A Geek With Guns

Chronicling the depravities of the State.

Archive for the ‘Security’ tag

Mullvad VPN

without comments

Periodically I’m asked to recommend a good Virtual Private Network (VPN) provider. I admit that I don’t spend a ton of time researching VPN providers because my primary use case for VPNs is to access my local network and secure my communications when traveling so most of the time I use my own VPN server. When I want to guard my network traffic against my Internet Service Provider (ISP), I use Tor. With that said, I do try to keep at least one known decent VPN provider in my back pocket to recommend to friends.

In the past I have usually recommended Private Internet Access because it’s ubiquitous, affordable, and its claim that it doesn’t keep logs has been proven in court. However, Private Internet Access is based in the United States, which means it can be subject to National Security Letters (NSL). Moreover, Private Internet Access was recently acquired by Kape Technologies. Kape Technologies has a troubling past and you can never guarantee that a company will maintain the same policies after it has been purchased so I’ve been looking at some alternative recommendations.

Of the handful with which I experimented, I ended up liking Mullvad VPN the most. In fact I ended up really liking it (for me finding a decent VPN provider is usually an exercise in finding the least terrible option).

Mullvad is headquartered in Sweden, which means it’s not subject to NSLs or other draconian United States laws (it’s subject to Swedish laws, but I’m outside of that jurisdiction). But even if it’s subjected to some kind of surveillance law, Mullvad goes to great length to enable you to be anonymous, which greatly hinders its ability to surveil you. To start with your account is just a pseudorandomly generated number. You don’t need to provide any identifiable information, not even an e-mail address. When you want to log in to pay your account, you simple enter your number. The nice thing about this is that the number is also easily disposed of. Since you can generate a new account by simply clicking on a link, you can throw away your account whenever you want. You can even generate accounts via its onion service (this link will only work if you’re using the Tor Browser).

Mullvad’s pricing is €5 (roughly $5.50 when I last paid) per month. Paying per month allows you to change accounts every month if you want. Payments can be made using more traditional services such as credit cards and PayPal, but you can also use more anonymous payment options such as Bitcoin and Bitcoin Cash (I would like to see the option of using Monero since it has anonymity built-in).

The thing that initially motivated me to test Mullvad was the fact that it uses WireGuard. WireGuard is our new VPN overlord. If you’re new to WireGuard or less technically inclined, you can download and use Mullvad’s app. If you’re familiar with WireGuard or willing to learn about it, you can use Mullvad’s configuration file generator to generate WireGuard configuration files for your system (this is how I used it). Mullvad also supports OpenVPN, but I didn’t test it because it’s 2020 and WireGuard is our new VPN overlord.

Like most decent VPN providers, Mullvad also has a page to check if your Mullvad connection is setup correctly. It performs the usual tasks of reporting if you’re connecting through a Mullvad server and if your Domain Name System (DNS) requests are leaking. It also attempts to check if your browser is leaking information through WebRTC. You can also test your torrent client in case you want to download Linux distros (because that’s the only thing anybody downloads via BitTorrent) more securely.

I didn’t come across anything egregious with Mullvad, but don’t take my recommendation too seriously (this is the caveat I give to everybody who asks me to recommend a VPN provider). My VPN use case isn’t centered around maintaining anonymity and I didn’t perform thorough testing in that regard. Instead I tested it based on my use case, which is mostly protecting my connection from local actors when traveling. As with anything, you should test the service yourself.

Written by Christopher Burg

April 15th, 2020 at 6:00 am

Don’t Use Zoom

with 3 comments

With most of the country under a stay at home order turned into a prison, people are turning to video conferencing software to socialize. With all of the available options out there somehow the worst possible option has become the most popular (which seems like the overarching theme to our current crises). Zoom appears to have become the most popular video conferencing software for people imprisoned in their homes.

Don’t use Zoom.

Why? First, the company uses misleading marketing. If you’ve seen some of the company’s marketing, you might be under the mistaken impression Zoom video conferences are end-to-end encrypted. They’re not. But that’s the tip of the iceberg. A while back Zoom pulled a rather sneaky maneuver and installed a secret web server on Macs, which was supposedly meant to make using the software easier for Safari users (the claim was bullshit). Apple wasn’t amused and removed the software via an update. Zoom did remove that functionality, but the software still had surprises in store for Mac users. It turns out that it contained a security vulnerability that allowed a remote attacker to access the computer’s webcam and microphone… oh and provided them with root access. Don’t worry Windows users, Zoom didn’t forget about you. The Windows version of Zoom contained a vulnerability that allowed attackers to steal system password. And so everybody could suffer equally, Zoom made it easy for randos to join supposedly private video conferences.

