Is Your Child’s Toy a Snitch

The Internet of Things (IoT) should be called the idiotic attempt to connect every mundane device to the Internet whether there’s a good reason or not. I admit that my more honest version is a mouthful but I believe it would remind people about what they’re actually buying and that could avoid fiasco like this:

Since Christmas day of last year and at least until the first week of January, Spiral Toys left customer data of its CloudPets brand on a database that wasn’t behind a firewall or password-protected. The MongoDB was easy to find using Shodan, a search engine makes it easy to find unprotected websites and servers, according to several security researchers who found and inspected the data.

The exposed data included more than 800,000 emails and passwords, which are secured with the strong, and thus supposedly harder to crack, hashing function bcrypt. Unfortunately, however, a large number of these passwords were so weak that it’s possible to crack them, according to Troy Hunt, a security researcher who maintains Have I Been Pwned and has analyzed the CloudPets data.

When you buy something you should ask yourself what the benefits and costs are. People often make the mistake of thinking that the cost is purely the amount you have to pay at the store. But there are always other hidden costs. In the case of these IoT stuffed animals one of the costs is brining a surveillance apparatus into your home. Sure, most people probably aren’t too worried about toy manufacturers having a bug in their home. But another cost is the risk of the remotely accessible surveillance device being accessed by an unauthorized party, which is what happened here.

The sordid history of security failures that plagues the IoT market should be considered whenever you’re buying an IoT product.

Without Government Who Would Protect the People

When I discuss anarchism with statists they always have a litany of excuses to justify why they believe the violence of the State is necessary. Roads are a popular one but another popular excuse are the police. Statists always want to know who will provide protection in a stateless society. One characteristic of statists that always amuses me is their insistence that anarchists solve problems that their precious government haven’t managed to solve. So my usual response to the question of police is asking who provides protection now.

Let’s consider the security market. If the State’s police were doing an adequate job of providing protection one would expect that the security market would be pretty small. But the security market is booming. Homeowners have subscribed to security services such as alarm systems for decades now. Surveillance cameras have been around for decades as well. At first surveillance cameras were used in stores to deter and identify thieves but now the price of decent quality cameras is low enough that one can find them in homes. Other security products that are becoming popular are films that can be applied to windows to make breaking in by smashing through a windows very difficult. Door locks, padlocks, and other forms of access control have existed for ages. It’s not unusual for companies to hire private security guards. Some companies even hire armed security guards.

Even the personal defense market is booming. Self-defense classes are available in even modestly sized townships. The number of carry permits being issued has continued to increase because many people, such as myself, realize that the only effective form of self-defense is what you have on you. In addition to carry permits, handguns designed to be easy to carry have been selling very well because people realize that the State’s police will take minutes, if you’re lucky, to get to you.

The State hasn’t done an effective job of providing security, which is why the market has stepped in. In the absence of government the market will continue serving the exact same function it’s serving today.

Your Browser is a Snitch

The privacy-surveillance arms race will likely be waged eternally. The State wants to spy on people so it can better expropriate their wealth. Private companies want to spy on people so they can collect data to better serve them and better target ads at them. The State wants the private companies to spy on their users because it can get that information via a subpoena. Meanwhile, users are stuck being constantly watched.

Browser fingerprinting is one of the more effective tools in the private companies’ arsenal. Without having to store data on users’ systems, private companies are able to use the data surrendered by browsers to track users with a surprising degree of accuracy. But fingerprinting has been limited to individual browsers. If a user switches browsers their old fingerprint is no longer valid… until now:

The new technique relies on code that instructs browsers to perform a variety of tasks. Those tasks, in turn, draw on operating-system and hardware resources—including graphics cards, multiple CPU cores, audio cards, and installed fonts—that are slightly different for each computer. For instance, the cross-browser fingerprinting carries out 20 carefully selected tasks that use the WebGL standard for rendering 3D graphics in browsers. In all, 36 new features work independently of a specific browser.

New browser features are commonly used for tracking users. In time those features are usually improved in such a way that tracking becomes more difficult. I have no doubts that WebGL will follow this path as well. Until it is improved through, it wouldn’t be dumb to disable it if you’re trying to avoid being tracked.

Tips for Getting Past Customs

Customs in the United States have become nosier every year. It makes one wonder how they can enter the country without surrendering their life by granting access to their digital devices. Wired put together a decent guide for dealing with customs. Of the tips there is one that I highly recommend:

Make a Travel Kit

For the most vulnerable travelers, the best way to keep customs away from your data is simply not to carry it. Instead, like Lackey, set up travel devices that store the minimum of sensitive data. Don’t link those “dirty” devices to your personal accounts, and when you do have to create a linked account—as with iTunes for iOS devices—create fresh ones with unique usernames and passwords. “If they ask for access and you can’t refuse, you want to be able to give them access without losing any sensitive information,” says Lackey.

