score one for the “bad guys” (I’m using quotes here because I’m not sure if malicious hackers really are bad guys when compared to Oracle).

Q. What does Oracle do if there is an actual security vulnerability?

Pay the person who disclosed it instead of selling it to malicious hackers, right?

A. I almost hate to answer this question because I want to reiterate that customers Should Not and Must Not reverse engineer our code. However, if there is an actual security vulnerability, we will fix it. We may not like how it was found but we aren’t going to ignore a real problem – that would be a disservice to our customers. We will, however, fix it to protect all our customers, meaning everybody will get the fix at the same time. However, we will not give a customer reporting such an issue (that they found through reverse engineering) a special (one-off) patch for the problem. We will also not provide credit in any advisories we might issue. You can’t really expect us to say “thank you for breaking the license agreement.”

Or not. People kindly disclosing discovered vulnerabilities to Oracle will only receive the legal threat. No payment or even public credit will be given. Meanwhile malicious hackers will give you cash for unpatched vulnerabilities, so they score another point.

Q. But one of the issues I found was an actual security vulnerability so that justifies reverse engineering, right?

Under these circumstances I’m sure Oracle will forgive you for violating the license agreement since malicious hackers aren’t going to abide by it either, right?

A. Sigh. At the risk of being repetitive, no, it doesn’t, just like you can’t break into a house because someone left a window or door unlocked.

I guess not. Although I’m not sure how breaking into a house is an accurate analogy here. A better analogy would be buying a lock, taking it apart, and discovering a mechanical flaw that makes it easy to bypass. Entering a home uninvited is quite a bit different from being invited into a home and discovering that the locks inside could be easily bypassed due to a design flaw, and a customer who paid Oracle for a license was certainly invited to use the company’s software. Most homeowners would probably thank you for pointing out the locks they purchased are shitty. Regardless of the analogy, a malicious hacker isn’t likely to care that you “broke into a house” or violated a license agreement. Score yet another point to them.

Q. Hey, I’ve got an idea, why not do a bug bounty? Pay third parties to find this stuff!

That’s a good question. Oracle can’t possibly argue that bug bounty programs are a bad idea, right?

A. Bug bounties are the new boy band (nicely alliterative, no?) Many companies are screaming, fainting, and throwing underwear at security researchers**** to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn’t secure. Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers. (Small digression: I was busting my buttons today when I found out that a well-known security researcher in a particular area of technology reported a bunch of alleged security issues to us except – we had already found all of them and we were already working on or had fixes. Woo hoo!)

Jesus Christ. Really? Since Oracle finds 87 percent of vulnerabilities bug bounty programs are useless? I guess the other 13 percent are somehow valueless because they’re the minority? Seriously, what the fuck is Oracle thinking here? Malicious hackers pay per vulnerability. They don’t give a shit if it’s part of a minority in some irrelevant metric kept by Oracle. And it only takes one vulnerability to put your customers at risk. That’s the fourth point for malicious hackers.

Q. Surely the bad guys and some nations do reverse engineer Oracle’s code and don’t care about your licensing agreement, so why would you try to restrict the behavior of customers with good motives?

I’m not even going to waste your time with asking if Oracle has found some common sense by now. We know it hasn’t.

A. Oracle’s license agreement exists to protect our intellectual property. “Good motives” – and given the errata of third party attempts to scan code the quotation marks are quite apropos – are not an acceptable excuse for violating an agreement willingly entered into. Any more than “but everybody else is cheating on his or her spouse” is an acceptable excuse for violating “forsaking all others” if you said it in front of witnesses.

Oracle seems to have the same mentality as those who put up those wretched “no guns allowed” signs. That is a belief that words can somehow stop people from acting in a certain fashion. The question of malicious hackers reverse engineering Oracle’s code in violation of its license agreement isn’t one that lends itself to arguing about the moral high ground. They are doing it, so it’s in your best interest to have other people, people who want to help you thwart the malicious hackers, doing the same. Once again we return to the fact that malicious hackers aren’t going to give you a speech on morality, they’re going to pay you. That’s five points to them and zero to Oracle.

Considering what we learned in this blog post, what motivation does anybody have to disclose discovered vulnerabilities in Oracle’s software? At worst you’ll receive a legal threat and at best you’ll receive nothing at all. Meanwhile malicious hackers will pay you cash for that vulnerability.

The reason companies like Google, Microsoft, and Mozilla established bounty programs is because they realize vulnerabilities are a valuable commodity and they have to outbid the competition.

I’ve long wondered why anybody does business with Oracle considering the company’s history. But this post really confirmed my dislike of the company. There are times where you have to set aside trivial disagreements, like a customer violating a license agreement, for the good of your business (which is also the good of the customers in this case). If somebody discloses a vulnerability to you, you shouldn’t waste time asking a bunch of irrelevant legal questions and you certainly shouldn’t threaten them with legal action. Instead you should verify the bug and pay the person who disclosed it to you instead of to somebody with a vested interest in exploiting your customers. Make it worth somebody’s while to disclose vulnerabilities to you so they don’t disclose them to people who are going to target your customers.

TSA: We’re Not Happy Until You’re Not Happy

When the Department of Homeland Security (DHS) recently performed an internal investigation of the Transportation Security Administration’s (TSA) security procedures it discovered a 95 percent failure rate. Were the TSA a private security provider you would probably have seen some serious housecleaning to rid it of individuals who obviously don’t know what they’re doing. But the TSA is a government agency, which means you and I are punished for its failures. In response to the 95 percent failure rate the TSA is demanding more tax victim money and planning to make air travelers wait even longer to get through security:

The Transportation Security Administration has a new strategy for improving its woeful performance in catching airport security threats — and it will likely mean longer lines and more government bucks.

A month after the TSA was embarrassed by its almost-total failure in a covert security audit, Homeland Security Secretary Jeh Johnson has ordered the agency to pursue an improvement plan that will require more hand-wanding of passengers, more use of bomb-sniffing dogs and more random testing of luggage and travelers for traces of explosives. It will also consider reducing travelers’ chances of being sent through the expedited PreCheck lines at airports.

Let us not forget the TSA motto: we’re not happy until you’re not happy. This “improvement plan” should tell you everything you need to know about government agencies. If you look at the list of “improvements” you’ll see the word “more” in front of everything. The TSA’s response to its 95 percent failure rate is literally to try more of the same thing, only harder.