I’m not even done yet. Zoom also leaked users’ e-mail addresses and photos to randos and, until it was caught, was also selling personal data to Facebook.

So I reiterate, don’t use Zoom.

Written by Christopher Burg

April 2nd, 2020 at 6:00 am

Posted in Technology

Tagged with ,

If You’re Good at Something, Never Do It for Free

without comments

A minor controversy has developed in the macOS world. Linuz Henze, a security researcher, has discovered a vulnerability in Keychain for macOS that allows an attacker to access stored passwords. However, Henze isn’t providing the details to Apple because Apple’s bug bounty program, for some stupid reason, doesn’t cover macOS vulnerabilities:

Security researcher Linuz Henze has shared a video demonstration of what is claimed to be a macOS Mojave exploit to access passwords stored in the Keychain. However, he has said he is not sharing his findings with Apple out of protest.

Henze has publicly shared legitimate iOS vulnerabilities in the past, so he has a track record of credibility.

However, Henze is frustrated that Apple’s bug bounty program only applies to iOS, not macOS, and has decided not to release more information about his latest Keychain invasion.

Some people aren’t happy with Henze’s decision because his refusal to provide the exploit to Apple will make it harder for the company to fix the vulnerability. What these people are forgetting is that Henze isn’t refusing to provide the exploit to Apple, he’s refusing to provide it for free. In other words, he wants to be paid for his work. I don’t know many people who would willingly work for free. I certainly wouldn’t. Unless you would, you really should put the blame for this on Apple for refusing to pay for macOS exploits.

Written by Christopher Burg

February 7th, 2019 at 10:00 am

Posted in Technology

Tagged with , ,

Disable FaceTime

without comments

If for some inexplicable reason you own an Apple device and haven’t already disabled FaceTime, you should do so now:

Users have discovered a bug in Apple’s FaceTime video-calling application that allows you to hear audio from a person you’re calling before they accept the call—a critical bug that could potentially be used as a tool by malicious users to invade the privacy of others.

You don’t want a caller to hear you bitching them out for being inconsiderate by calling you instead of having the decency to send a text message.

Written by Christopher Burg

January 29th, 2019 at 10:30 am

Posted in Technology

Tagged with , ,

Great Claims Request Great Evidence

without comments

A couple of months ago Bloomberg made big waves with an article that claimed China had inserted hardware bugs into the server architecture of many major American companies, including Amazon and Apple. Doubts were immediately raised by a few people because the Bloomberg reporters weren’t reporting on a bugged board that they had seen, they merely cited claims made by anonymous sources (always a red flag in a news article). But the hack described, although complicated in nature, wasn’t outside of the realm of possibility. Moreover, Bloomberg isn’t a tabloid, the organization has some journalistic readability, so the threat was treated seriously.

Since the threat was being taken seriously, actual investigations were being performed by the companies named in the article. This is where the credibility of the article started to falter. Apple and Amazon both announced that after investigating the matter they no evidence that their systems were compromised. Finally the company specifically named as the manufacturer of the compromised servers announced that an independent audit found no evidence to support Bloomberg’s claims:

SAN FRANCISCO (Reuters) – Computer hardware maker Super Micro Computer Inc told customers on Tuesday that an outside investigations firm had found no evidence of any malicious hardware in its current or older-model motherboards.

In a letter to customers, the San Jose, California, company said it was not surprised by the result of the review it commissioned in October after a Bloomberg article reported that spies for the Chinese government had tainted Super Micro equipment to eavesdrop on its clients.

Could Apple, Amazon, and Super Micro all be lying about the findings of their investigations as some have insinuated? They certainly could be. But I subscribe to the idea that great claims require great evidence. Bloomberg has failed to produce any evidence to back its claims. If the hack described in its article was as pervasive as the article claimed, it should have been easy for the journalists to acquire or at least see one of these compromised boards. There is also the question of motivation.

Most reports indicated that China has had great success hacking systems the old fashioned way. One of the advantages to remote software hacks is that they leave behind little in the way of hard evidence. The evidence that is left behind can usually be plausibly denied by the Chinese government (it can claim that Chinese hackers unaffiliated with the government performed a hack for example). Why would China risk leaving behind physical evidence that is much harder to deny when it is having success with methods that are much easier to deny?

Unless Bloomberg can provide some evidence to support its claims, I think it’s fair to call bullshit on the article at this point.

