A Geek With Guns

Chronicling the depravities of the State.

Archive for the ‘Technology’ tag

One Reason for Social Media Sites to Avoid Censorship

without comments

Facebook, Google, Twitter, and other popular websites are being pressured to censor “undesirable” content (what qualifies as undesirable content differs from person to person). Proponents of censorship believe that some content (which seems to always been content that disagrees with their worldview) is far too dangerous to allow to be posted. Most of the large social media sites have responded to this pressure by implementing some kind of (usually half-assed) censorship system. What has been the result? The proponents bitch that the censorship isn’t severe enough:

Last week, Facebook invited some media outlets to an event to hear what the company plans on doing about misinformation disseminated on its platform.

But many journalists, including CNN’s Oliver Darcy, were left dissatisfied with Facebook’s response.

Facebook invited me to an event today where the company aimed to tout its commitment to fighting fake news and misinformation.

I asked them why InfoWars is still allowed on the platform.

I didn’t get a good answer.https://t.co/WwLgqa6vQ4

— Oliver Darcy (@oliverdarcy) July 12, 2018

In my opinion it’s hypocritical that an individual who works for a media organization that publishes a significant amount of false information bitching that another media organization that publishes a significant amount of false information isn’t being censored but opinions are like assholes, which is also why censorship is a difficult problem to tackle. Why is InfoWars (and for that matter, CNN) not being censored by Facebook? Because the opinion of Facebook’s CEO differs from that of Darcy:

Zuckerberg went on to explain that Facebook would examine sites that were flagged as “potential hoaxes”—in other words, limiting their spread across the site.

“Look, as abhorrent as some of this content can be, I do think that it gets down to this principle of giving people a voice,” he continued.

Zuckerberg has placed himself in a difficult place because he has implemented a censorship system on Facebook, which means he now has to fight in the quagmire that is public opinion on whether or not he’s censoring hard enough. The worst part is that there’s no winning that fight. One of the best arguments against a social media platform implementing a censorship program is that doing so opens them up to having to deal with everybody bitching that they’re not censorship the correct material or not censoring hard enough.

Written by Christopher Burg

July 19th, 2018 at 10:30 am

Posted in News You Need to Know

Tagged with

Another Bang Up Job

with 2 comments

Legacy cellular protocols contained numerous gaping security holes, which is why attention was paid to security when Long-Term Evolution (LTE) was being designed. Unfortunately, one can pay attention to something and still ignore it or fuck it up:

The attacks work because of weaknesses built into the LTE standard itself. The most crucial weakness is a form of encryption that doesn’t protect the integrity of the data. The lack of data authentication makes it possible for an attacker to surreptitiously manipulate the IP addresses within an encrypted packet. Dubbed aLTEr, the researchers’ attack causes mobile devices to use a malicious domain name system server that, in turn, redirects the user to a malicious server masquerading as Hotmail. The other two weaknesses involve the way LTE maps users across a cellular network and leaks sensitive information about the data passing between base stations and end users.

Encrypting data is only one part of the puzzle. Once data is encrypted the integrity of the data must be protected as well. This is because encrypted data looks like gibberish until it is decrypted. The only way to know whether the encrypted data you’ve received hasn’t been tampered with is if some kind of cryptographic integrity verification has been implemented and used.

How can you protect yourself form this kind of attack? Using a Virtual Private Network (VPN) tunnel is probably your best bet. The OpenVPN protocol is used by numerous VPN providers that provide clients for both iOS and Android (as well as other major operating systems such as Windows, Linux, and macOS). OpenVPN, unlike LTE, verifies the integrity of encrypted data and rejects any data that appears to have been tampered with. While using a VPN tunnel may not prevent a malicious attacker from redirecting your LTE traffic, it will ensure that the attacker can’t see your data as a malicious VPN tunnel will fail to provide data that passes your client’s integrity checker and thus your client will cease receiving or transmitting data.

Written by Christopher Burg

July 3rd, 2018 at 11:00 am

Welcome to Postliterate America

with 3 comments

In my opinion the United States shows all the signs of a society beginning a descent into postliteracy. One of the biggest signs is the rapidly declining lack of interest in recreational reading:

The share of Americans who read for pleasure on a given day has fallen by more than 30 percent since 2004, according to the latest American Time Use Survey from the Bureau of Labor Statistics.

In 2004, roughly 28 percent of Americans age 15 and older read for pleasure on a given day. Last year, the figure was about 19 percent.

That steep drop means that aggregate reading time among Americans has fallen, from an average of 23 minutes per person per day in 2004 to 17 minutes per person per day in 2017.