Social media accounts, admittedly, can’t be so easily ditched. Some security experts recommend creating secondary personas that can be offered up to customs officials while keeping a more sensitive account secret. But if CBP agents do link your identity with an account you tried to hide, the result could be longer detention and, for non-citizens, even denial of entry.

I believe that I first came across this advice on Bruce Schneier’s blog. Instead of traveling with a device that contains all of your information you should consider traveling with a completely clean device and accessing the information you need via a Virtual Private Network (VPN) when you reach your destination. When you’re ready to return home wipe all of the data.

The most effective way to defend against the snoops at the border is to not have any data for them to snoop.

The other tips are good to follow as well but aren’t as effective as simply not having any data in the first place. But I understand that isn’t always feasible. In cases where you’re traveling somewhere that has unreliable Internet connectivity, for example, you will need to bring the data you need with you. If you’re in such a situation I recommend only brining the data you absolutely need.

Social Media for Activists

After eight years of unexplained absence, neoliberals who are critical of the State have returned. I’m not sure where they were hiding but I’m glad to see that they’re safe and sound. But a lot has change in eight years so I’m sure many of them are out of the loop when it comes to online security. For example, what if you’re a federal employee who was told by your employer to shut up and you wanted to criticize them for it but didn’t want to be fired from your parasitic job? This isn’t as easy as opening a Twitter account and blasting criticisms out 140 characters at a time. Your employer has massive surveillance powers that would allow it to discover who you are and fire you for disobedience. Fortunately, The Grugq has you covered.

The information in his post regarding Twitter is applicable to any activist who is utilizing social media and might raise the ire of the State. I think the most important piece of information in that article though is that you shouldn’t immediately jump in with the sharks:

These are a lot of complicated operational rules and guides you’ll have to follow strictly and with discipline. If you “learn on the job” your mistakes will be linked to the account that you’re trying to protect. It would be best that you go through the steps and practice these rules on a non sensitive account. Make sure you’re comfortable with them, that you know how to use the tools, that you understand what you’re supposed to do and why.

Some underground organisations have something they call “the first and last mistake,” which is when you break a security rule and it leads to discovery and exposure. You’re the resistance, you need to make sure you can use the tools of resistance without mistakes – so practice where it is safe, get the newbie mistakes out of the way, and then implement and operate safely where it matters.

If you’re planning to partake in activism you should do a few trail runs of creating and maintaining pseudonymous social media accounts. Maintaining the discipline necessary to avoid detection is no easy feat. It’s best to screw up when it doesn’t matter than to screw up when you could face real world consequences.

You Don’t Have Any Rights

If you read the Bill of Rights; which really is a bill of temporary privileges, all of which appear to have expired; you might get the impression that you have some kind of right against self-incrimination. At least that’s what a plain reading of the Fifth Amendment would lead one to believe. But self-incrimination means whatever the man in the muumuu says it means. In Minnesota one of those muumuu clad men decided that being compelled to provide the cryptographic key that unlocks your phone isn’t protected under the Fifth Amendment:

The Minnesota Court of Appeals ruled Tuesday that a judge’s order requiring a man to provide a fingerprint to unlock his cellphone was constitutional, a finding that is in line with similar rulings across the U.S.

What does this mean for us Minnesotans? It means that the first thing you should do in a police encounter is deauthorize your fingerprint reader. How do you do that? I’m not familiar enough with the various Android devices to know how they handle fingerprint readers. On the iPhone rebooting the phone will deauthorize the fingerprint reader until the password is entered. So iPhone users should hold down their home and lock buttons (or volume down and lock buttons if you’re using an iPhone 7) for a few seconds. That will cause the phone to reboot. If the phone is confiscated the fingerprint reader won’t unlock the phone so even if you’re compelled to press your finger against the sensor it won’t be an act of self-incrimination.

Why do I say deauthorize your fingerprint reader during a police encounter instead of disabled it entirely? Because disabling the fingerprint reader encourages most people to reduce their security by using a simple password or PIN to unlock their phone. And I understand that mentality. Phones are devices that get unlocked numerous times per day. Having to enter a complex password on a crappy touchscreen keyboard dozens of times per day isn’t appealing. Fingerprint readers offer a compromise. You can have a complex password but you only have to enter it after rebooting the phone or after not unlocking the phone for 48 hours. Otherwise you just press your finger to the reader to unlock your phone. So enabling the fingerprint reader is a feasible way to encourage people to use a strong password, which offers far better overall security (PINs can be brute forced with relative ease and Android’s unlock patterns aren’t all that much better).

The Public Private Data Cycle

Just as the Austrian school of economics has a business cycle I have a data cycle. The Public Private Data Cycle (catchier web 3.0 buzzword compliant name coming later) states that all privately held data becomes government data with a subpoena and all government data becomes privately held data with a leak.