Written by Christopher Burg

December 12th, 2018 at 10:30 am

Posted in Technology

Tagged with ,

Chip-and-Fail

with 2 comments

EMV cards, those cards with the chip on the front, were supposed to reduce fraud but credit card fraud is rising. What gives? It turns out that the security provided by Chip-and-PIN doesn’t work when you don’t use it:

The reasons seem to be twofold. One, the US uses chip-and-signature instead of chip-and-PIN, obviating the most critical security benefit of the chip. And two, US merchants still accept magnetic stripe cards, meaning that thieves can steal credentials from a chip card and create a working cloned mag stripe card.

A lot of stores still don’t have credit card readers that can handle cards with a chip so you’re stuck using the entirely insecure magnetic strip. And most credit cards equipped with chips don’t require entering a PIN because Americans are fucking lazy:

The reason banks say they don’t want to issue PINs is that they’re worried it will add too much friction to transactions and make life difficult for their customers. “The credit-card market is pretty brutally competitive, so the first issuer who goes with PINs has to worry about whether the consumers are going to say, ‘Oh, that’s the most inconvenient card in my wallet,’’ says Allen Weinberg, the co-founder of Glenbrook Partners. “There’s this perception that maybe it’s going to be less convenient, even though some merchants would argue that PINs take less time than signatures.”

Since card holders face little in the way of liability for fraudulent transactions, they have little motivation to enter a four to six digit PIN every time they purchase something. If card holders aren’t motivated to enter a PIN, card issuers aren’t likely to require holder to enter a PIN because it might convince them to get a different card. It’s tough to improve security when nobody gives a damn about security.

Eventually the level of fraud will rise to the point where card issuers will take the risk of alienating some holders and mandate the use of a PIN. When that day finally comes, card issuers will discover that Americans are absolutely able to overcome any barrier if doing so allows them to continue buying sneakers with lights in them.

Written by Christopher Burg

November 16th, 2018 at 11:00 am

Bitwarden Completes Security Audit

without comments

In my opinion one of the easiest things an individual can do to improve their overall computer security is use a password manager. I had been using 1Password for years and have nothing but good things to say about it. However, when I decided to move from macOS to Linux, I decide that I needed a different option. 1Password’s support on Linux is only available through 1Password X, which is strictly a browser plugin. Moreover, in order to use 1Password X, you need to pay a subscription (I was using a one-time paid license for 1Password 7 on macOS as well as the one-time paid version for iOS), which I generally prefer to avoid.

Bitwarden bubbled to the top of my list because it’s both open source and can be self-hosted (which is what I ended up doing). While Bitwarden lacks several nice features that 1Password has, using it has been an overall pleasant experience. Besides missing some features that I’ve come to enjoy, another downside to Bitwarden has been the lack of a security audit. Two days ago the Bitwarden team announced that a third-party vendor has completed a code audit and the results were good:

In the interest of providing full disclosure, below you will find the technical report that was compiled from the team at Cure53 along with an internal report containing a summary of each issue, impact analysis, and the actions taken/planned by Bitwarden regarding the identified issues and vulnerabilities. Some issues are informational and no action is currently planned or necessary. We are happy to report that no major issues were identified during this audit and that all issues that had an immediate impact have already been resolved in recent Bitwarden application updates.

The full report can be read here [PDF].

With this announcement I’m of the opinion that Bitwarden should be given serious consideration if you’re looking for a password manager. It’s an especially good option if you want to go the self-hosted route and/or want support for Linux, macOS, and Windows.

Written by Christopher Burg

November 14th, 2018 at 10:00 am

Posted in Technology

Tagged with ,

Your Vote Matters

without comments

After the last election the Democrats were throwing a fit over supposed Russian interference with the presidential election (funny how politicians here get bent out of shape when somebody interferes with their elections). Implied in the accusation is that an extremely sophisticated enemy such as a state actor is necessary to interfere with a United States election. However, the security of many election machines and election-related sites is so bad that an 11-year-old can break into them:

An 11-year-old boy on Friday was able to hack into a replica of the Florida state election website and change voting results found there in under 10 minutes during the world’s largest yearly hacking convention, DEFCON 26, organizers of the event said.

Thousands of adult hackers attend the convention annually, while this year a group of children attempted to hack 13 imitation websites linked to voting in presidential battleground states.

The boy, who was identified by DEFCON officials as Emmett Brewer, accessed a replica of the Florida secretary of state’s website. He was one of about 50 children between the ages of 8 and 16 who were taking part in the so-called “DEFCON Voting Machine Hacking Village,” a portion of which allowed kids the chance to manipulate party names, candidate names and vote count totals.

