The Terrorist Canard

With encrypted communications threatening to reduce the state’s revenue stream by letting us little serfs conceal our black market business dealings, the political body is getting worried. Whenever the political body gets worried it begins efforts to propagandize the general populace. The propaganda always exploits fear. At one time the fear being exploited was drug usage, then it became street crime, and now it’s terrorism. Hoping to hamper the development of strong cryptographic tools, the political body has been looking at introducing laws that would require software and hardware developers to introduce backdoors for state usage. Because it’s the fear of the day they’re selling these laws under the guise of fighting terrorism:

President Barack Obama is making his position on encryption known: he is a supporter and “believer in strong encryption” but also “sympathetic” to law enforcement’s needs to prevent terror attacks.

“I think the only concern is… our law enforcement is expected to stop every plot. Every attack. Any bomb on a plane. The first time that attack takes place, where it turns out we had a lead and couldn’t follow up on it, the public’s going to demand answers. This is a public conversation that we should be having,” Obama said in a Friday interview with Re/Code. “I lean probably further in the direction of strong encryption than some do inside law enforcement. But I am sympathetic to law enforcement, because I know the kind of pressure they’re under to keep us safe. And it’s not as black and white as it’s sometimes portrayed. Now, in fairness, I think those in favor of air tight encryption also want to be protected from terrorists.”

Can we stop with the terrorist canard? Nobody expects law enforcement to stop every terrorist plot. In fact nobody, at least nobody sensible, expects law enforcement to stop any terrorist plot. What people expect of law enforcement is to clean up after a terrorist attack. If people actually expected law enforcement would stop terrorist attacks they wouldn’t be afraid of terrorist attacks.

Furthermore the state’s widespread surveillance efforts haven’t stopped a single terrorist plot. Every claim made to the contrary has been thoroughly debunked. This isn’t surprising. Widespread surveillance creates a sea of data from which no single piece of useful data can be extracted. What makes widespread surveillance even more worthless is that no single piece of data can reveal a terrorist plot, so you need to find multiple pieces of connected data to begin revealing a plot. If finding a single piece of useful data in a sea of noise is difficult, try finding many pieces of connected data that aren’t obviously connected.

The only way law enforcement can stop terrorist plots is to utilize old-fashioned investigative techniques. But these techniques are expensive in both money and time and don’t lead to revenue for departments. Why would a law enforcement agency put resources into uncovering a terrorist plot when it can rely on anonymous tips to kick down the doors of drug dealers and legally confiscate all of their property to auction off later? To add insult to injury, solving a terrorist plot is actually detrimental to a law enforcement agency since they rely on successful terrorist attacks to justify buying surplus military equipment.

It’s time to put the terrorist canard to bed. Only the completely gullible are being fooled and they’re not the ones that need to be convinced. In order to put backdoors into software and devices the developers and manufacturers have to be convinced and they won’t be convinced because their users will stop buying their products if they implement said backdoors. Since many of their users are gullible idiots the state’s terrorist propaganda won’t accomplish its goal and thus the exercise is a waste of everybody’s time.

Illinois Legislators Approve Law to Require Students Surrender Social Media Passwords

Further demonstrating that the state believes it owns us, Illinois legislators have approved a law that would require K-12 and university students to surrender their social media passwords to school officials:

However, with the new law that Illinois legislators approved, school districts and universities in Illinois can demand a student’s social media password. The new law states if a school has a reasonable cause to believe that a student’s account on a social network contains evidence that a student has violated a school’s disciplinary rule or policy. Even if it’s posted after school hours.

This week some school districts sent home letters to notify parents and students about the new rules. “To get into a social networking site and it could be at a school or at home. That we would be able to get that password and get onto their account,” said Leigh Lewis, Triad Community Unity School District Superintendent.

I wouldn’t have been at all surprised if the law only covered K-12 students. The state does believe that it wholly owns every minor. And if that were the case I would urge any parent to tell snoopy school administrators to fuck off. But the law also covers university students who tend to be adults. So now I must also encourage university students to tell snoopy school administrators to fuck off.

As with all Orwellian laws this one is being sold using fear. We’re told that it’s necessary to stop “cyber bullying” (apparently adding the word cyber to something is supposed to make it scarier). In reality it’s just another tool for school administrators to put the students in their place. The message is very clear, behave or some school administrator is going to do a detailed search of your entire social media presence including private messages. I feel confident in saying this because there is no reason whatsoever for a school administrator to need a student’s password. If a student is the target of harassment they can show administrators the relevant information (and they don’t even have to surrender their password to do it). Screenshots can be taken of any pertinent evidence. It’s very easy.

And since I’m on a kick of turning common statist arguments against them let’s also consider the children. Teenagers have a habit of sending naked pictures to their significant others. There’s no changing it, it’s a fact of life. What’s to stop a creepy teacher who suspects a student has sent or received naked pictures of themselves or others from making up an excuse to demand their password so they can comb through them? Not a damn thing since minors have no real legal rights.

The thing to keep in mind is that this law, like all laws, can be disobeyed. Just because the state says you have to surrender your password doesn’t mean you do. Upon receiving a demand for your password you can just as easily shut down the account or, better yet, tell the person making the demand to fuck off.

Never Let a Crisis Go to Waste

Sony, in what I predict to be a brilliant marketing move, has cancelled what was certainly going to be a shitty movie. This has gotten the expected, and likely desired, result of unleashing a great deal of impotent Internet rage. Not one to let a crisis go to waste the politicians in Washington DC are swooping in like vultures. First United States officials claimed that the hack was almost certainly performed by North Korea. Now senators are using that claim to justify the necessity of a “cyber security” (a meaningless term) bill:

Senator John McCain (R-AZ) also said that the choice set a “troubling precedent” in cyberwarfare. “The administration’s failure to deter our adversaries has emboldened, and will continue to embolden, those seeking to harm the United States through cyberspace,” he said in a statement. He reiterated promises to focus on the issue if elected chair of the Armed Services Committee, including plans to create a subcommittee for cybersecurity issues. “Congress as a whole must also address these issues and finally pass long-overdue comprehensive cybersecurity legislation,” he said. McCain has been pushing cybersecurity bills for years, including the Secure IT Act, a competitor to the controversial CISPA bill.

In a statement on Tuesday, Senator Dianne Feinstein (D-CA), a major proponent of cybersecurity and author of multiple bills, said that “this is only the latest example of the need for serious legislation to improve the sharing of information between the private sector and the government to help companies strengthen cybersecurity. We must pass an information sharing bill as quickly as possible next year.”

There are three points I would like to bring up.

First, there is no evidence that North Korea was involved in the Sony hack. All we have are statements made by United States officials. Remember that United States officials also told us that there were weapons of mass destruction in Iraq.

Second, the reason people like McCain and Feinstein want to pass a “cyber security” bill is because it would further enable private corporations, the same private corporations that currently possess a great deal of your personal information, to share data with the federal government without facing the possibility of legal liability. What members of Congress are referring to as “cyber security” bills are more accurately called surveillance bills.

Third, legislation won’t improve computer security. No matter how many “cyber security” bills are passed, the fact of the matter is that bills are merely words on pieces of paper, and words on pieces of paper have no ability to affect the world by themselves. What you need are experts in computer security doing their job, and that is done by enticing them with rewards (often referred to as paying them) for utilizing their skills. Legislation doesn’t do that, markets do. The only thing legislation does is state who the state will send armed thugs after if their desires are not properly met.

Nothing Says Secure Communications Like a Backdoor

Since Snowden released the National Security Agency’s (NSA) dirty laundry security conscious people have been scrambling to find more secure means of communication. Most of the companies called out in the leaked documents have been desperately trying to regain the confidence of their customers. Google and Apple have enabled full device encryption on their mobile operating systems by default, many websites have either added HTTPS communications or have gone to exclusive HTTPS communications, and many apps have been released claiming to enable communications free from the prying eyes of Big Brother. Verizon decided to jump on the bandwagon but failed miserably:

Verizon Voice Cypher, the product introduced on Thursday with the encryption company Cellcrypt, offers business and government customers end-to-end encryption for voice calls on iOS, Android, or BlackBerry devices equipped with a special app. The encryption software provides secure communications for people speaking on devices with the app, regardless of their wireless carrier, and it can also connect to an organization’s secure phone system.

Cellcrypt and Verizon both say that law enforcement agencies will be able to access communications that take place over Voice Cypher, so long as they’re able to prove that there’s a legitimate law enforcement reason for doing so.

Security is an all or nothing thing. If you implement a method for law enforcement to access communications you also allow everybody else to access communications. Backdoors are purposely built weaknesses in the security capabilities of a software package. While developers will often claim that only authorized entities can gain access using a backdoor in reality anybody with the knowledge of how the backdoor works can use it.

Matters are made worse by the fact that law enforcement access is the problem everybody is trying to fix. The NSA was surveilling the American people in secret. A lot of people have also been questioning the amount of surveillance being performed by local law enforcement agencies. Since there is a complete absence of oversight and transparency nobody knows how pervasive the problem is, which means we must assume the worst case and act as if local departments are spying on everything they can. Tools like the one just released by Verizon don’t improve the situation at all.

Here’s Some Compromise

Most people have probably heard that Apple is no longer able to bypass a device’s encryption and Google has announced the same feature will appear in the next release of Android. Anybody with a modicum of intelligence is glad to hear this but there are a few dipshits who think this is a bad feature. Take this fool for example:

How to resolve this? A police “back door” for all smartphones is undesirable — a back door can and will be exploited by bad guys, too. However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant. Ultimately, Congress could act and force the issue, but we’d rather see it resolved in law enforcement collaboration with the manufacturers and in a way that protects all three of the forces at work: technology, privacy and rule of law.

So a police back door is undesirable but Apple and Google could perhaps implement a police back door. Idiot. Do you know what I think about that idea? This is what I think about that idea:

[Image: fuck-you]

That’s right, fuck this guy and his idea. There is no magical security mechanism that can allow only legitimate bypasses. If there is a back door then it can, as a matter of fact, be abused. Even if malicious third parties were unable to access the system it would still be ripe for abuse by law enforcement agents, which have a notable history of abusing power.

Here’s my idea for a compromise. Apple and Google should not implement any back door and in return law enforcement agents can deal with the fact that they can’t access our personal data on our devices. How’s that for a compromise?

If You Hire Specialists You Should Probably Listen to Them

Since the breach at Target several other high profile cases of customer credit card data being stolen have arisen. Home Depot is one of the stores whose credit card data was obtained by unknown third parties. What’s interesting about the Home Depot case is that it’s beginning to appear as though the company’s internal security team issued a warning about the problem several years ago:

But despite alarms as far back as 2008, Home Depot was slow to raise its defenses, according to former employees. On Thursday, the company confirmed what many had feared: The biggest data breach in retailing history had compromised 56 million of its customers’ credit cards. The data has popped up on black markets and, by one estimate, could be used to make $3 billion in illegal purchases.

Yet long before the attack came to light this month, Home Depot’s handling of its computer security was a record of missteps, the former employees said. Interviews with former members of the company’s cybersecurity team — who spoke on the condition they not be named, because they still work in the industry — suggest the company was slow to respond to early threats and only belatedly took action.

A heads up from an anonymous former employee isn’t solid evidence but it wouldn’t surprise me if this is true. Companies have a history of putting aside time and money to hire security specialists only to ignore their advice. This is something that I never understood. Why would any company invest resources to hire specialists only to ignore their advice? When you hire security specialists you should expect them to deliver bad and costly news, especially between the time you first hire them and have a chance to implement their recommended security practices. Yet so many companies seem dead set on ignoring any bad news delivered by their security specialists. It’s stupid, that’s the only word for it.

A Special Fear Day Announcement for Retail Workers

On this most frightful Fear Day the Department of Motherland Fatherland Homeland Security (DHS) has a very special message for those of you working retail:

Homeland Security Secretary Jeh Johnson said his department will be issuing new guidance to retailers this week giving them pointers on how to spot potential terrorists among their customers by looking at what they’re buying.

While saying the government cannot prohibit sales of some everyday materials, Mr. Johnson said retailers should be trained to look for anyone who buys a lot from what he described as a “long list of materials that could be used as explosive precursors.”

That’s right, those of you working retail are this country’s first line of defense! It is you who can identify terrorists buying supplies to build bombs! It is you who can report all suspicious persons to Big Brother! It is you who can save the lives of your fellow countrymen before some terrorist shitbag has a chance to act! The safety of our entire nation now rests on your ever vigilant shoulders!

So what sorts of things should a vigilant retail employee look for? How about pressure cookers:

“We can’t and we shouldn’t prohibit the sale of a pressure cooker. We can sensitize retail businesses to be on guard for suspicious behavior by those who buy this kind of stuff,” Mr. Johnson said during a question-and-answer session after a speech at the Council on Foreign Relations.

Is that person buying a pressure cooker a chef, person who cans food, or terrorist plotting to bomb the people you know and love? Don’t take chances, if you see somebody attempting to buy a pressure cooker call the police and allow them to interrogate the buyer.

Obviously the fine people at the DHS will have many more guidelines. But the bottom line is this: just because you have absolutely no security or counter-terrorism training doesn’t mean you can’t point the finger at random people and accuse them of wrongdoing. Fear best propagates when we believe everybody is out to get us, so do your part by spreading fear of your customers.

A Rather Brilliant Scam

There are a lot of scams out there but it’s rare that you come across an especially clever one. Sharron Laverne Parrish Jr. supposedly managed to pull off a scam that actually merits a little congratulations for creativity:

Here’s how it works: Parrish allegedly visited Apple Stores and tried to buy products with four different debit cards, which were all closed by his respective financial institutions. When his debit card was inevitably declined by the Apple Store, he would protest and offer to call his bank — except, he wasn’t really calling his bank.

So, the complaint says, he would offer the Apple Store employees a fake authorization code with a certain number of digits, which is normally provided by credit card issuers to create a record of the credit or debit override. (Business Insider, like the Tampa Bay Times, refuses to publish the number of digits “so as not to inspire anyone.”)

But that’s the problem with this system: as long as the number of digits is correct, the override code itself doesn’t matter.

I couldn’t find the number of digits from the quick Google search I performed, otherwise I would let you know what it is (because security through obscurity is dumb and people who rely on it should feel bad for doing so). But using this scheme Mr. Parrish scammed various Apple stores out of $309,768 in merchandise. My guess is the high amount is what ultimately got him caught. Let this be a lesson to would-be thieves. If you’ve found a good scam don’t use it too much because that is what will most likely get you caught.

What’s especially bad about this scam is that the retailer generally has to eat the costs because they overrode the declination. Because of this many retailers will probably stop accepting override codes under any circumstance. That’s the only way to protect against this scam since the only thing that determines whether or not an authorization code is valid is the number of digits.
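The flaw described above, modeled as an added example (not code from the article or from any real payment system): a register that accepts any code of the right length, next to a check that asks the issuer whether it actually issued that code for this card, merchant and amount. `CODE_LENGTH`, the `Issuer` class and the card and merchant names are constructed for illustration.

```python
import hmac
import secrets

CODE_LENGTH = 6  # constructed placeholder; the article withholds the real length


def length_only_check(code):
    """The flawed rule described above: only the shape of the code is checked."""
    return code.isdigit() and len(code) == CODE_LENGTH


class Issuer:
    """Hypothetical card issuer that remembers every override it hands out."""

    def __init__(self):
        self._approvals = {}  # (card, merchant, amount) -> issued code

    def approve(self, card_ref, merchant_id, amount_cents):
        # A real approval originates here, never with the customer.
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._approvals[(card_ref, merchant_id, amount_cents)] = code
        return code

    def verify(self, card_ref, merchant_id, amount_cents, code):
        # The approval is consumed on the first attempt, so a code cannot be
        # replayed and a wrong guess cannot be retried against the same approval.
        expected = self._approvals.pop((card_ref, merchant_id, amount_cents), None)
        if expected is None:
            return False
        return hmac.compare_digest(expected, code)


def hardened_check(issuer, card_ref, merchant_id, amount_cents, code):
    """Accept an override only if the issuer confirms it issued this exact code.

    The register reaches the issuer over its own channel, not over a phone
    call the customer places.
    """
    if not length_only_check(code):
        return False
    return issuer.verify(card_ref, merchant_id, amount_cents, code)


if __name__ == "__main__":
    issuer = Issuer()
    made_up = "0" * CODE_LENGTH  # a customer-supplied code the issuer never saw
    print("length-only accepts made-up code:", length_only_check(made_up))
    print("hardened accepts made-up code:   ",
          hardened_check(issuer, "card-A", "store-1", 129900, made_up))
    real = issuer.approve("card-A", "store-1", 129900)
    print("hardened accepts issued code:    ",
          hardened_check(issuer, "card-A", "store-1", 129900, real))
    print("hardened accepts replayed code:  ",
          hardened_check(issuer, "card-A", "store-1", 129900, real))
```
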

TSA Develops New Scam to Steal Your Stuff

The Transportation Security Administration (TSA) will soon have to change its name to the Thieves’ Guild. While it has been stealing trinkets from airline passengers for ages now, it has had to steal more valuable items behind closed doors. That will no longer be the case! The TSA has developed a new scam to separate you from your stuff:

The TSA now requires that you power on your gadgets when flying to the US from “certain overseas airports.” If you have a dead battery, you’re out of luck. You’ll likely have to leave that hardware behind, and you might go through “additional screening” at the same time.

Did you run your laptop’s battery down at the meeting before flying back home? That’s too bad because it will now become the property of the TSA. Did your cellphone battery run out while you were taking pictures on your last day of vacation? The TSA thanks you for donating your cellphone to its agents.

There are so many things that are wrong with this new policy that I don’t know where to begin. First of all the fancy baggage x-ray machines can already see the contents of your electronic devices. If the screener misses a fucking bomb hidden inside of the case then he shouldn’t be screening. Anything. Ever. Because that’s a major mishap. Second of all there have been no cases of an attacker smuggling a bomb onto a plane inside of an electronic device. This is probably because the baggage x-ray machines would see it. Third of all having every passenger power on every electronic device they’re carrying is going to slow down security lines a lot. After all many passengers fly with a laptop and a cell phone at a minimum. Others also fly with an e-book reader, handheld game system, portable music player, smartwatch, camera, and so on. This policy would actually bring the entire Las Vegas airport to a grinding halt if TSA implemented it during Defcon.

This is another case of the TSA playing security theater and whenever it does that it almost always involves taking passengers’ stuff. And the best part about this theater is the ticket prices will soon be increasing. There’s nothing like having to pay somebody more money so they can steal more of your shit.

For $600,000 a Month You Too Can Hire a Failure as a Security Consultant

Do you have $600,000 a month to burn? Do you hate children or the homeless too much to use it to help them? Do you like to give money to former government goons? If you answered yes to all three I have a deal for you. Keith Alexander, the former head of the National Security Agency (NSA), has a cybersecurity consulting company called IronNet Cybersecurity Incorporated:

Alexander offered to provide advice to Sifma for $1 million a month, according to two people briefed on the talks. The asking price later dropped to $600,000, the people said, speaking on condition of anonymity because the negotiation was private.

$600,000 a month to get security advice from a man who couldn’t stop one consultant from walking off with his agency’s secrets on a thumb drive. Sounds like a good bargain to me!

But Keith’s position is an example of an all too common phenomenon among former government goons. After leaving his post with the state he returns to the private sector to use the knowledge and contacts to rake in massive amounts of cash. It’s why threats to dismiss state goons are so ineffective. They know once they are kicked out of their position they can use the contacts they made while working for the state to become wealthy.