Maybe Connecting Everything to the Internet Isn’t a Great Idea

I’ve made my feelings about the so-called Internet of things (IoT) abundantly clear over the years. While I won’t dismiss the advantages that come with making devices Internet accessible, I’m put off by industry’s general apathy towards security. This is especially true when critical infrastructure is connected to the Internet. Doing so can lead to stories like this:

Someone broke into the computer system of a water treatment plant in Florida and tried to poison drinking water for a Florida municipality’s roughly 15,000 residents, officials said on Monday.

The intrusion occurred on Friday evening, when an unknown person remotely accessed the computer interface used to adjust the chemicals that treat drinking water for Oldsmar, a small city that’s about 16 miles northwest of Tampa. The intruder changed the level of sodium hydroxide to 11,100 parts per million, a significant increase from the normal amount of 100 ppm, Pinellas County Sheriff Bob Gualtieri said in a Monday morning press conference.

The individuals involved with the water treatment plant have been surprisingly dismissive about this. They’ve pointed out that there was never any danger to the people of Oldsmar because treated water doesn’t hit the supply system for 24 to 36 hours and there are procedures in place that would have caught the dangerous levels of sodium hydroxide in the water before it could be released. I believe both claims. I’m certain there are a number of water quality sensors involved in verifying that treated water is safe before it is released into the supply system. However, they’re not mentioning other dangers.

Poisoning isn’t the only danger of this kind of attack. What happens when treated water can’t be released into the supply system? If an attacker poisons some of the treated water, is there an isolated surplus that can be released into the supply system instead? If not, this kind of attack can work as a denial of service against the city’s water supply. What can be done with poisoned water? It can’t be released into the supply system and I doubt environmental regulations will allow it to be dumped into the ground. Even if it could be dumped into the ground, doing so would risk poisoning groundwater supplies. It’s possible that a percentage of the plant’s treatment capacity becomes unavailable for an extended period of time while the poisoned water is purified.

What’s even more concerning is that this attack wasn’t detected by an intrusion detection system. It was detected by dumb luck:

Then, around 1:30 that same day, the operator watched as someone remotely accessed the system again. The operator could see the mouse on his screen being moved to open various functions that controlled the treatment process. The unknown person then opened the function that controls the input of sodium hydroxide and increased it by 111-fold. The intrusion lasted from three to five minutes.

This indicates that the plant’s network security isn’t adequate for the task at hand. Had the operator not been at the console at the time, it’s quite possible that the attacker would have been able to poison the water. There is also a valid question about the user interface. Why does it apparently allow raising the levels of sodium hydroxide to a dangerous amount? If there are valid reasons for doing so (which there absolutely could be), why doesn’t doing so at least require some kind of supervisory approval?
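The two points raised above, that a remote session went unnoticed until an operator happened to be watching and that the interface accepted a 111-fold increase without a second pair of eyes, are both things a control interface can enforce in software. The following is an added example written for this post, not code from the plant, its vendor, or the original article. The policy numbers (a 50 to 500 ppm hard range and a 50 ppm unapproved step) are assumed for illustration; a real plant would take them from its process engineers and permits. The 100 ppm and 11,100 ppm values replay the change described in the article.

```python
"""Guardrails for a chemical-dosing setpoint on a treatment-plant HMI.

Added example, not code from the original post or from any plant vendor.
The policy numbers (50-500 ppm hard range, 50 ppm unapproved step) are
assumed for illustration; the 100 ppm -> 11,100 ppm change replays the
Oldsmar incident described in the post.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class SetpointPolicy:
    hard_min: float   # controller refuses anything below this
    hard_max: float   # controller refuses anything above this
    max_step: float   # largest single change allowed without a second person


@dataclass
class ChangeRequest:
    parameter: str
    current: float
    requested: float
    operator: str
    session: str                        # "local" console or "remote" access
    approved_by: Optional[str] = None   # supervisor who countersigned, if any


@dataclass
class AuditLog:
    entries: List[dict] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)

    def record(self, req: ChangeRequest, decision: str, reason: str) -> None:
        self.entries.append({
            "parameter": req.parameter, "from": req.current, "to": req.requested,
            "operator": req.operator, "session": req.session,
            "decision": decision, "reason": reason,
        })


def evaluate(req: ChangeRequest, policy: SetpointPolicy, log: AuditLog) -> str:
    """Decide a setpoint change: 'apply', 'hold' (needs approval) or 'reject'."""
    # Remote sessions raise an alert before any decision is made, so the
    # on-shift operator or a SOC hears about them even when the change is benign.
    if req.session == "remote":
        log.alerts.append(
            f"remote session by {req.operator} is changing {req.parameter}")
    # Hard limits are the physical safety envelope: no approval overrides them.
    if not policy.hard_min <= req.requested <= policy.hard_max:
        log.record(req, "reject", "outside hard limits")
        return "reject"
    # Large steps and any remote change need a second, different person.
    needs_approval = (abs(req.requested - req.current) > policy.max_step
                      or req.session == "remote")
    if needs_approval:
        if req.approved_by is None:
            log.record(req, "hold", "awaiting supervisory approval")
            return "hold"
        if req.approved_by == req.operator:
            log.record(req, "hold", "approver must differ from operator")
            return "hold"
    log.record(req, "apply", "within policy")
    return "apply"


# Assumed policy for sodium hydroxide dosing, in ppm.
NAOH_POLICY = SetpointPolicy(hard_min=50.0, hard_max=500.0, max_step=50.0)


def replay_oldsmar() -> dict:
    """Replay the reported change (100 ppm -> 11,100 ppm over remote access)."""
    log = AuditLog()
    req = ChangeRequest("sodium_hydroxide_ppm", 100.0, 11_100.0,
                        operator="unknown-remote-user", session="remote")
    return {"decision": evaluate(req, NAOH_POLICY, log),
            "alerts": len(log.alerts), "entries": log.entries}


if __name__ == "__main__":
    print(replay_oldsmar())
```

Two design choices matter here. The hard range is not something an approver can waive, because it represents what the process can physically tolerate rather than a policy question. And the alert on a remote session is raised regardless of the outcome, so detection does not depend on the attacker picking a value that happens to trip a limit.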

It’s not uncommon for people involved in industries to cite the lack of budget necessary to address the issues I’ve raised. But if there isn’t a sufficient budget to address important security concerns when connecting critical infrastructure to the Internet, I will argue that it shouldn’t be done at all. The risks of introducing remote access to a system aren’t insignificant and the probability of an attack occurring is extremely high.

Whenever somebody discusses connecting a device to the Internet, I immediately ask what benefits doing so will provide. I then ask which of those benefits can be realized with a local automation system. For example, a Nest thermostat offers some convenient features, but many of those features can be realized with a local Home Assistant controller.

The Revolution Won’t Be Tweeted

Comparing the civil unrest at the Capitol to the 9/11 attacks seems to be the trendy thing to do. Doing so is idiotic, but most trendy things are. However, there is a noteworthy characteristic they share: they preceded crackdowns on heterodox ideas.

This crackdown has been more obvious because it follows the popularization of social media. We get to witness Facebook, Twitter, and YouTube ban users. The posts and videos made by politicians and orthodox thinkers calling for the suppression, oftentimes through violent means, of heterodox thinkers are shared far and wide. What makes it even worse is that there are quislings everywhere. Numerous people are bragging about having reported friends or family members to authorities and administrators for the crime of expressing wrongthink.

Social media sites have made it clear that they will not host heterodox ideas. The revolution won’t be tweeted. So what’s a heterodox thinker to do?

The first thing you need to do, if you haven’t already, is establish additional means of contacting your fellow heterodox thinkers. Secure means of communication are preferable. My tribe and I have made extensive use of Signal and Element. But even e-mail is enough to notify your tribe that you were purged.

The second thing is to tidy up your tribe. In an environment where friends and family members are bragging about selling each other out, it pays to raise some walls between your social circles. Take a page from the freedom fighter book and establish cells. Despite what social media encourages, not all of your friends have to know all of your other friends. Not every person with whom you sleep needs to meet your parents. It makes sense to separate your social circles into cells. Treat your family as one group. If you’re a Linux enthusiast, treat your Linux enthusiast friends as another group. If you’re also an anarchist, treat your anarchist friends as a third group. You may have friends who fall into multiple groups, which is fine. The purpose of tidying up your tribe isn’t to separate all of your friends from one another, it’s to separate those who ideologically oppose one another. Having family members is great. Having fellow anarchists is great. But some of your family members may be orthodox thinkers and thus ideologically oppose your heterodox thinking anarchist friends. If those family members know who your anarchist friends are, they may choose to report them (possibly to the authorities, possibly to the service administrators, or possibly to both).

The third thing is to establish appropriate long-term methods of communicating with your cells of friends. If your family are mostly orthodox thinkers then phone calls, standard text messages, e-mail, and even social media sites (if you haven’t already been banned) may be appropriate. Your Linux cell is likely more technologically savvy but still mostly on the up and up in the eyes of orthodox thinkers so tools like Internet Relay Chat (IRC) and Discord may be appropriate. Your anarchist cell will be populated by heterodox thinkers so secure communications, preferably using decentralized and even more preferably self-hosted tools, will be appropriate.

The final thing only applies to cells with an external mission. You and your cell need to determine appropriate ways of publishing your propaganda. The more orthodox the thinking of a cell is, the easier this is. Your Linux cell is still mostly free to post its propaganda on social media sites. But your heterodox thinking cells need to put more effort into this. Anarchists, for example, can’t rely on social media platforms. They need to consider setting up self-hosted websites, establishing mailing lists, etc. Distributing local propaganda may require resorting to old-fashioned pamphlets.

Mainstream acceptance of free expression ebbs and flows. We are currently in an ebb, but just because acceptance of free expression is moving back out to sea doesn’t mean it won’t return. It also doesn’t mean we can’t express ourselves. We just need to practice more caution and exercise more creativity.

Mullvad VPN

Periodically I’m asked to recommend a good Virtual Private Network (VPN) provider. I admit that I don’t spend a ton of time researching VPN providers because my primary use case for VPNs is to access my local network and secure my communications when traveling so most of the time I use my own VPN server. When I want to guard my network traffic against my Internet Service Provider (ISP), I use Tor. With that said, I do try to keep at least one known decent VPN provider in my back pocket to recommend to friends.

In the past I have usually recommended Private Internet Access because it’s ubiquitous, affordable, and its claim that it doesn’t keep logs has been proven in court. However, Private Internet Access is based in the United States, which means it can be subject to National Security Letters (NSL). Moreover, Private Internet Access was recently acquired by Kape Technologies. Kape Technologies has a troubling past and you can never guarantee that a company will maintain the same policies after it has been purchased so I’ve been looking at some alternative recommendations.

Of the handful with which I experimented, I ended up liking Mullvad VPN the most. In fact I ended up really liking it (for me finding a decent VPN provider is usually an exercise in finding the least terrible option).

Mullvad is headquartered in Sweden, which means it’s not subject to NSLs or other draconian United States laws (it’s subject to Swedish laws, but I’m outside of that jurisdiction). But even if it’s subjected to some kind of surveillance law, Mullvad goes to great lengths to enable you to be anonymous, which greatly hinders its ability to surveil you. To start with, your account is just a pseudorandomly generated number. You don’t need to provide any identifiable information, not even an e-mail address. When you want to log in to pay your account, you simply enter your number. The nice thing about this is that the number is also easily disposed of. Since you can generate a new account by simply clicking on a link, you can throw away your account whenever you want. You can even generate accounts via its onion service (this link will only work if you’re using the Tor Browser).

Mullvad’s pricing is €5 (roughly $5.50 when I last paid) per month. Paying per month allows you to change accounts every month if you want. Payments can be made using more traditional services such as credit cards and PayPal, but you can also use more anonymous payment options such as Bitcoin and Bitcoin Cash (I would like to see the option of using Monero since it has anonymity built-in).

The thing that initially motivated me to test Mullvad was the fact that it uses WireGuard. WireGuard is our new VPN overlord. If you’re new to WireGuard or less technically inclined, you can download and use Mullvad’s app. If you’re familiar with WireGuard or willing to learn about it, you can use Mullvad’s configuration file generator to generate WireGuard configuration files for your system (this is how I used it). Mullvad also supports OpenVPN, but I didn’t test it because it’s 2020 and WireGuard is our new VPN overlord.

Like most decent VPN providers, Mullvad also has a page to check if your Mullvad connection is set up correctly. It performs the usual tasks of reporting if you’re connecting through a Mullvad server and if your Domain Name System (DNS) requests are leaking. It also attempts to check if your browser is leaking information through WebRTC. You can also test your torrent client in case you want to download Linux distros (because that’s the only thing anybody downloads via BitTorrent) more securely.
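The provider’s check page tells you after the fact whether traffic and DNS are leaving through the tunnel. The two mistakes it usually catches, a split tunnel and a missing in-tunnel resolver, are both visible in the WireGuard file the configuration generator hands you, so they can be caught before the tunnel is ever brought up. The following is an added example written for this post; it is not Mullvad’s code or tooling, and every key, address and endpoint in the sample files is a constructed value rather than real provider data.

```python
"""Offline sanity check of a WireGuard client config before bringing it up.

Added example, not Mullvad's code or tooling. It parses the kind of file a
provider's generator hands you and flags the mistakes that let traffic go
around the tunnel: AllowedIPs that do not cover 0.0.0.0/0 and ::/0 (split
tunnel) and no in-tunnel DNS server. Every key, address and endpoint below
is a constructed sample value, not real provider data.
"""
import base64
import ipaddress
from typing import Dict, List

# Constructed 32-byte "keys" so the samples parse like real files.
KEY_A = base64.b64encode(bytes([1]) * 32).decode()
KEY_B = base64.b64encode(bytes([2]) * 32).decode()

# Constructed sample: full tunnel with an in-tunnel resolver.
SAMPLE_OK = f"""\
[Interface]
PrivateKey = {KEY_A}
Address = 10.99.0.2/32, fc00:bbbb::2/128
DNS = 10.99.0.1

[Peer]
PublicKey = {KEY_B}
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:51820
"""

# Constructed sample: split tunnel and no DNS line, so queries go to the ISP.
SAMPLE_LEAKY = f"""\
[Interface]
PrivateKey = {KEY_A}
Address = 10.99.0.2/32

[Peer]
PublicKey = {KEY_B}
AllowedIPs = 10.99.0.0/16
Endpoint = 203.0.113.10:51820
"""


def parse_wg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}, ignoring comments and blank lines."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def is_wg_key(value: str) -> bool:
    """A WireGuard key is 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False


def check_config(text: str) -> List[str]:
    """Return findings; an empty list means the file passes every check."""
    cfg = parse_wg(text)
    iface, peer = cfg.get("Interface", {}), cfg.get("Peer", {})
    findings: List[str] = []
    if not is_wg_key(iface.get("PrivateKey", "")):
        findings.append("Interface.PrivateKey missing or malformed")
    if not is_wg_key(peer.get("PublicKey", "")):
        findings.append("Peer.PublicKey missing or malformed")
    if "Endpoint" not in peer:
        findings.append("Peer.Endpoint missing")
    if "DNS" not in iface:
        findings.append("Interface.DNS missing: resolver queries will bypass the tunnel")
    # A full tunnel needs a /0 route for each address family.
    covered = set()
    for item in peer.get("AllowedIPs", "").split(","):
        item = item.strip()
        if item:
            net = ipaddress.ip_network(item, strict=False)
            if net.prefixlen == 0:
                covered.add(net.version)
    for version in (4, 6):
        if version not in covered:
            findings.append(
                f"AllowedIPs does not send all IPv{version} traffic through the tunnel")
    return findings


if __name__ == "__main__":
    for name, text in (("full tunnel", SAMPLE_OK), ("split tunnel", SAMPLE_LEAKY)):
        print(name, check_config(text) or "OK")
```

Run it against the file you intend to pass to wg-quick. The IPv6 check is deliberate: a config that routes 0.0.0.0/0 but omits ::/0 still lets every IPv6-capable destination see your ISP-assigned address.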

I didn’t come across anything egregious with Mullvad, but don’t take my recommendation too seriously (this is the caveat I give to everybody who asks me to recommend a VPN provider). My VPN use case isn’t centered around maintaining anonymity and I didn’t perform thorough testing in that regard. Instead I tested it based on my use case, which is mostly protecting my connection from local actors when traveling. As with anything, you should test the service yourself.

Don’t Use Zoom

With most of the country under stay-at-home orders that have turned homes into prisons, people are turning to video conferencing software to socialize. With all of the available options out there somehow the worst possible option has become the most popular (which seems like the overarching theme to our current crises). Zoom appears to have become the most popular video conferencing software for people imprisoned in their homes.

Don’t use Zoom.

Why? First, the company uses misleading marketing. If you’ve seen some of the company’s marketing, you might be under the mistaken impression Zoom video conferences are end-to-end encrypted. They’re not. But that’s the tip of the iceberg. A while back Zoom pulled a rather sneaky maneuver and installed a secret web server on Macs, which was supposedly meant to make using the software easier for Safari users (the claim was bullshit). Apple wasn’t amused and removed the software via an update. Zoom did remove that functionality, but the software still had surprises in store for Mac users. It turns out that it contained a security vulnerability that allowed a remote attacker to access the computer’s webcam and microphone… oh and provided them with root access. Don’t worry Windows users, Zoom didn’t forget about you. The Windows version of Zoom contained a vulnerability that allowed attackers to steal system passwords. And so everybody could suffer equally, Zoom made it easy for randos to join supposedly private video conferences.

I’m not even done yet. Zoom also leaked users’ e-mail addresses and photos to randos and, until it was caught, was also selling personal data to Facebook.

So I reiterate, don’t use Zoom.

If You’re Good at Something, Never Do It for Free

A minor controversy has developed in the macOS world. Linus Henze, a security researcher, has discovered a vulnerability in Keychain for macOS that allows an attacker to access stored passwords. However, Henze isn’t providing the details to Apple because Apple’s bug bounty program, for some stupid reason, doesn’t cover macOS vulnerabilities:

Security researcher Linus Henze has shared a video demonstration of what is claimed to be a macOS Mojave exploit to access passwords stored in the Keychain. However, he has said he is not sharing his findings with Apple out of protest.

Henze has publicly shared legitimate iOS vulnerabilities in the past, so he has a track record of credibility.

However, Henze is frustrated that Apple’s bug bounty program only applies to iOS, not macOS, and has decided not to release more information about his latest Keychain invasion.

Some people aren’t happy with Henze’s decision because his refusal to provide the exploit to Apple will make it harder for the company to fix the vulnerability. What these people are forgetting is that Henze isn’t refusing to provide the exploit to Apple, he’s refusing to provide it for free. In other words, he wants to be paid for his work. I don’t know many people who would willingly work for free. I certainly wouldn’t. Unless you would, you really should put the blame for this on Apple for refusing to pay for macOS exploits.

Disable FaceTime

If for some inexplicable reason you own an Apple device and haven’t already disabled FaceTime, you should do so now:

Users have discovered a bug in Apple’s FaceTime video-calling application that allows you to hear audio from a person you’re calling before they accept the call—a critical bug that could potentially be used as a tool by malicious users to invade the privacy of others.

You don’t want a caller to hear you bitching them out for being inconsiderate by calling you instead of having the decency to send a text message.

Great Claims Request Great Evidence

A couple of months ago Bloomberg made big waves with an article that claimed China had inserted hardware bugs into the server architecture of many major American companies, including Amazon and Apple. Doubts were immediately raised by a few people because the Bloomberg reporters weren’t reporting on a bugged board that they had seen; they merely cited claims made by anonymous sources (always a red flag in a news article). But the hack described, although complicated in nature, wasn’t outside of the realm of possibility. Moreover, Bloomberg isn’t a tabloid, the organization has some journalistic credibility, so the threat was treated seriously.

Since the threat was being taken seriously, actual investigations were being performed by the companies named in the article. This is where the credibility of the article started to falter. Apple and Amazon both announced that after investigating the matter they found no evidence that their systems were compromised. Finally the company specifically named as the manufacturer of the compromised servers announced that an independent audit found no evidence to support Bloomberg’s claims:

SAN FRANCISCO (Reuters) – Computer hardware maker Super Micro Computer Inc told customers on Tuesday that an outside investigations firm had found no evidence of any malicious hardware in its current or older-model motherboards.

In a letter to customers, the San Jose, California, company said it was not surprised by the result of the review it commissioned in October after a Bloomberg article reported that spies for the Chinese government had tainted Super Micro equipment to eavesdrop on its clients.

Could Apple, Amazon, and Super Micro all be lying about the findings of their investigations as some have insinuated? They certainly could be. But I subscribe to the idea that great claims require great evidence. Bloomberg has failed to produce any evidence to back its claims. If the hack described in its article was as pervasive as the article claimed, it should have been easy for the journalists to acquire or at least see one of these compromised boards. There is also the question of motivation.

Most reports indicated that China has had great success hacking systems the old fashioned way. One of the advantages to remote software hacks is that they leave behind little in the way of hard evidence. The evidence that is left behind can usually be plausibly denied by the Chinese government (it can claim that Chinese hackers unaffiliated with the government performed a hack for example). Why would China risk leaving behind physical evidence that is much harder to deny when it is having success with methods that are much easier to deny?

Unless Bloomberg can provide some evidence to support its claims, I think it’s fair to call bullshit on the article at this point.

Chip-and-Fail

EMV cards, those cards with the chip on the front, were supposed to reduce fraud but credit card fraud is rising. What gives? It turns out that the security provided by Chip-and-PIN doesn’t work when you don’t use it:

The reasons seem to be twofold. One, the US uses chip-and-signature instead of chip-and-PIN, obviating the most critical security benefit of the chip. And two, US merchants still accept magnetic stripe cards, meaning that thieves can steal credentials from a chip card and create a working cloned mag stripe card.

A lot of stores still don’t have credit card readers that can handle cards with a chip so you’re stuck using the entirely insecure magnetic stripe. And most credit cards equipped with chips don’t require entering a PIN because Americans are fucking lazy:

The reason banks say they don’t want to issue PINs is that they’re worried it will add too much friction to transactions and make life difficult for their customers. “The credit-card market is pretty brutally competitive, so the first issuer who goes with PINs has to worry about whether the consumers are going to say, ‘Oh, that’s the most inconvenient card in my wallet,’’ says Allen Weinberg, the co-founder of Glenbrook Partners. “There’s this perception that maybe it’s going to be less convenient, even though some merchants would argue that PINs take less time than signatures.”

Since card holders face little in the way of liability for fraudulent transactions, they have little motivation to enter a four to six digit PIN every time they purchase something. If card holders aren’t motivated to enter a PIN, card issuers aren’t likely to require holders to enter a PIN because it might convince them to get a different card. It’s tough to improve security when nobody gives a damn about security.

Eventually the level of fraud will rise to the point where card issuers will take the risk of alienating some holders and mandate the use of a PIN. When that day finally comes, card issuers will discover that Americans are absolutely able to overcome any barrier if doing so allows them to continue buying sneakers with lights in them.

Bitwarden Completes Security Audit

In my opinion one of the easiest things an individual can do to improve their overall computer security is use a password manager. I had been using 1Password for years and have nothing but good things to say about it. However, when I decided to move from macOS to Linux, I decided that I needed a different option. 1Password’s support on Linux is only available through 1Password X, which is strictly a browser plugin. Moreover, in order to use 1Password X, you need to pay a subscription (I was using a one-time paid license for 1Password 7 on macOS as well as the one-time paid version for iOS), which I generally prefer to avoid.

Bitwarden bubbled to the top of my list because it’s both open source and can be self-hosted (which is what I ended up doing). While Bitwarden lacks several nice features that 1Password has, using it has been an overall pleasant experience. Besides missing some features that I’ve come to enjoy, another downside to Bitwarden has been the lack of a security audit. Two days ago the Bitwarden team announced that a third-party vendor has completed a code audit and the results were good:

In the interest of providing full disclosure, below you will find the technical report that was compiled from the team at Cure53 along with an internal report containing a summary of each issue, impact analysis, and the actions taken/planned by Bitwarden regarding the identified issues and vulnerabilities. Some issues are informational and no action is currently planned or necessary. We are happy to report that no major issues were identified during this audit and that all issues that had an immediate impact have already been resolved in recent Bitwarden application updates.

The full report can be read here [PDF].

With this announcement I’m of the opinion that Bitwarden should be given serious consideration if you’re looking for a password manager. It’s an especially good option if you want to go the self-hosted route and/or want support for Linux, macOS, and Windows.

Your Vote Matters

After the last election the Democrats were throwing a fit over supposed Russian interference with the presidential election (funny how politicians here get bent out of shape when somebody interferes with their elections). Implied in the accusation is that an extremely sophisticated enemy such as a state actor is necessary to interfere with a United States election. However, the security of many election machines and election-related sites is so bad that an 11-year-old can break into them:

An 11-year-old boy on Friday was able to hack into a replica of the Florida state election website and change voting results found there in under 10 minutes during the world’s largest yearly hacking convention, DEFCON 26, organizers of the event said.

Thousands of adult hackers attend the convention annually, while this year a group of children attempted to hack 13 imitation websites linked to voting in presidential battleground states.

The boy, who was identified by DEFCON officials as Emmett Brewer, accessed a replica of the Florida secretary of state’s website. He was one of about 50 children between the ages of 8 and 16 who were taking part in the so-called “DEFCON Voting Machine Hacking Village,” a portion of which allowed kids the chance to manipulate party names, candidate names and vote count totals.

Florida’s website isn’t an isolated incident. The entire infrastructure supporting elections here in the United States is a mess:

Even though most states have moved away from voting equipment that does not produce a paper trail, when experts talk about “voting systems,” that phrase encompasses the entire process of voting: how citizens register, how they find their polling places, how they check in, how they cast their ballots and, ultimately, how they find out who won.

Much of that process is digital.

“This is the problem we always have in computer security — basically nobody has ever built a secure computer. That’s the reality,” Schneier said. “I want to build a robust system that is secure despite the fact that computers have vulnerabilities, rather than pretend that they don’t because no one has found them yet. And people will find them — whether it’s nation-states or teenagers on a weekend.”

And before you think that your state is smart for not using voting machines, you should be aware that computers are involved in various steps of any modern voting process. Minnesota, for example, uses paper ballots but they’re fed into an electronic machine. Results from local ballot counts are transmitted electronically. Those results are then eventually transmitted electronically to media sources and from there to the masses.

If you go to cast your ballot today, know that there is no reason to believe that it will matter. There are far too many pieces of the voting infrastructure that are vulnerable to the machinations of 11-year-olds.