I can’t say that I’m surprised by these results. The idea behind a postliterate society is that multimedia technology has advanced to the point where the ability to read and write is unnecessary. In our age of cheap data storage, data transmission, and devices capable of rendering high-definition sound and video, many of which fit in a pocket, we are less reliant on written information than we once were. Moreover, voice dictation is advancing rapidly. When I first tried voice dictation on a computer I wrote it off as useless because at the time it was. Today my phone’s voice dictation is actually pretty decent. What’s probably more amazing than the improvement of voice dictation software is the fact that it’s not nearly as important as it once was because I can just send the audio clip itself to somebody.

Will literacy go the way of shorthand and cursive? It very well could. The technology is already at a point where literacy isn’t as important as it once was. In a few more years it will probably advance to the point where literacy is almost an entirely unnecessary skill. Once that happens it may take only one or two generations until literacy is a skill held exclusive by a handful of individuals who have an interest in archaic knowledge.

Written by Christopher Burg

July 3rd, 2018 at 10:30 am

Posted in Technology

Tagged with

George Orwell Wasn’t Cynical Enough

without comments

George Orwell’s Nineteen Eighty-Four either served as a dire warning or as a blueprint depending on what side of the state you occupy. The Party, the ruling body of Oceania, established a pervasive surveillance state. Helicopters flew around peeking into people’s windows, every home had a two way television that couldn’t be turned off and allowed government agents to snoop on you, children were encourage from a young age to rat out their parents if they did anything seditious, etc. However, as cynical as George Orwell’s vision of the future may have been, it wasn’t cynical enough:

In April, California investigators arrested Joseph James DeAngelo for some of the crimes committed by the elusive Golden State Killer (GSK), a man who is believed to have raped over 50 women and murdered at least 12 people between 1978 and 1986. Investigators tracked him down through an open-source ancestry site called GEDMatch, uploading the GSK’s DNA profile and matching it to relatives whose DNA profiles were also hosted on the website. Now, using those same techniques, a handful of other arrests have been made for unsolved cases, some going as far back as 1981.

The New York Times reports that GEDMatch has been used to track down suspects involved in a 1986 murder of a 12-year-old girl, a 1992 rape and murder of a 25-year-old schoolteacher, a 1981 murder of a Texas realtor and a double murder that took place in 1987. It was even used to identify a man who died by suicide in 2001 but had remained unnamed until now. Many of these suspects were found by CeCe Moore, a genetic genealogist working with forensic consulting firm Parabon, who has previously helped adoptees find their biological relatives. “There are so many parallels,” she told the New York Times about the process of finding a suspect versus a relative.

Genetic databases are a boon for law enforcers. While most people are worried about the commercial databases like Ancestry.com and 23andMe, there is an open source genetics database called GEDMatch that, unlike the commercial products, doesn’t even require a warrant to access. What makes genetic databases even more frightening from a privacy standpoint is that you don’t have to submit your genetics. If a family member submits their genetics, that’s enough for law enforcers to identify you.

Since law enforcers are using this database to go after murderers, rapists, and other heinous individuals, it’s likely that many people will see this strategy as a positive thing. But government agencies have a tendency to expand their activities. While they’ll start using a new technology to identify legitimately terrible people, they quickly begin using the technology to go after people who broke the law but didn’t actually hurt anybody. The scary part about law enforcers using tools like GEDMatch is that they will eventually use it to go after everybody.

Another Processor Vulnerability

without comments

Hardware has received far less scrutiny in the past than software when it comes to security. That has changed in recent times and, not surprisingly, the previous lack of scrutiny has resulted in a lot of major vulnerabilities being discovered. The latest vulnerability relates to a feature found in Intel processors referred to as Hyperthreading:

Last week, developers on OpenBSD—the open source operating system that prioritizes security—disabled hyperthreading on Intel processors. Project leader Theo de Raadt said that a research paper due to be presented at Black Hat in August prompted the change, but he would not elaborate further.

The situation has since become a little clearer. The Register reported on Friday that researchers at Vrije Universiteit Amsterdam in the Netherlands have found a new side-channel vulnerability on hyperthreaded processors that’s been dubbed TLBleed. The vulnerability means that processes that share a physical core—but which are using different logical cores—can inadvertently leak information to each other.

In a proof of concept, researchers ran a program calculating cryptographic signatures using the Curve 25519 EdDSA algorithm implemented in libgcrypt on one logical core and their attack program on the other logical core. The attack program could determine the 256-bit encryption key used to calculate the signature with a combination of two milliseconds of observation, followed by 17 seconds of machine-learning-driven guessing and a final fraction of a second of brute-force guessing.

