NSA Told to Sod Off

After the National Security Agency (NSA) was caught cryptographic algorithms to enhance its surveillance abilities, trust for the agency fell to an all time low. This distrust lead the International Standards Organization (ISO) to reject two encryption algorithms recently submitted by the NSA:

SAN FRANCISCO (Reuters) – An international group of cryptography experts has forced the U.S. National Security Agency to back down over two data encryption techniques it wanted set as global industry standards, reflecting deep mistrust among close U.S. allies.

In interviews and emails seen by Reuters, academic and industry experts from countries including Germany, Japan and Israel worried that the U.S. electronic spy agency was pushing the new techniques not because they were good encryption tools, but because it knew how to break them.

The NSA has now agreed to drop all but the most powerful versions of the techniques – those least likely to be vulnerable to hacks – to address the concerns.

The dispute, which has played out in a series of closed-door meetings around the world over the past three years and has not been previously reported, turns on whether the International Organization of Standards should approve two NSA data encryption techniques, known as Simon and Speck.

This is an appropriate response. The NSA has a track record of manipulating standards organizations in order to make its surveillance apparatus more effective. In security trust is everything. Since the NSA has proven itself to be untrustworthy, it only makes sense to reject any proposals from the agency.

The EFF Resigns from the W3C

The World Wide Web Consortium (W3C) officially published its recommendation for a digital rights management (DRM) scheme. By doing so it put an end to its era of promoting an open web. After fighting the W3C on this matter and even proposing a very good compromise, which was rebuffed, the Electronic Frontier Foundation (EFF) has resigned from the W3C:

We believe they will regret that choice. Today, the W3C bequeaths an legally unauditable attack-surface to browsers used by billions of people. They give media companies the power to sue or intimidate away those who might re-purpose video for people with disabilities. They side against the archivists who are scrambling to preserve the public record of our era. The W3C process has been abused by companies that made their fortunes by upsetting the established order, and now, thanks to EME, they’ll be able to ensure no one ever subjects them to the same innovative pressures.

[…]

Effective today, EFF is resigning from the W3C.

Since the W3C no longer serves its intended purpose I hope to see many other principled members resign from the organization as well.

While content creators are interested in restricting the distribution of their products, the proposal put forth by the W3C will return us to the dark days of ActiveX. Since the proposal is really an application programming interface (API), not a complete solution, content creators can require users to install any DRM scheme. These DRM schemes will be native code. If you remember the security horrors of arbitrary native code being required by websites using Active X, you have an idea of what users are in for with this new DRM scheme. At this point I hope that the W3C burns to the ground and a better organization rises from its ashes.

iOS 11 Makes It More Difficult for Police to Access Your Device

One reason I prefer iOS over Android is because Apple has invested more heavily in security than Google has. Part of this comes from the fact Apple controls both the hardware and software so it can implement hardware security features such as its Secure Enclave chip whereas the hardware security features available on an Android device are largely dependent on the manufacturer. However, even the best security models have holes in them.

Some of those holes are due to improperly implemented features while others are due to legalities. For example, here in the United States law enforcers have a lot of leeway in what they can do. One thing that has become more popular, especially at the border, are devices that copy data from smartphones. This has been relatively easy to do on Apple devices if the user unlocks the screen because trusting a knew connection has only required the tapping of a button. That will change in iOS 11:

For the mobile forensic specialist, one of the most compelling changes in iOS 11 is the new way to establish trust relationship between the iOS device and the computer. In previous versions of the system (which includes iOS 8.x through iOS 10.x), establishing trusted relationship only required confirming the “Trust this computer?” prompt on the device screen. Notably, one still had to unlock the device in order to access the prompt; however, fingerprint unlock would work perfectly for this purpose. iOS 11 modifies this behaviour by requiring an additional second step after the initial “Trust this computer?” prompt has been confirmed. During the second step, the device will ask to enter the passcode in order to complete pairing. This in turn requires forensic experts to know the passcode; Touch ID alone can no longer be used to unlock the device and perform logical acquisition.