Florida’s website isn’t an isolated incident. The entire infrastructure supporting elections here in the United States is a mess:

Even though most states have moved away from voting equipment that does not produce a paper trail, when experts talk about “voting systems,” that phrase encompasses the entire process of voting: how citizens register, how they find their polling places, how they check in, how they cast their ballots and, ultimately, how they find out who won.

Much of that process is digital.

“This is the problem we always have in computer security — basically nobody has ever built a secure computer. That’s the reality,” Schneier said. “I want to build a robust system that is secure despite the fact that computers have vulnerabilities, rather than pretend that they don’t because no one has found them yet. And people will find them — whether it’s nation-states or teenagers on a weekend.”

And before you think that you’re state is smart for not using voting machines, you should be aware that computers are involved in various steps of any modern voting process. Minnesota, for example, uses paper ballots but they’re fed into an electronic machine. Results from local ballot counts are transmitted electronically. Those results are then eventually transmitted electronically to media sources and from there to the masses.

If you go to cast your ballot today, know that there is no reason to believe that it will matter. There are far too many pieces of the voting infrastructure that are vulnerable to the machinations of 11-year-olds.

Written by Christopher Burg

November 6th, 2018 at 11:00 am

Making Surveillance Easy

without comments

We’re only a few days away from yet another “most important election in our lifetime.” Since the Republicans are in power, the Democrats and their sympathizers are pissed and when they’re pissed it’s not uncommon for them to protest (Remember the last time they were out of power? They actually protested the wars that the party in power started! Those were the days!). Nobody likes it when people protest again them so the party in power wants to keep tabs on the people who might take action against them. Fortunately for them, most protesters make this easy:

The United States government is accelerating efforts to monitor social media to preempt major anti-government protests in the US, according to scientific research, official government documents, and patent filings reviewed by Motherboard. The social media posts of American citizens who don’t like President Donald Trump are the focus of the latest US military-funded research. The research, funded by the US Army and co-authored by a researcher based at the West Point Military Academy, is part of a wider effort by the Trump administration to consolidate the US military’s role and influence on domestic intelligence.

The vast scale of this effort is reflected in a number of government social media surveillance patents granted this year, which relate to a spy program that the Trump administration outsourced to a private company last year. Experts interviewed by Motherboard say that the Pentagon’s new technology research may have played a role in amendments this April to the Joint Chiefs of Staff homeland defense doctrine, which widen the Pentagon’s role in providing intelligence for domestic “emergencies,” including an “insurrection.”

A couple of years ago a few friends and I had the opportunity to advise some protesters on avoiding government surveillance. They were using Facebook to organize and plan their protests. We had to explain to them that using Facebook for that purpose meant that every local law enforcement agency was likely receiving real-time updates on their plans. We made several recommendations, most of which involved moving planning from social media to more secure forms of communications (Signal, RetroShare, etc.). In the end they thanked us for our advice, decided that using anything but Facebook was too difficult (which made me suspect that there were undercover law enforcers amongst them), and kept handing law enforcement real-time information.

The moral of the story is that government agencies pour resources into social media surveillance because it works because most protesters are more concerned about convenience than operational security.

Security for Me, Not for Thee

without comments

Google has announced several security changes. However, it’s evident that those changes are for its security, not the security of its users:

According to Google’s Jonathan Skelker, the first of these protections that Google has rolled out today comes into effect even before users start typing their username and password.

In the coming future, Skelker says that Google won’t allow users to sign into accounts if they disabled JavaScript in their browser.

The reason is that Google uses JavaScript to run risk assessment checks on the users accessing the login page, and if JavaScript is disabled, this allows crooks to pass through those checks undetected.

Conveniently JavaScript is also used to run a great deal of Google’s tracking software.

Disabling JavaScript is a great way to improve your browser’s security. Most browser-based malware and a lot of surveillance capabilities rely on JavaScript. With that said, disabling JavaScript entirely also makes much of the web unusable because web developers love to use JavaScript for everything, even loading text. But many sites will provide at least a hobbled experience if you choose to disable JavaScript.

Mind you, I understand why Google would want to improve its security and why it would require JavaScript if it believed that doing so would improve its overall security. But it’s important to note what is meant by improving security here and what potential consequences it has for users.

Written by Christopher Burg

November 2nd, 2018 at 10:30 am

Posted in Technology

Tagged with ,