Like the last slew of processor vulnerabilities, the software workaround for this vulnerability involves a performance hit. Unfortunately, the long term fix to these vulnerabilities involves redesigning hardware, which could destroy an assumptions on which modern software development relies: hardware will continue to become faster.

This assumption has been at risk for a while because chip designers are running into transistor size limitations, which could finally do away with Moore’s Law. But designing secure hardware may also require surrendering a bit on the performance front. It’s possible that the next generation of processors won’t have the same raw performance as the current generation of processors. What would this mean? Probably not much for most users. However, it could impact software developers to some extent. Many software development practices are based on the assumption that the next generation of hardware will be faster and it is therefore unnecessary to focus on writing performant code. If the next generation of processors have the same performance as the current generation or, even worse, less performance, an investment in performant code could pay dividends.

Obviously this is pure speculation on my behalf but it’s an interesting scenario to consider.

Written by Christopher Burg

June 27th, 2018 at 11:00 am

Avoid E-Mail for Security Communications

with one comment

The Pretty Good Privacy (PGP) protocol was created to provide a means to securely communicate via e-mail. Unfortunately, it was a bandage applied to a protocol that has only increased significantly in complexity since PGP was released. The ad-hoc nature of PGP combined with the increasing complexity of e-mail itself has lead to rather unfortunate implementation failures that have left PGP users vulnerable. A newly released attack enables attackers to spoof PGP signatures:

Digital signatures are used to prove the source of an encrypted message, data backup, or software update. Typically, the source must use a private encryption key to cause an application to show that a message or file is signed. But a series of vulnerabilities dubbed SigSpoof makes it possible in certain cases for attackers to fake signatures with nothing more than someone’s public key or key ID, both of which are often published online. The spoofed email shown at the top of this post can’t be detected as malicious without doing forensic analysis that’s beyond the ability of many users.

[…]

The spoofing works by hiding metadata in an encrypted email or other message in a way that causes applications to treat it as if it were the result of a signature-verification operation. Applications such as Enigmail and GPGTools then cause email clients such as Thunderbird or Apple Mail to falsely show that an email was cryptographically signed by someone chosen by the attacker. All that’s required to spoof a signature is to have a public key or key ID.

The good news is that many PGP plugins have been updated to patch this vulnerability. The bad news is that this is the second major vulnerability found in PGP in the span of about a month. It’s likely that other major vulnerabilities will be discovered in the near future since the protocol appears to be receiving a lot of attention.

PGP is suffering from the same fate as most attempts to bolt security onto insecure protocols. This is why I urge people to utilize secure communication technology that was designed from the start to be secure and has been audited. While there are no guarantees in life, protocols that were designed from the ground up with security in mind tend to fair better than protocols that were bolted on after the fact. Of course designs can be garbage, which is where an audit comes in. The reason you want to rely on a secure communication tool only after it has been audited is because an audit by an independent third-party can verify that the tool is well designed and provides effective security. And audit isn’t a magic bullet, unfortunately those don’t exist, but it allows you to be reasonably sure that the tool you’re using isn’t complete garbage.

Written by Christopher Burg

June 15th, 2018 at 10:00 am

When Your Smart Lock Isn’t Smart

without comments

My biggest gripe with so-called smart products is that they tend to not be very smart. For example, the idea of a padlock that can be unlocked with your phone isn’t a bad idea in of itself. It would certainly be convenient since most people carry a smartphone these days. However, if it’s designed by people who paid no attention to security, the lock quickly because convenient for unauthorized parties as well:

Yes. The only thing we need to unlock the lock is to know the BLE MAC address. The BLE MAC address that is broadcast by the lock.

I was so astounded by how bad the security was that I ordered another and emailed Tapplock to check the lock and app were genuine.

I scripted the attack up to scan for Tapplocks and unlock them. You can just walk up to any Tapplock and unlock it in under 2s. It requires no skill or knowledge to do this.

I wish that this was one of those findings that is so rare that it’s newsworthy. Unfortunately, a total lack of interest in security seems to be a defining characteristic for developers of “smart” products. While this lack of awareness isn’t unexpected for a company developing, say, a smart thermostat (after all, I wouldn’t expect somebody who is knowledgeable about thermostats to necessarily be an expert in security as well), it’s an entirely different matter when the product being developed is itself a security product.

The problem with this attack is how trivial it is to perform. The author of the article notes that they’re porting the script they developed to unlock these “smart” locks to Android. Once the attack is available for smartphones, anybody can potentially unlock any of these locks with a literal tap of a button. This makes them even easier to bypass than those cheap Masterlock padlocks that are notorious for being insecure.