Moreover, Apple has also included a way for users to quickly disable the fingerprint sensor:

In iOS 11, Apple has added an new emergency feature designed to give users an intuitive way to call emergency by simply pressing the Power button five times in rapid succession. As it turns out, this SOS mode not only allows quickly calling an emergency number, but also disables Touch ID.

These two features appear to be aimed at keeping law enforcers accountable. Under the legal framework of the United States, a police officer can compel you to provide your fingerprint to unlock your device but compelling you to provide a password is still murky territory. Some courts have ruled that law enforcers can compel you to provide your password while others have not. This murky legal territory offers far better protection than the universal ruling that you can be compelled to provide your fingerprint.

Even if you are unable to disable the fingerprint sensor on your phone, law enforcers will still be unable to copy the data on your phone without your password.

New Levels of Incompetence

Equifax, one of the largest consumer credit report agencies, recently suffered a major database breech. Of course, you wouldn’t know it if the media wasn’t giving it heavy coverage because Equifax seems to want to keep things hush hush and I understand why. After reading this it would appear that Equifax implemented worse security than most college students in an introductory web development class:

It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”

[…]

Each employee record included a company username in plain text, and a corresponding password that was obfuscated by a series of dots.

However, all one needed to do in order to view said password was to right-click on the employee’s profile page and select “view source,” a function that displays the raw HTML code which makes up the Web site. Buried in that HTML code was the employee’s password in plain text.

This is an impressive level of incompetence and I mean that sincerely. Most amateur websites have better security than this. The fact that a company as large as Equifax could implement worse security practices than even the most amateur of amateur web developers is no small feat. Unfortunately, its piss poor security practices has put a lot of people’s sensitive information in the hands of unknown parties.

The FCC’s Free File Hosting Service

Who says government agencies can’t innovate? The Fascist Communications Club Federal Communications Commission (FCC) has an online commenting systems that allows individuals to give their input on proposed rule changes. In addition to being a commenting system, the system also served as a file hosting service:

The application programming interface for the FCC’s Electronic Comment Filing System that enables public comment on proposed rule changes—such as the dropping of net neutrality regulations currently being pushed by FCC Chairman Ajit Pai—has been the source of some controversy already. It exposed the e-mail addresses of public commenters on network neutrality—intentionally, according to the FCC, to ensure the process’ openness—and was the target of what the FCC claimed was a distributed denial of service (DDoS) attack. But as a security researcher has found, the API could be used to push just about any document to the FCC’s website, where it would be instantly published without screening. That was demonstrated by a PDF published with Microsoft Word that was uploaded to the site, now publicly accessible.

I guess the FCC decided that since you’re already paying taxes to find it, it didn’t need to charge you for file hosting services.

The level of incompetency displayed by the government never ceases to amaze me. Commenting systems aren’t exactly rocket science, they have been available on websites for ages now. Most of those commenting systems managed to implement basic protections against uploading arbitrary files. Why didn’t the FCC just go with one of those services or at least hire a developer with some basic understanding of how to develop a commenting system that isn’t vulnerable to such a trivial exploit?

From what I’ve read, it doesn’t appear that the FCC has fixed this hole yet. While uploading arbitrary files to the FCC’s commenting service might cause you to run afoul with the Computer Fraud and Abuse Act, you still have access to a government provided free file hosting service.

Pieces of Paper Are Just Pieces of Paper

There appears to have been an honest to goodness axe murder in the Twin Cities:

Gallagher’s wife told police that she had been lying on the couch in the living room when she heard a noise at the front door and saw Hoogenakker breaking into the house. She ran to call 911 and saw Hoogenakker pull her husband into the living room and onto the floor, where he hit Gallagher, swinging the tool with both arms, before pulling him outside.

A man who is a renter in the Gallagher home said he heard a fight downstairs that then spilled outside. The renter told police he saw the attacker walking away from the house. Police used a dog to track the man to a house a few blocks away, in the 300 block of Ninth Avenue.

Hoogenakker came outside and was arrested by police, who found the ax-like tool in a closet. ” Hoogenakker” was etched into the handle. Hoogenakker also admitted that he attacked Gallagher, who had an active harassment restraining order in effect against the suspect.