The Public Private Data Cycle is important to note whenever somebody discusses keeping data on individuals. For example, many libertarians don’t worry much about the data Facebook collects because Facebook is a private company. The very same people will flip out whenever the government wants to collect more data though. Likewise, many statists don’t worry much about the data the government collects because the government is a public entity. The very same people will flip out whenever Facebook wants to collect more data though. Both of these groups have a major misunderstanding about how data access works.

I’ve presented several cases on this blog illustrating how privately held data became government data with a subpoena. But what about government data becoming privately held data? The State of California recently provided us with such an example:

Our reader Tom emailed me after he had been notified by the state of California that his personal information had been compromised as a result of a California Public Records Act. Based on the limited information that we have at this time, it appears that names, the instructor’s date of birth, the instructor California driver’s license number and/or their California ID card number.

When Tom reached out to the CA DOJ he was informed that the entire list of firearms trainers in California had been released in the public records act request. The state of California is sending letters to those affected with the promise of 12 months or identity protection, but if you are a CA firearms instructor and haven’t seen a letter, might bee a good idea to call the DOJ to see if you were affected.

This wasn’t a case of a malicious hacker gaining access to California’s database. The state accidentally handed out this data in response to a public records request. Now that government held data about firearm instructors is privately held by an unknown party. Sure, the State of California said it ordered the recipient to destroy the data but as we all know once data has be accessed by an unauthorized party there’s no way to control it.

If data exists then the chances of it being accessed by an unauthorized party increases from zero. That’s why everybody should be wary of any attempt by anybody to collect more data on individuals.

It’s Checkpoints All the Way Down

The shooting at the Fort Lauderdale airport last week has the media once again asking the wrong questions. Take this moron for example. His little article is asking whether or not air travelers should still be allowed to have declared firearms in their checked luggage. What would a prohibition against firearms in checked luggage accomplish? It would serve to punish people like myself who often have firearms in their checked luggage but it would do absolutely nothing to enhance security (since, if you want to attack an airport, you can still drive to it with your personal vehicle).

This is the trend amongst the media. Since most reports are clueless about the topics they’re reporting on they ask idiotic questions and make equally idiotic suggestions. I’ve heard a lot of people suggest establishing security checkpoints to get into the airport so you can go through the Transportation Security Administration (TSA) checkpoint. Of course, when somebody shoots up the checkpoint to get into the airport there will be demands for a checkpoint to get near the airport so you can go through the checkpoint to get into the airport so you can go through the TSA checkpoint. If we listened to these yokels it would be checkpoints all the way down.

If you haven’t already, the next time you go through a TSA checkpoint pay attention to how many people are in line with you and how tightly packed together you all are. You’ll probably notice that there are quite a few people packed into a small space. Concentrations of people are a byproduct of security checkpoints and concentrations of people are tempting targets. There’s always going to be a beginning checkpoint where the line of people remain in an insecure area and that line will be vulnerable.

Adding a checkpoint to guard a checkpoint just moves the vulnerability to a different location. What’s needed to guard against threats like the Fort Lauderdale airport shooting is a decentralized force in the insecure area of the airport. Yes, I’m talking about armed personnel. An important part of any security model is an ability to respond to a failure. Insecure areas are always a problem in a security model but even a secure area needs personnel able to respond to a checkpoint failure. So long as the nearest force able to respond to an attack are minutes away an attacker will have a period of free reign. If people really want to harden airports they need to look at both allowing staff members to carry concealed weapons and/or hiring armed private security personnel.

The Walls Have Ears

Voice activated assistances such as the Amazon Echo and Google Home are becoming popular household devices. With a simple voice command these devices can allow you to do anything from turning on your smart lightbulbs to playing music. However, any voice activated device must necessarily be listening at all times and law enforcers know that:

Amazon’s Echo devices and its virtual assistant are meant to help find answers by listening for your voice commands. However, police in Arkansas want to know if one of the gadgets overheard something that can help with a murder case. According to The Information, authorities in Bentonville issued a warrant for Amazon to hand over any audio or records from an Echo belonging to James Andrew Bates. Bates is set to go to trial for first-degree murder for the death of Victor Collins next year.

Amazon declined to give police any of the information that the Echo logged on its servers, but it did hand over Bates’ account details and purchases. Police say they were able to pull data off of the speaker, but it’s unclear what info they were able to access.

While Amazon declined to provide any server side information logged by the Echo there’s no reason a court order couldn’t compel Amazon to provide such information. In addition to that, law enforcers also managed to pull some unknown data locally from the Echo. Those two points raise questions about what kind of information devices like the Echo and Home collect as they’re passively sitting on your counter awaiting your command.

As with much of the Internet of Things, I haven’t purchased one of these voice activated assistances yet and have no plans to buy one anytime in the near future. They’re too big of a privacy risk for my tastes since I don’t even know what kind of information they’re collecting as they sit there listening.