Guns, Weed, and Crypto

Because I advocate apolitical action to achieve change in the world I periodically get political types snidely asking, “Well what have you done for liberty?” It’s a fair question. My recent efforts have been primarily focused on teaching people how to defend themselves online. Fortunately I’m not alone. I’ve been working with some phenomenal people to run CryptoPartyMN, an organization created specifically to teach people how to use secure means of communication.

Our work hasn’t gone unnoticed either. A few weeks ago James Shiffer from the Star Tribune contacted us. He was working on an article covering Crypto War II and wanted to interview members of CryptoPartyMN to understand the counterarguments to the State’s claims that effective cryptography puts everybody at risk. In addition to interviewing several of us he also attended the last CryptoParty. The result was this article. As you can tell from the article we’ve got everything you could possibly want:

The three CryptoParty presenters were Burg, 32, a Twin Cities software developer and Second Amendment supporter whose blog is called “A Geek With Guns.” The two others are cannabis activists Cassie Traun, 26, an IT professional who “never really trusted the government,” and Kurtis Hanna, 30, an unsuccessful candidate for Minneapolis mayor and state Legislature who said he became interested in the issue after the revelations of NSA spying.

Guns, weed, and crypto. Between the three of us we’ve got pretty much every important freedom issue covered!

So, yeah, that’s one of the things I’ve been up to.

One Sword Keeps Another In The Sheath

George Herbert once wrote, “One sword keeps another in the sheath.” Later Robert Heinlein expressed a similar idea in Beyond This Horizon when he wrote, “An armed society is a polite society.” Today many people would argue the idea shared by Herbert and Heinlein is destructive. They argue that peace can only exist when the general population is unarmed, but they acknowledge the need for weapons to enforce such a prohibition and so generally approve of the military and police keeping theirs. But Herbert and Heinlein were correct: peace tends to prevail when no disparity of force exists.

Force is an appealing option when one enjoys a greater capacity for it than their target. We see this every day with violent criminals. Amongst violent criminals there is a great tendency to target easier prey. The criteria that determine how easy a target is vary. If the criminal is physically strong they may see physically weak individuals as easy prey. If the criminal has a gun they may see anybody who is unarmed as easy prey. If the criminal is with friends they may see any group that is numerically inferior as easy prey. Most criminals see people who are entirely unaware of their surroundings as easy prey. In general criminals target those they believe to have a lesser capacity for force than themselves. Economically this makes sense because the risks of employing violence decrease as your force advantage over your target increases.

But force becomes unattractive when your target enjoys an equal capacity. The reason for this is obvious. Force carries with it the possibility of severe injury or death. That’s what makes force appealing to those who enjoy a sizable advantage. But it also means a target that is on equal footing with you stands a good chance of injuring or killing you. If two renowned swordsmen are both carrying their swords the likelihood of a disagreement between them turning violent is going to remain fairly low. Both of them know drawing their sword will cause an equal reaction from the other and the outcome of the fight may very well include the loss of limbs or life.

This principle remains even on larger scales. A nation only tends to declare war against another if it believes it’s in an advantaged position. When a nation doesn’t believe it enjoys a force advantage it tends to use diplomacy. The United States and the Soviet Union avoided a direct war because both had enough nuclear weaponry to wipe the other out. Napoleon invaded Russia because he believed his military was superior and that would ensure his victory.

One of the reasons I believe stateless societies tend to be more peaceful than ones under statism is because the disparity of force between the people and the State is nonexistent. Iceland’s stateless period, medieval Ireland, the Old American West, and Neutral Moresnet are all examples of stateless societies that tended to be very peaceful when compared to their statist neighbors. Since there was no organization with a great force advantage over everybody else the tendency was for people to choose diplomacy over violence.

The desire to eliminate disparity of force, and therefore reduce the appeal of using violence, is one of the primary reasons libertarians tend to be supporters of allowing individuals to be armed. They recognize that one gun keeps another in the holster. It is also why even libertarian statists tend to support individuals enjoying arms parity with the police and military.

Need Your Friend’s Wi-Fi Password? Ask Their Kettle!

A lot of companies are making a big deal out of the Internet of Things. The Internet of Things is just a fancy phrase for adding Internet connectivity to everything from lightbulbs to tea kettles. Theoretically this could enable some pretty neat functionality, but it also means every device in your home becomes a potential attack vector, and in this case a device that holds your Wi-Fi passphrase. Not surprisingly the security record of current Internet of Things manufacturers leaves a lot to be desired:

Following our recent demonstration at the Infosecurity Show and with Rory Cellan-Jones on the BBC here’s a write up and more technical detail on the Smarter iKettle hack.

[…]

For those of you who haven’t seen the demo in person, here’s how it works.

The brief version:

De-auth kettle from its usual access point. Use aireplay-ng
Create fake AP with same SSID
Kettle joins
Connect to telnet service, authenticate using default PIN of ‘000000’
Enter ‘AT-KEY’
Plaintext WPA PSK is then disclosed
Yes, it’s that easy

Oy vey! For some reason each market appears dead set on learning hard lessons the hard way. Software developers learned the cost of not taking security seriously. Automobile manufacturers are now learning that lesson. Manufacturers that produce Internet enabled devices will probably be the next in line to learn it. Note what the quoted steps actually combine: a shared default PIN that every unit ships with, no limit on PIN guesses, and a debug command that hands back a stored secret in the clear. Any one of those is a defect; together they turn a kettle into a Wi-Fi key disclosure service.
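As an added example (not the kettle’s firmware and not code from the quoted write-up), here is a Python model of the management shell the write-up describes, placed next to a hardened version of the same interface so the design mistakes are visible side by side. The vulnerable class reproduces only the two behaviours the write-up states: a shared default PIN of 000000 and an AT-KEY command that returns the stored Wi-Fi passphrase. Everything else, the OK/ERR/LOCKED reply strings, the AT-SETKEY command, the five-failure lockout, and the sample PIN and passphrase, is an assumption made for illustration.

```python
"""Added example: a model of the kettle's management shell as the quoted
write-up describes it, next to a hardened version. This is not the kettle's
firmware and not code from the write-up; the reply strings, the AT-SETKEY
command, the lockout threshold, the sample PIN and the sample passphrase are
assumptions made for illustration.
"""
import hmac

DEFAULT_PIN = "000000"                        # shared default from the write-up
SAMPLE_PSK = "correct horse battery staple"   # constructed home Wi-Fi passphrase
SAMPLE_PIN = "482913"                         # constructed per-device PIN


class VulnerableKettleShell:
    """The two behaviours the write-up describes: a default PIN every unit
    shares, and AT-KEY answering with the plaintext WPA passphrase."""

    def __init__(self, psk: str, pin: str = DEFAULT_PIN):
        self.psk = psk
        self.pin = pin
        self.authenticated = False

    def handle(self, line: str) -> str:
        line = line.strip()
        if not self.authenticated:
            if line == self.pin:             # unlimited guesses, plain compare
                self.authenticated = True
                return "OK"
            return "ERR"
        if line == "AT-KEY":
            return self.psk                   # secret handed to anyone who got this far
        return "ERR"


class HardenedKettleShell:
    """Same command surface with the fixes a reviewer would insist on: refuse
    to run on the shared default PIN, lock out after repeated failures, and
    make the passphrase write-only so no command can read it back."""

    MAX_FAILURES = 5

    def __init__(self, psk: str, pin: str):
        if pin == DEFAULT_PIN or not (pin.isdigit() and len(pin) == 6):
            raise ValueError("provision a unique six-digit PIN before enabling the shell")
        self._pin = pin.encode()
        self._psk = psk
        self.authenticated = False
        self.failures = 0
        self.locked = False

    def handle(self, line: str) -> str:
        line = line.strip()
        if self.locked:
            return "LOCKED"
        if not self.authenticated:
            if hmac.compare_digest(line.encode(), self._pin):
                self.authenticated = True
                self.failures = 0
                return "OK"
            self.failures += 1
            if self.failures >= self.MAX_FAILURES:
                self.locked = True            # a real device would require a physical reset
                return "LOCKED"
            return "ERR"
        if line == "AT-KEY":
            # Report whether Wi-Fi is configured; never echo the passphrase.
            return "CONFIGURED" if self._psk else "NOT CONFIGURED"
        if line.startswith("AT-SETKEY "):
            self._psk = line[len("AT-SETKEY "):]   # write-only
            return "OK"
        return "ERR"


def attacker_session(shell) -> tuple:
    """Replays the quoted attack: send the default PIN, then AT-KEY."""
    return shell.handle(DEFAULT_PIN), shell.handle("AT-KEY")


def rejects_default_pin() -> bool:
    """True if the hardened shell refuses to be provisioned with 000000."""
    try:
        HardenedKettleShell(SAMPLE_PSK, DEFAULT_PIN)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", attacker_session(VulnerableKettleShell(SAMPLE_PSK)))
    print("hardened:  ", attacker_session(HardenedKettleShell(SAMPLE_PSK, SAMPLE_PIN)))
```

The model covers the shell only; it says nothing about the earlier step in the quoted attack, where the kettle joins any access point advertising its configured SSID. A lockout makes online guessing of a six-digit PIN impractical, but it is the write-only passphrase that removes the payoff: even a fully authenticated attacker gets “CONFIGURED” rather than the key.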

My advice for everybody is to wait a bit before diving too far into this Internet of things. Let the early adopters suffer the pain and misery of immature products. Then, when the time is right, move in and thank all those poor souls for their sacrifice.

Password Managers Compared

Now that LastPass is owned by a company nobody trusts a lot of interest in alternatives has been generated. I looked at several alternatives, ultimately settling on 1Password, but my time is limited. Fortunately I found a surprisingly complete chart comparing the features of numerous password managers. If you’re interested in moving away from LastPass or you just want to start using a password manager this chart has you covered.

Your Daily Reminder To Uninstall Flash

No matter how many times security researchers recommend that people uninstall Flash, people keep using it. Yet again Adobe released an update to address a slew of critical vulnerabilities in Flash, only for more to be discovered the next day:

Now today, security researchers have disclosed a new zero-day vulnerability in fully patched versions of Adobe Flash, which is currently being exploited in the wild by a Russian state-sponsored hacking group named “Pawn Storm”.

That means, even users with an entirely up-to-date installation (versions 19.0.0.185 and 19.0.0.207) of the Flash software are also vulnerable to the latest zero-day exploit.

When people ask me for some easy recommendations to improve their security I tell them to uninstall Flash. Along with simple things like using a password manager to ensure you’re not reusing passwords and using two-factor authentication on websites that support it, uninstalling Flash is easy and greatly reduces your exposure when browsing the Internet.

So once again I implore you, if you haven’t already, purge Flash from all of your computers.

LastPass Sold To LogMeIn

LastPass, a password manager I have been recommending for years due to its ease of use and compatibility with pretty much everything, was bought out by LogMeIn. Based on what I’ve read on Twitter, Ars Technica, and Reddit, LogMeIn is not a well liked company. In my experience acquisitions usually end up badly for users of the product being acquired. The fact that LogMeIn is viewed so negatively by a huge portion of the Internet further exacerbates my concern that this acquisition is not good news for LastPass users.

I believe password managers are one of the easiest ways for the average person to improve their security. Due to this acquisition I can’t as confidently recommend LastPass as I have been previously doing. While I’m not going to go so far as to say you shouldn’t use LastPass, as the future is not known, I want to have other recommendations available if things go south.

To that end I’m going to recommend two products. The first is KeePassX. KeePassX is a free password manager that’s available for Windows, Linux, and OS X. It’s an open source product and seems to be well respected amongst users. Unfortunately syncing isn’t available out of the box (there are ways you can set up syncing though), which limits its utility for people who commonly use multiple devices. For many people this could be seen as a feature though, as having your passwords, even in an encrypted format, stored on a third-party server creates more opportunities for compromise. There also seems to be an absence of decent mobile clients.

The second password manager I’m going to recommend, and it’s the one I’m now using, is 1Password. 1Password was the runner up when I was first choosing a password manager. The two reasons I chose LastPass over it were price, LastPass Premium is much cheaper than 1Password, and the fact 1Password isn’t compatible with Linux. It is, however, compatible with OS X, Windows, iOS, and Android. Since I only use Linux and Windows in virtual machines the fact I don’t have a password manager for those platforms isn’t that big of a deal (in fact I’ve never used LastPass on either platform outside of initial testing). 1Password can also sync your passwords across your devices with iCloud, Dropbox, or on your local network (although the last option only works between a single Mac and iOS devices so it’s severely limited). Right now the price is pretty reasonable as the developers are having a 40% off sale that is totally because of Cybersecurity Awareness Month and not at all because LastPass’s customers are pretty unhappy right now (it’s just a coincidence the sale started shortly after the news of LastPass’s acquisition broke).

It’s too early to panic over the LastPass acquisition. LogMeIn is promising to keep LastPass’s current business model in place, although those promises don’t seem to be well received due to the company’s history. I switched immediately because the writing on the wall isn’t to my liking and because I want to be familiar with an alternative in case things go south. If you’re happy with LastPass and the acquisition isn’t a concern for you (and let’s be honest, it won’t be a concern for anybody for a while as it takes some time for the consequences of company acquisitions to manifest) keep using it.

Verizon To Sell Customer Data To AOL

There is a battle between Verizon and AT&T to determine which of the two companies is the most evil. Both companies have gone to tremendous lengths to fuck their customers over but Verizon’s latest ploy may be enough to put it ahead:

Verizon is giving a new mission to its controversial hidden identifier that tracks users of mobile devices. Verizon said in a little-noticed announcement that it will soon begin sharing the profiles with AOL’s ad network, which in turn monitors users across a large swath of the Internet.

That means AOL’s ad network will be able to match millions of Internet users to their real-world details gathered by Verizon, including — “your gender, age range and interests.” AOL’s network is on 40 percent of websites, including on ProPublica.

Here again we see the need for HTTPS everywhere. The key to Verizon’s tracking technology is its ability to inject a tracking number into its customers’ web traffic. HTTPS is not only good at preventing people in the middle of a client-server communication from seeing the content. Because TLS authenticates every record it carries, it is also good at preventing people in the middle from altering that content in any way.

Verizon’s tracking technology works by exploiting the fact that insecure web traffic can be modified. The modification, in this case, is adding a tracking number, invisible to the user, to a customer’s web traffic. This is made possible by the fact that Verizon, the customer’s Internet service provider, sits in the middle of all communications between its customers and the Internet. When the connection between the customer and a website is secured with HTTPS, Verizon can no longer alter the traffic and therefore cannot inject its tracking number. The caveat is that this protects only the connections that are actually encrypted: as long as a site still answers over plain HTTP, every request to it remains exposed to the injection.

I’m obviously beating a dead horse on this one but I will continue to do so until every website using HTTPS exclusively.

Install That *Bleep*ing Ad Blocker Already

iOS 9 has been released and with it the ability for iOS users to install ad blockers. Online publications are already crying foul and declaring an end to the “free” web:

When Apple launches its new software update for the iPhone on Wednesday, users will be offered the chance to surf the mobile Web without annoying ads cluttering up their screen.

But Apple’s support for ad-blocking technology is ringing alarm bells on Madison Avenue, where critics warn it threatens not only the lifeblood of their business — but also the economic underpinnings of the free Internet.

“We don’t think ad blocking is right,” Scott Cunningham, senior vice president of the Interactive Advertising Bureau, told The Post.

[…]

“Advertising is the economic engine that drives the free Internet,” Cunningham said. “The reality is the last 20 years have seen people developing content online for distribution, and consumers have opted in for that free content.”

As a general rule when a business has to guilt trip you into abiding by its business model it’s time to let it die. Then there is the ironclad fact that past performance does not predict future results. Just because the last 20 years of Internet content may have been fueled primarily by advertisements doesn’t mean it will always be that way. Advertisements have worked because consumers have felt the benefits outweighed the costs. But the costs of advertising are increasing.

Most cellular providers are charging customers based on data usage, which means the additional bandwidth used by advertisements is beginning to have a very real cost. Mobile devices are also becoming the predominant means for web access. Since advertisements require additional hardware resources to render they negatively impact battery life and that is a major problem for users of mobile devices. Ad networks are also increasingly being used to spread malware.

The reason advertising has been a successful model is because most of the costs have been hidden from the consumer. Now the costs are becoming very visible to consumers. Because of that consumers will likely change their behavior. One of those changes will likely be an increased use of ad blockers. As more consumers block ads more content producers will have to change their business models to survive.

There has never been a free web. Don’t let advertisers bullshit you into believing that. And don’t let them guilt trip you into making yourself vulnerable by not using an ad blocker. I promise you that the web won’t die. You may have to pay content producers directly but that isn’t so bad when you consider how much money you’ll save on bandwidth, extra batteries, and not having to deal with malware.

Same Exploits, New Target

I can’t wait for self-driving cars to hit the market. If there’s one thing I don’t want to waste my time doing it’s driving. Unfortunately public transportation is limited by destinations and times. Why should I schedule my entire day around the whims of a public transportation provider when I can have the best of both worlds?

But a lot of people don’t agree with me. The biggest argument I hear against self-driving cars is that they could make mistakes. This is an especially laughable argument since humans make mistakes while driving frequently enough to kill over 30,000 people per year in the United States alone. Another argument against self-driving cars is that hackers can more easily manipulate them into performing undesirable actions such as going to an incorrect destination or crashing. Seemingly supporting this argument is recent research that demonstrated how self-driving cars could be manipulated by feeding their sensors faulty data:

The multi-thousand-dollar laser ranging (lidar) systems that most self-driving cars rely on to sense obstacles can be hacked by a setup costing just $60, according to a security researcher.

“I can take echoes of a fake car and put them at any location I want,” says Jonathan Petit, Principal Scientist at Security Innovation, a software security company. “And I can do the same with a pedestrian or a wall.”

Using such a system, attackers could trick a self-driving car into thinking something is directly ahead of it, thus forcing it to slow down. Or they could overwhelm it with so many spurious signals that the car would not move at all for fear of hitting phantom obstacles.

This isn’t as damning as many people are making it sound. While the target has changed the exploit hasn’t. You can cause all sorts of havoc by feeding human drivers false data. Drivers have driven into bodies of water because their navigation software fed them incorrect data. Putting up fake road signs can manipulate people into taking wrong roads. Using an FM transmitter to broadcast a fake emergency message can cause all sorts of chaos.

Humans, like machines, use sensory input to make decisions. That sensory input can be exploited, which is how many less-lethal weapons work. Where machines differ is that they’re easier to update to protect against sensory exploitation. Sensory exploits on self-driving cars are likely correctable with software updates.

As machines continue to replace the need for human labor let us not forget that many of the weaknesses present in machines are also present in ourselves.

AT&T Demonstrates Why HTTPS Is Needed Everywhere

Ads have become a notable threat to computer security. While they are a fact of life for accessing content without paying directly for it, you wouldn’t expect a company you pay money to to infest your web experience with ads. But some companies like to double dip. AT&T is one of those companies. In addition to getting customers to pay for hotspots, AT&T is also maliciously inserting ads into websites visited through its hotspots:

While traveling through Dulles Airport last week, I noticed an Internet oddity. The nearby AT&T hotspot was fairly fast—that was a pleasant surprise.

But the web had sprouted ads. Lots of them, in places they didn’t belong.

[…]

Curious, and waiting on a delayed flight, I started poking through web source. It took little time to spot the culprit: AT&T’s wifi hotspot was tampering with HTTP traffic.

The ad injection platform appears to be a service from RaGaPa, a small startup. Their video pitch features “MONETIZE YOUR NETWORK” over cascading dollar signs. (Seriously.)

When an HTML page loads over HTTP, the hotspot makes three edits. (HTTPS traffic is immune, since it’s end-to-end secure.)

First, the hotspot adds an advertising stylesheet.

[…]

Next, it injects a backup advertisement, in case a browser doesn’t support JavaScript. It appears that the hotspot intercepts /ragapa URLs and resolves them to advertising images.

[…]

Finally, the hotspot adds a pair of scripts for controlling advertisement loading and display.

The title of this post promised Hypertext Transfer Protocol Secure (HTTPS) so some may be wondering what HTTPS has to do with ad injection. Simply put, this kind of bullshit can’t happen when the connection between a client and the server is encrypted and authenticated, which is what TLS provides. A man in the middle, which AT&T is in this case, cannot see the contents of the communication, and because every TLS record carries an authentication tag, any alteration it attempts is detected by the receiver and the connection fails instead of delivering the modified page. Encryption on its own would not be enough for that second part; it is the integrity check that turns tampering into a hard failure.

You won’t see any AT&T injected ads on this blog because everything is served over HTTPS (the insecure HTTP interface just 301 redirects to the HTTPS connection). That first redirect is itself sent over plaintext and could in principle be intercepted, which is why it should be paired with an HSTS header so browsers skip the plaintext request on later visits. If every website did this the business model used by RaGaPa, the ad injection service AT&T is using, would be a total failure.

Securing connections doesn’t just protect against eavesdropping. It also protects against altering the contents, which can be just as big of a problem if not an even bigger one. In fact content integrity is another reason why the “nothing to hide” crowd should be ignored in discussions of pervasive cryptography. Cryptography is about so much more than hiding content.
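As an added example serving both this post and the Verizon post above (it is not code from either post, from AT&T, RaGaPa, or Verizon, and it is not TLS), here is a Python model of the three situations the two posts describe: an in-path network rewriting a plaintext HTTP response, the same party facing traffic that is merely encrypted, and the same party facing traffic that is encrypted and authenticated. The “record” functions are a deliberately simple stand-in for the TLS record layer built from the standard library (a SHA-256 counter-mode keystream plus an HMAC-SHA256 tag); the sample page, the keys, and the /ragapa file names are all constructed for illustration.

```python
"""Added example, not code from the original posts or from the quoted
write-ups. It models the two situations the HTTPS posts describe: an in-path
network (a carrier or a hotspot) rewriting plaintext HTTP, and the same party
facing an encrypted connection. The "record" functions are a deliberately
simple stand-in for the TLS record layer (SHA-256 keystream plus an
HMAC-SHA256 tag); they are NOT TLS and exist only to show why the
authentication tag, not the encryption alone, is what makes injection fail.
"""
import hashlib
import hmac

# Constructed sample response body standing in for any page served over HTTP.
ORIGINAL_HTML = (b"<html><head><title>Example</title></head>"
                 b"<body><p>Hello</p></body></html>")

# Constructed keys; a real protocol derives these from a handshake.
ENC_KEY = b"\x11" * 32
MAC_KEY = b"\x22" * 32
NONCE = b"\x00" * 8


def inject_ads(html: bytes) -> bytes:
    """Model of a hotspot editing a plaintext HTML response.

    The three edits mirror the quoted write-up: an advertising stylesheet, a
    <noscript> fallback image under a /ragapa path, and a pair of scripts.
    The file names are placeholders, not the real ones.
    """
    head = b'<link rel="stylesheet" href="/ragapa/ads.css">'
    body = (b'<noscript><img src="/ragapa/fallback.png"></noscript>'
            b'<script src="/ragapa/load.js"></script>'
            b'<script src="/ragapa/show.js"></script>')
    html = html.replace(b"</head>", head + b"</head>", 1)
    return html.replace(b"</body>", body + b"</body>", 1)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy construction, not for real use)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor_stream(data: bytes, key: bytes = ENC_KEY, nonce: bytes = NONCE) -> bytes:
    """Encrypt or decrypt (same operation) with the toy stream cipher; no tag."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def seal(plaintext: bytes) -> tuple:
    """Encrypt-then-MAC: the tag covers the nonce and the whole ciphertext."""
    ciphertext = xor_stream(plaintext)
    tag = hmac.new(MAC_KEY, NONCE + ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def open_record(ciphertext: bytes, tag: bytes) -> bytes:
    """Verify the tag before decrypting; any altered byte fails here."""
    expected = hmac.new(MAC_KEY, NONCE + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("record authentication failed")
    return xor_stream(ciphertext)


def bitflip(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Middlebox that cannot read the traffic but guesses `known` plaintext at
    `offset` and XORs in the difference so decryption yields `wanted` instead."""
    assert len(known) == len(wanted)
    delta = bytes(k ^ w for k, w in zip(known, wanted))
    mid = bytes(c ^ d for c, d in zip(ciphertext[offset:offset + len(delta)], delta))
    return ciphertext[:offset] + mid + ciphertext[offset + len(delta):]


def demo() -> dict:
    """Run the three scenarios and report what the client ends up seeing."""
    # 1. Plaintext HTTP: the hotspot simply rewrites the body.
    http_body = inject_ads(ORIGINAL_HTML)

    # 2. Encryption without authentication: the middlebox still cannot read the
    #    page, but a predictable prefix lets it overwrite bytes blindly.
    known, wanted = b"<html><head>", b"<html><b>AD!"
    unauth_view = xor_stream(bitflip(xor_stream(ORIGINAL_HTML), 0, known, wanted))

    # 3. Authenticated encryption: the same tampering fails verification.
    ciphertext, tag = seal(ORIGINAL_HTML)
    try:
        open_record(bitflip(ciphertext, 0, known, wanted), tag)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "http_injected": b"/ragapa" in http_body,
        "unauthenticated_tampered": unauth_view.startswith(wanted),
        "authenticated_rejected": rejected,
        "untampered_ok": open_record(ciphertext, tag) == ORIGINAL_HTML,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The middle scenario is the one worth noticing: a stream cipher alone hides the page from the hotspot, yet a guessable prefix such as an HTML preamble or an HTTP status line is enough to flip it into something else without ever decrypting. Real TLS uses authenticated encryption for exactly this reason, and that is the property the two posts are relying on when they say an ISP or hotspot cannot inject anything into an HTTPS connection.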