There are two important points to take away from this story. First, a restraining order is not a self-defense tool, it’s a legal tool. While a restraining order grants certain legal benefits that can make them a valuable tool in the courtroom, it is entirely incapable of actually protecting anybody.

Second, the police are more often than not cleanup and retribution, not protectors. When you call 911 a police officer doesn’t immediately teleport to your location. You have to wait for an officer to get from wherever they are to wherever you are, which generally takes minutes. When you’re being attacked by somebody, you usually don’t have minutes. Oftentimes, as in this case, when the police do arrive the attack has already concluded so their job is to find the perpetrator so vengeance can be had. While vengeance may have a certain appeal, it’s not as appealing as still being alive.

When you’re being attacked you’re usually on your own. That being the case, it would be wise to invest in some self-defense training as well as tools to better enable you to defend yourself.

The Best Option for You

A lot of electrons have been annoyed by people writing scathing diatribes because the various governmental bodies responsible for Houston, Texas didn’t issue an evacuation order. I think that this article did a good job of pointing out just how much of a clusterfuck planning and responding to disasters on this scale are.

There was obviously disagreement between the various governmental bodies responsible for Houston. Some bodies wanted to perform an evacuation, other bodies didn’t. As with most things in our modern age, the disagreement was taken to the Internet. Governor Greg Abbott advised people in the lower areas of Houston to get the fuck out. Meanwhile, the local and country government officials were telling residents to shelter in place. Who was right? With the 20/20 vision offered by hindsight, a lot of people are saying that evacuating would have been the correct choice. But they are missing a critical piece of information. When Hurricane Rita was making a beeline for Houston in 2005, the order to evacuate was given. More than 100 people died in that evacuation. As of this writing, five people are known to have died in the aftermath of Harvey. If we judge results by death toll, the decision to not evacuate Houston is still significantly ahead of the decision to evacuate the city in 2005.

Realistically, evacuating a city the size (in both geographic area and number of people) of Houston isn’t feasible. There are too many people and too few exits to get everybody out at the same time. Neither the roadways or public transit systems are designed to handle everybody using them simultaneously. If you’re in an area that is about to be nailed by a natural disaster and an evacuation order is given, it’s already too late to get out.

Instead of arguing about whether or not Houston should have been evacuated, you might want to consider, if you haven’t already, developing your own disaster survival plan and begin implementing it. Having a plan head of time makes surviving much easier. Furthermore, you shouldn’t rely on the orders issued by government bodies to decide whether or not you’re going to evacuate an area. They’re (assuming their intentions are good, which may not be the case but I’ll give the benefit of the doubt here) going to look at the big picture. Their concern is going to be what’s the best option for the largest number of people. You should be concerned about you and yours. An evacuation may not be the best option for the largest number of people, but it might very well be the best option for you.

The State Doesn’t Provide Protection

The Supreme Court has ruled that law enforcers have no obligation to protect you even though you have an obligation to pay them. Being paid for services that haven’t been rendered leads to some unfortunate situations. For example, law enforcers refused to provide protection to a Jewish synagogue during the Charlottesville fiasco so they had to hire professionals:

The Jewish community in Charlottesville hired armed security to protect its synagogue for the first time after local police declined to provide a guard for the site despite hundreds of white supremacists congregating on the town over the weekend for a rally that resulted in the murder of counter-protester Heather Heyer.

Unlike law enforcers, private security providers are motivated to provide protection because if they don’t then they don’t get paid.

This situation is a counterargument to the people who claim that the State is necessary to provide protection. These statists usually argue that in a society without a government poor people would be preyed upon because they wouldn’t be able to hire protective services. However, that situation doesn’t differ from the situation we currently live under. Even though there is a government people still have to hire private security if they want security because the State has exempted its own security providers from having to actually provide it.

