German Ships Traversing Somali Waters Can Now Hire Private Security

Traversing the waters around Somalia can be a pretty risky endeavor. Nothing will ruin your day more thoroughly than a bunch of pirates boarding your ship, holding you at gunpoint, and demanding a ransom for your release. The biggest problem has been the fact that most ships have been barred from having means of self-defense by the very governments that have been pretending to protect ships. Well, Germany has finally admitted that it is incapable of protecting its ships and has authorized its serfs on the seas to hire private security:

State secretary in the economics ministry responsible for maritime affairs, Hans-Joachim Otto, said on Thursday that he could not answer the repeated calls from shipping companies for soldiers or armed police officers to accompany their boats.

Of course the government isn’t going to allow any private security firms that it hasn’t explicitly blessed:

“We don’t want desperadoes, so we are looking into a certification,” said Otto. He said security firms offering protection would have to meet certain standards. The government had until now always rejected such a solution, unwilling to give up the state’s monopoly on the use of legitimate force.

Being able to defend yourself shouldn’t require the government’s permission. Governments like to maintain a monopoly on the use of force in all situations and get kind of testy when we peasants decide to take measures to defend our own lives. If most of the ships traversing Somali waters were armed to the teeth the pirates would likely think twice about hijacking ships. Deterring all crime is impossible, but if you raise the risk of criminal activity high enough it will deter many criminals. By raising the risks I’m not talking about increasing jail sentences either, I’m talking about people being able to defend themselves against assailants.

It’s good to see German ships will finally be allowed to hire security forces to keep the pirates at bay, but this entire problem could have been mostly avoided had no rule against ships being able to hire security been passed.

NoScript Awarded the $10,000 Dragon Research Group Security Innovation Grant

It’s likely you’ve heard me praise the awesome Firefox plugin that is NoScript. NoScript is the primary reason why I’m still running Firefox instead of Chrome. That’s why I’m glad that the plugin was awarded the Dragon Research Group Security Innovation grant, which includes $10,000.

NoScript is kind of a Swiss Army knife in regards to Firefox plugins. The main purpose of the plugin is to block scripting on all domains that you haven’t specifically whitelisted. This not only improves security by preventing malicious scripts from running, it also makes the web a much nicer place to visit since it blocks those annoying pop-over ads that block the site until you dismiss them. I’m honestly at the point where I can’t even stand visiting many websites unless I block scripting on those domains.

The PATRIOT Act and Cloud Services

I’ve briefly described my attempt to get all of my “cloud” data moved to personal servers that I directly control. Part of my reasoning for doing this is the simple fact that I like having complete control over my property (and I consider my data personal property). The other reason is I don’t like the idea of federal agents being able to obtain my personal information without my knowledge. At the very least, if the feds want to take my personal data now they will have to alert me when they come to take my server out of my dwelling (and since the data is all encrypted they’ll need my key to access anything… which will really frustrate them when I claim my Fifth Amendment right instead of handing over my encryption keys).

Some people have claimed another solution for this is to put your data in a foreign country. I never found that solution viable because the government of the country where your data is stored likely has access to it and will hand it over if the United States government puts in a request. Well Microsoft has confirmed that your data isn’t safe anywhere:

Organisations should be wary when entrusting their data to Cloud providers based in the U.S.

Microsoft, one of the first Cloud providers to come clean, have revealed that the U.S. authorities have the right to access any data stored by them, even if that data resides within the EU.

[…]

In addition, Gordon Frazer CEO of Microsoft admitted that customers would only be informed “whenever possible” with respect to authorities extracting data.

Such an example is where the FBI has the ability to issue a ‘National Security Letter’ demanding a company’s data. Frazer stated that in this case he wouldn’t even be able to admit he had received such an order.

Many people forget that those subject to “National Security Letters” are legally prohibited from even saying they received such a letter (note to the feds: if you hand me one of those letters I’m telling everybody, fuck you and your attempt to shit on the First Amendment). This means if the feds take your data you’ll never be notified because the company hosting said data will be legally muzzled.

I feel the best option in regards to your data is to maintain it all on systems that you have direct control over. Unless you have that direct control you can never be sure who is rummaging through your data (I’m not just talking about government agents at this point) or for what purposes. If you control the systems then you control who does and doesn’t have access to anything on that system.

When the State Won’t Protect You

Whenever I get into a debate about the right to carry firearms the conversation often turns to the person debating me claiming that I should rely on the police for protection. The Supreme Court has ruled on several occasions that the police aren’t required to protect you. The right to self-defense should be universal, as should be the right to own the best tool for that job. Thankfully I live in a state where I’m able to carry my firearm, but others are not so lucky.

But what can you do if your entire community is vulnerable and the state is unwilling to protect you? In that case you have to band together with the other members of your community and work together in common defense. The Firearm Blog has a link to an article that discusses the method which the people of Obo, a small African village, use to defend themselves against roving marauders:

An old woman had died. Before burying her, the residents of the village of Obo — in southern Central African Republic, just north of the Congolese border — gathered around a campfire to eat, drink, cry and sing in celebration of the woman’s long life. It was a night in March 2008, just another beat in the slow rhythm of existence in this farming community of 13,000 people.

Then the dreadlocked fighters from the Lord’s Resistance Army rebel group — tongo-tongo, the villagers call them — rose from their hiding places in the shadows and advanced toward the fire. Others blocked the paths leading from town. The rebels killed anyone who resisted, kidnapped 100 others and robbed everyone in sight.

The LRA forced the captured men and women to carry stolen goods into the jungle before releasing them. Boys and girls, they kept. The boys would be brainwashed, trained as fighters and forced to kill. The girls would be given to LRA officers as trophies, raped and made to bear children who would represent the next generation of LRA foot soldiers.

Much of Africa consists of poor farming villages such as this one. In addition, many of these villages fall under various ineffective governments (lucky buggers there) that not only refuse to offer aid to those who take defense into their own hands but are also unwilling or unable to provide defense for those who comply with the state’s demand that they be disarmed and easy prey. Well, the people of Obo had enough shit from the LRA and decided that shit was going to end:

Instead, Obo’s surviving villagers raised their own volunteer scout force (depicted above), armed it with homemade shotguns, and began disseminating intelligence on the LRA’s movements using the village’s sole, short-range FM radio transmitter.

The results of this do-it-yourself approach were encouraging. Since the attack three years ago, Obo has not suffered another major LRA invasion.

I think this proves the point that you can do a great deal of things with very little money or equipment. The citizens of Obo may not be able to afford shotguns but they certainly are willing to make them. They’ve been able to stave off any other major invasions from a likely superior fighting force. I did chuckle a bit when I read the following though:

But there’s a downside to DIY security. In arming itself and taking on intelligence tasks, Obo is essentially giving up on ever receiving help from Central African Republic’s impoverished government. That can only further undermine the government’s tenuous legitimacy — and could fuel wider instability in the future.

That doesn’t sound like much of a downside to me. Obo’s government did jack shit to protect the villagers from the LRA, so I have no idea why it would be a disadvantage to not receive any help from that state in the future. Of course this could lead to the Central African Republic’s eventual invasion and disarming of Obo, but let’s hope it doesn’t come to that.

You know what another benefit of having a means of self-defense is? Being able to defend yourself against outside threats usually does amazing things when it comes to removing your fears:

The morning after the LRA’s March 2008 attack, the sun rose on a transformed community. Before, the tongo-tongo had been able to terrorize an entire village, kill scores of people and take more than 100 prisoners using just their machetes. During the 2008 raid, the LRA reportedly didn’t fire a single bullet.

After the attack, the surviving villagers were determined to never again be defenseless. “We are not afraid,” an Obo resident named Joseph told Invisible Children’s Adam Finck. “We are not afraid because we are the victims. They attacked us. They took our children. They killed others of us. That motivates us not to be afraid of them.”

This goes for both villages and individuals. Given a means of self-defense most people become less fearful, for they have a means of controlling a situation involving an attacker. People generally fear that which they can’t control, and if somebody is mugging you while you’re defenseless you have no control over the situation. On the other hand, if you have an effective means of self-defense you gain some semblance of control over bad situations and thus are less fearful. It’s a great bonus to being able to save your own life as well.

I’m also impressed with Obo’s determination to keep their fellow villagers safe. Some people cry because they can’t afford a proper means of self-defense. Guess what? The people of Obo are very poor as well, but that didn’t stop them either:

But the men of Obo knew they needed more than courage and manpower. Too poor for military-grade weapons or even the kind of firearms American hunters take for granted, Obo set about building an arsenal of homemade, single-barrel shotguns loaded with hand-packed shells.

Anything can be a weapon in the right hands, which is why making possession of weapons illegal is pointless. But even if you can’t afford a proper tool for self-defense the chances are you can build something that will work in a pinch. If you can’t afford to buy a proper self-defense tool, do as the people of Obo did and build something that will work.

The Obo scouts represent a phenomenon found in many conflict zones. When government or occupying armies fail to provide security, vulnerable communities often organize their own forces. It has happened in northern Iraq’s besieged Christian communities, across Afghanistan and, most famously, in Sunni-dominated north-central Iraq, where volunteer “Sons of Iraq” groups helped turn the tide against Iraqi insurgents.

I like how they call this a phenomenon. I’d call it common sense as nobody likes to be victimized and those who live in conflict zones haven’t spent their entire lives being told that self-defense is impossible and you should rely on the government to protect your life. Of course the article also spews the following statist bullshit:

The downside of these DIY militias is the risk they pose to the long-term stability of their countries. Baghdad and the U.S. military struggled to stand down and reintegrate Sons of Iraq groups after security improved and they became unnecessary. NATO has canceled several Sons of Iraq-style initiatives in Afghanistan after sedition-minded warlords co-opted some of the militia groups.

The Obo scouts could entail a similar long-term liability to Central African Republic’s weak government. “The very act of civilians taking up arms outside of their government’s direct control is a potentially problematic issue without an easy answer,” Finck admitted.

Fuck you, you statist pieces of shit. This is a great example of governments wanting control. If you are able to defend yourself that means the government has that much less control, as you no longer rely entirely on them for your self-defense. Being capable of independence is what tyrannical statists fear most because it takes away their control over the lives of those living under them. On top of this the Central African Republic didn’t do shit to defend these villages, so I don’t see where they have the right to talk about how it’s improper for civilians to defend themselves. It’s not like the government was rushing in to offer help.

iOS 5 Supports S/MIME Encrypted Email

Here is an interesting iOS 5 feature that Apple doesn’t seem to be advertising very much (since most people probably don’t care): the ability to use S/MIME to sign and/or encrypt e-mails sent from your iOS device. This is actually a pretty killer feature for me as I like to sign the e-mails I send (of course I use a self-signed certificate, so my signature shows up as invalid unless I send my public key to recipients).

The Wall Street Journal and Al-Jazeera Offering False Anonymity to Whistle Blowers

Lately people have been holding Al-Jazeera up as some kind of Greek god of journalism. I never subscribed to that idea and find Al-Jazeera to be yet another news source with commercial interests (which I have absolutely nothing against). As a commercial entity Al-Jazeera has to play by certain rules or the state will take away its ability to do business.

When I heard that both the Wall Street Journal and Al-Jazeera were going to offer means for whistle blowers to submit documents anonymously I assumed there was some kind of catch and the Electronic Frontier Foundation (EFF) once again proved my concerns correct:

Despite promising anonymity, security and confidentiality, AJTU can “share personally identifiable information in response to a law enforcement agency’s request, or where we believe it is necessary.” SafeHouse’s terms of service reserve the right “to disclose any information about you to law enforcement authorities” without notice, then goes even further, reserving the right to disclose information to any “requesting third party,” not only to comply with the law but also to “protect the property or rights of Dow Jones or any affiliated companies” or to “safeguard the interests of others.” As one commentator put it bluntly, this is “insanely broad.” Neither SafeHouse nor AJTU bothers telling users how they determine when they’ll disclose information, or who’s in charge of the decision.

So if you submit any information to either of these services they reserve the right to turn your ass in upon request. If you wish to submit anonymous information as a whistle blower you’re better off using WikiLeaks as they have a pretty good track record of keeping their sources anonymous and have no terms or agreements that state they will turn your ass over to anybody upon request. In addition to reserving the right to turn your ass in both sites also lack anonymity:

Despite their public claims to the contrary, both SafeHouse and AJTU disclaim all promises of confidentiality, anonymity, and security.

SafeHouse offers users three upload options: standard, anonymous, and confidential. The “standard” SafeHouse upload “makes no representations regarding confidentiality.” Neither does the “anonymous” upload which, as Appelbaum pointed out, couldn’t technically provide it anyway. For “confidential” submissions, a user must first send the WSJ a confidentiality request. The request itself, unsurprisingly, is neither confidential nor anonymous. And until the individual user works out a specific agreement with the paper, nothing is confidential.

Similarly, AJTU makes clear that “AJTU has no obligation to maintain the confidentiality of any information, in whatever form, contained in any submission.” Worse, AJTU’s website by default plants a trackable cookie on your web browser which allows them “to provide restricted information to third parties.” So much for anonymity!

Yes, neither of these systems allows for anonymity or legal protection against government (and in the case of the Wall Street Journal any third-party) requests for personal information about submitters. If you want to blow the whistle on something make sure you don’t use either the Wall Street Journal’s or Al-Jazeera’s services.

It’s Time to Use Pass Phrases

As computers have become more powerful, shorter passwords have become increasingly useless. This story does a good job of driving home the fact that short passwords are becoming meaningless:

The results are startling. Working against NTLM login passwords, a password of “fjR8n” can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second.

Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU.

And it doesn’t stop there:

It gets worse. Throw in a nine-character, mixed-case random password, and while a CPU would take a mind-numbing 43 years to crack this, the GPU would be done in 48 days.

Surely throwing symbols in there keeps you safe, right? Wrong! Take a password consisting of seven characters, mixed-case/symbols random password like ‘F6&B is’ (note the space), that’s gotta be tough for a bruteforce attack. Right? A CPU will take some 75 days to churn through the possibilities, while a GPU is done with it in 7 hours.

Basically short passwords are worthless and offer little if any security. Of course this isn’t the end of the world as other patches have been added to password-based authentication systems. For instance most systems have a time delay tossed in if you enter the wrong password too many times and other devices like the IronKey self-destruct if the wrong password is entered too many times. The first technique can greatly hinder the rate at which an attacker can access your system unless they’re working directly from a file containing password hashes (as they wouldn’t be hindered by operating system behavior). Most systems also use a value known as a salt which is tossed in with a password to create a hash making it far more difficult to brute force (as you have to try every possible combination of salt values and passwords).

It’s finally come time to begin using more complex passwords. This is difficult for many people as few are going to remember a password like “8*7wFWE12@#$iwkf” or anything similar. This is where the idea of pass phrases comes into play. Instead of using a word you use a sentence. For instance it’s going to be far more difficult to brute force a pass phrase like “This is my pass phrase which should be hard to brute force” than a ten character password. On the other hand pass phrases are potentially susceptible to dictionary attacks if the phrase you use is common so throwing in random characters for good measure is still, well, a good measure.

I will be completely honest in saying that passwords and pass phrases are becoming less and less viable as means of authentication. Some day we will have to move beyond them but as of right now the easiest option is to make more difficult passwords.
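To put numbers on the comparisons above, here is an added example (mine, not from the post or the quoted story) that computes brute-force keyspaces at the CPU and GPU guess rates the story quotes, models the dictionary attack the post warns pass phrases about, and shows what a per-user salt does to stored hashes. The alphabet sizes, the 5000-word vocabulary and the PBKDF2 construction are my assumptions, not anything the story measured.

```python
"""Keyspace, crack-time and salting arithmetic for the post's password figures."""
import hashlib
import hmac
import math
import secrets

# Guess rates quoted in the post for NTLM hashes on one machine.
CPU_RATE = 9.8e6   # guesses per second
GPU_RATE = 3.3e9

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"   # printable ASCII punctuation plus space


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must cover: the union of the character classes
    (lower, upper, digit, symbol) that the password actually uses."""
    return sum(len(cls) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)
               if any(c in cls for c in password))


def brute_force_bits(password: str) -> float:
    """log2 of the candidates to exhaust when the attacker knows only the
    length and the character classes (a plain brute-force attack)."""
    return len(password) * math.log2(alphabet_size(password))


def dictionary_bits(phrase: str, vocabulary: int) -> float:
    """Work for an attacker who guesses a phrase word by word from a list of
    `vocabulary` common words: the dictionary attack the post warns about."""
    return len(phrase.split()) * math.log2(vocabulary)


def seconds_to_exhaust(bits: float, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return 2.0 ** bits / rate


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256, an assumption for this example).
    The salt is stored in the clear next to the digest, so it does not enlarge the
    search for a single target; what it does is make precomputed tables useless and
    force each user's hash to be attacked separately. The iterations slow every guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> tuple:
    """Fresh random salt per user, as a password store should do."""
    salt = secrets.token_bytes(16)
    return salt, hash_password(password, salt)


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt), digest)


if __name__ == "__main__":
    for pw in ("fjR8n", "fh0GH5h", "F6&B is", "8*7wFWE12@#$iwkf"):
        bits = brute_force_bits(pw)
        print(f"{pw!r:20} {bits:6.1f} bits  CPU {seconds_to_exhaust(bits, CPU_RATE):14.0f} s"
              f"  GPU {seconds_to_exhaust(bits, GPU_RATE):12.0f} s")
    phrase = "This is my pass phrase which should be hard to brute force"
    print(f"phrase: {brute_force_bits(phrase):.0f} bits brute force, "
          f"{dictionary_bits(phrase, 5000):.0f} bits as 12 words from a 5000-word list")
    short = "correct horse battery staple"
    print(f"4 common words: {dictionary_bits(short, 5000):.0f} bits, "
          f"10 random alphanumerics: {brute_force_bits('aB3dE5fG7h'):.0f} bits")
    salt_a, digest_a = make_record("hunter2")
    salt_b, digest_b = make_record("hunter2")
    print("same password, different salts, different digests:", digest_a != digest_b)
```

The seven-character figures come out close to the story's (about 18 minutes on the GPU for fh0GH5h, about 82 days on the CPU for F6&B is), and the four-word phrase from a small vocabulary loses to a ten-character random password, which is the post's caveat in numbers.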

iOS 5 May Warn About Unsecured Calls

Some chatter has been going around the iOS community about a possible feature in iOS 5 that would warn users of unsecured calls. The encryption used by GSM was cracked and a great presentation and demonstration (which I had the privilege of attending) were given about the crack at Defcon last year. The presentation is available on YouTube for free and is split up into four segments:

[youtube=http://www.youtube.com/watch?v=rXVHPNhsOzo]

[youtube=http://www.youtube.com/watch?v=Fo1OPoBS5Q8]

[youtube=http://www.youtube.com/watch?v=RXqQioV_bpo]

[youtube=http://www.youtube.com/watch?v=a4-KAvWUiDA]

Obviously this feature won’t be able to detect whether a government agent at the phone company is listening in on your phone call (this is why we need secure point-to-point communication capabilities on all phones), but it would at least let you know if your phone call is being intercepted locally.

iPhone Encryption “Cracked”

One of the features I really like about the iPhone that Android appears to lack is the ability to encrypt the data on the device. Well, news has been floating around that a company has found a means of cracking the iPhone’s encryption, but from everything I’ve read it appears as though they are just brute forcing the password of the backups.

From the feature list it seems the program attempts to brute force the encrypted iPhone backups on your computer using the Graphics Processing Unit (GPU) to speed up the process. What I find funny is one of the listed features is “Decrypt iPhone/IPad/iPod backup (with known password).” Oh look at that, if the application knows the password to decrypt the backup it can… decrypt the backup. No fucking shit. You know how I decrypt encrypted information? By using my password.

Two solutions exist to prevent this application from working on your backups: use a strong pass phrase to encrypt your backup, and encrypt the hard drive of your computer for additional security. I’m not sure if the software is able to brute force the passkey on the phone itself, but as my phone wipes all its data after 10 failed attempts to unlock it I feel as though I don’t have to worry about this particular problem.

Spammers Utilizing Their Own URL Shortening Services

I’ve explained my hatred for URL shortening services in the past and it seems that hatred continues to be justified. I feel that URL shortening services are a security threat as they prevent a user from knowing where a link will actually take them. This is why I have a policy on this website to delete any and all comments that contain a link to a URL shortening service. Well, it appears as though spammers are now using their own shortening services:

Under this scheme, shortened links created on these fake URL-shortening sites are not included directly in spam messages. Instead, the spam emails contain shortened URLs created on legitimate URL-shortening sites.

These shortened URLs lead to a shortened-URL on the spammer’s fake URL-shortening Web site, which in turn redirects to the spammer’s own Web site.

This shouldn’t come as a surprise to anybody. The obvious danger here is a link that appears legitimate (a known URL shortening service link) could redirect you to a spammer controlled shortening service link which could redirect you to a site that attempts to compromise your computer.
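The defensive counterpart to this scheme is to expand a shortened link hop by hop before visiting it, so the extra, unknown shortener in the middle of the chain becomes visible. The following is an added example (mine, not from the post or the quoted report); the `.example` domains and the redirect chain are constructed stand-ins, and the live `http_hop` fetcher is only used when you pass a real URL.

```python
"""Expand a shortened link hop by hop, so a chain like
legitimate shortener -> spammer's own shortener -> spammer's site is visible."""
import urllib.error
import urllib.parse
import urllib.request

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface each 3xx instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_hop(url: str):
    """Live fetcher: one HEAD request, returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    request = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(request, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:   # an unfollowed 3xx arrives here
        return err.code, err.headers.get("Location")


def resolve_chain(url: str, fetch=http_hop, max_hops: int = 10) -> list:
    """Return every URL visited, starting with `url`. Stops at the first
    non-redirect response, at a redirect loop, or after `max_hops` redirects."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        next_url = urllib.parse.urljoin(chain[-1], location)  # Location may be relative
        if next_url in seen:
            break   # redirect loop; do not spin
        seen.add(next_url)
        chain.append(next_url)
    return chain


def hosts_in_chain(chain: list) -> list:
    """Distinct hostnames touched, in order. A second shortener-like host in
    the middle of the chain is the tell described in the quoted report."""
    hosts = []
    for u in chain:
        host = urllib.parse.urlsplit(u).hostname or ""
        if host not in hosts:
            hosts.append(host)
    return hosts


# Constructed, offline stand-in for the scheme (placeholder .example domains,
# not real infrastructure): a real shortener -> a spammer-run shortener
# (two hops, one with a relative Location) -> the spammer's site.
FAKE_HOPS = {
    "http://short.example/abc": (301, "http://fake-shortener.example/x9"),
    "http://fake-shortener.example/x9": (302, "/go/x9"),
    "http://fake-shortener.example/go/x9": (302, "http://spammer.example/offer"),
    "http://spammer.example/offer": (200, None),
}


def fake_fetch(url: str):
    return FAKE_HOPS.get(url, (404, None))


if __name__ == "__main__":
    chain = resolve_chain("http://short.example/abc", fetch=fake_fetch)
    print(" -> ".join(chain))
    print("hosts crossed:", hosts_in_chain(chain))
```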

Before anybody brings this up I do realize that my Twitter feed uses a URL shortening service. I can’t do anything about that and if you don’t like it then subscribe to the RSS feed instead like normal people.