Written by Christopher Burg

June 14th, 2018 at 11:00 am

The End of Enforceable Prohibitions

with one comment

I’m fond of pointing out to prohibitionists that the era of enforceable prohibitions is over:

In the very near future, governments will lose the ability to keep guns, drones, and other forbidden goods out of the hands of their subjects. They’ll also be rendered impotent to enforce trade and technology embargoes. Power is shifting from the state to individuals and small groups courtesy of additive manufacturing—aka 3D printing—technology.

Additive manufacturing is poised to revolutionize whole industries—destroying some jobs while creating new opportunities. That’s according to a recent report from the prestigious RAND Corporation, and there’s plenty of evidence to support the dynamic and “disruptive” view of the future that the report promises.

Throughout history power has ebbed and flowed. At times centralized authorities are able to wield their significant power to oppress the masses. At other times events weaken those centralized authorities and the average person once again finds themselves holding a great deal of power.

Technological advancements are quickly weakening the power of the centralized nation-states. Encryption technology is making their surveillance apparatus less effective. Cryptocurrencies are making it difficult for nation-states to monitor and block transactions. Manufacturing technology is allowing individuals to make increasingly complex objects from the comfort of their own homes. The Internet has made freely trading information so easy that censorship is quickly becoming impossible.

We live in exciting times.

Written by Christopher Burg

June 12th, 2018 at 11:00 am

You Must Guard Your Own Privacy

without comments

People often make the mistake of believing that they can control the privacy for content they post online. It’s easy to see why they fall into this trap. Facebook and YouTube both offer privacy controls. Facebook along with Twitter also provide private messaging. However, online privacy settings are only as good as the provider makes them:

Facebook disclosed a new privacy blunder on Thursday in a statement that said the site accidentally made the posts of 14 million users public even when they designated the posts to be shared with only a limited number of contacts.

The mixup was the result of a bug that automatically suggested posts be set to public, meaning the posts could be viewed by anyone, including people not logged on to Facebook. As a result, from May 18 to May 27, as many as 14 million users who intended posts to be available only to select individuals were, in fact, accessible to anyone on the Internet.

Oops.

Slip ups like this are more common than most people probably realize. Writing software is hard. Writing complex software used by billions of people is really hard. Then after the software is written, it must be administered. Administering complex software used by billions of people is also extremely difficult. Programmers and administrators are bound to make mistakes. When they do, the “confidential” content you posted online can quickly become publicly accessible.

Privacy is like anything else, if you want the job done well, you need to do it yourself. The reason services like Facebook can accidentally make your “private” content public is because they have complete access to your content. If you want to have some semblance of control over your privacy, your content must only be accessible to you. If you want that content to be available to others, you must post it in such a way where only you and them can access it.

This is the problem that public key cryptography attempts to solve. With public key cryptography each person has a private and public key. Anything encrypted with the public key can only be decrypted with the private key. Needless to say, as the names implies, you can post your public key to the Internet but must guard the security of your private key. When you want to make material available to somebody else, you encrypt it with their public key so hey can decrypted it with their private key. Likewise, when they want to make content available to you they must encrypt it with your public key so you can decrypt it with your private key. This setup gives you the best ability to enforce privacy controls because, assuming no party’s private key has been compromised, only specifically authorized parties have access to content. Granted, there are still a lot of ways for this setup to fall apart but a simple bad configuration isn’t going to suddenly make millions of people’s content publicly accessible.

Written by Christopher Burg

June 8th, 2018 at 10:30 am

The Government Is Us

without comments

Worshipers of democracy continue to tell me that the government is us. I’m not sure why they try to drag me into being part of the government but they’re very adamant. Anyways, when somebody tries to claim that the government is us I like to point to stories like this one:

A young hacker reeling from the Philando Castile case and the acquittal of the officer who killed him broke into several state databases last year and boasted about his exploits.

“An innocent man is dead, while a guilty man is free,” the hacker, known as “Vigilance” tweeted in part last year.

Here’s the thing, if Vigilance is the government (because, after all, he’s part of “us”), he would have every right to access any government computer he so desired. It is, according to worshipers of democracy, his computer after all. But the fact that he’s been arrested for accessing those computers indicates that he isn’t the government, especially in the eyes of the government.

You aren’t he government. If you disagree with me, try strolling into a National Security Agency (NSA) building. You’ll be provided a free education regarding your misunderstanding.

Written by Christopher Burg

June 7th, 2018 at 10:00 am