The Death of a Scoundrel

I was extremely happy when all of the major browsers started dropping supported for the Netscape Plugin Application Programming Interface (NPAPI). NPAIP, for those who don’t know, is the plugin architecture that allows things like Java applets and Flash to run in your browser. With support for NPAPI going away Java applets have been effectively killed off and Flash has been relegated to a very restricted plugin included with the browser. Due to this wonderful change Oracle announced that support for Java applets was going away and now Adobe is joining Oracle and announcing that Flash will be killed in 2020:

Given this progress, and in collaboration with several of our technology partners – including Apple, Facebook, Google, Microsoft and Mozilla – Adobe is planning to end-of-life Flash. Specifically, we will stop updating and distributing the Flash Player at the end of 2020 and encourage content creators to migrate any existing Flash content to these new open formats.

I want to give Apple its due credit here. When Apple announced that Flash wouldn’t be supported on Mobile Safari most people were up in arms. Flash, at the time, was still frequently used by web developers. However, the lack of Flash didn’t hurt the popularity of the iPhone or iPad. The devices actually sold so well that web developers were forced to replace their Flash applications with HTML5 applications. In the end Apple played a major part in killing a major security nightmare.

Although Adobe has promised to improve Flash’s security and, to its credit, has improved its security to a point, the Flash Player still continues to be a security nightmare. Microsoft, Mozilla, and Google applied a bandage to the problem by including a sandboxed version of Flash with their browsers (In Microsoft’s case, with the Edge browser. Internet Explorer still relies on the NPAPI as far as I know). But the bandage was meant to be temporary and now Adobe has given us an execution date. While I wish the execution date was closer I’m just happy to know that there is an execution date now.

Survival Tips for Minnesotas for the Next Two Weeks

For the next two weeks the road pirates are going to be increasing their fund raising efforts enforcement of the arbitrarily set speed limits:

On Wednesday, Zak, a lieutenant with the State Patrol, joined with officials from the Minnesota Department of Public Safety to put on the demonstration to show how long it takes to stop while traveling at various speeds and how drivers’ reaction time goes down the faster they go. It comes as law enforcement from 300 agencies statewide begin a two-week speeding enforcement campaign from Friday through July 23.

[…]

The state’s crackdown on speeding coincides with a national effort and is paid for using funds allocated by the National Highway Traffic Safety Administration.

While officers will be on the lookout for lead-footed drivers statewide, target teams will be stationed along routes known to see fast drivers, including I-494 in Bloomington, near the Minneapolis-St. Paul International Airport and on I-94 in the construction zone from Minneapolis to Brooklyn Center.

Since the threat of violence against motorists is going to increase I feel the need to point out some survival tips.

  1. Don’t be black. Studies have shown that road pirates tend to respond more violently to black individuals.
  2. Use Waze to both report any road pirates and to receive warnings about any reported road pirates.
  3. Turn on your smartphone’s camera, preferably to livestream the stop, and lock the screen. You want to have a record of the entire stop in case you’re murdered but you don’t want the phone unlocked because the officer might decided to rummage through it for evidence of more crimes. While such a search may be illegal the Supreme Court has ruled that illegally collected evidence is admissible in court.
  4. If you are a permit holder remember that Minnesota law only requires you to disclose if you’re carrying a firearm to an officer if they specifically asks. Don’t volunteer such information. If you do the police officer may panic and fire multiple rounds into you at point blank range. If this happens the officer will be acquitted of any wrongdoing.
  5. During a traffic stop make sure you have your license and proof of insurance out before the officer gets to your window. Failing to do so will require you to move your hands when the police officer is at your window and that might spook them. Like any wild animal, a spooked police officer is unpredictable.
  6. Have both hands firmly of your steering wheel at all times. By firmly I mean gripping your steering wheel so hard that your knuckles turn white. Only consider moving from this position if the officer gives you a direct order to do so.
  7. Assume the most submissive position possible. Police officers like to feel dominant. If they feel that their authority is being questioned in any way they might “fear for their life” and shoot you dead.

While this list could be extended I’m going to keep it brief in the hopes that you’ll be able to remember every point if you’re pulled over. If you follow these tips your chances of surviving a police encounter should increase. If for some reason, say due to your genetic makeup, you’re unable to follow one or more of these tips, well…