A Geek With Guns

Chronicling the depravities of the State.

Archive for the ‘Technology’ tag

Chip-and-Fail

with one comment

EMV cards, those cards with the chip on the front, were supposed to reduce fraud but credit card fraud is rising. What gives? It turns out that the security provided by Chip-and-PIN doesn’t work when you don’t use it:

The reasons seem to be twofold. One, the US uses chip-and-signature instead of chip-and-PIN, obviating the most critical security benefit of the chip. And two, US merchants still accept magnetic stripe cards, meaning that thieves can steal credentials from a chip card and create a working cloned mag stripe card.

A lot of stores still don’t have credit card readers that can handle cards with a chip so you’re stuck using the entirely insecure magnetic strip. And most credit cards equipped with chips don’t require entering a PIN because Americans are fucking lazy:

The reason banks say they don’t want to issue PINs is that they’re worried it will add too much friction to transactions and make life difficult for their customers. “The credit-card market is pretty brutally competitive, so the first issuer who goes with PINs has to worry about whether the consumers are going to say, ‘Oh, that’s the most inconvenient card in my wallet,’’ says Allen Weinberg, the co-founder of Glenbrook Partners. “There’s this perception that maybe it’s going to be less convenient, even though some merchants would argue that PINs take less time than signatures.”

Since card holders face little in the way of liability for fraudulent transactions, they have little motivation to enter a four to six digit PIN every time they purchase something. If card holders aren’t motivated to enter a PIN, card issuers aren’t likely to require holder to enter a PIN because it might convince them to get a different card. It’s tough to improve security when nobody gives a damn about security.

Eventually the level of fraud will rise to the point where card issuers will take the risk of alienating some holders and mandate the use of a PIN. When that day finally comes, card issuers will discover that Americans are absolutely able to overcome any barrier if doing so allows them to continue buying sneakers with lights in them.

Written by Christopher Burg

November 16th, 2018 at 11:00 am

Bitwarden Completes Security Audit

without comments

In my opinion one of the easiest things an individual can do to improve their overall computer security is use a password manager. I had been using 1Password for years and have nothing but good things to say about it. However, when I decided to move from macOS to Linux, I decide that I needed a different option. 1Password’s support on Linux is only available through 1Password X, which is strictly a browser plugin. Moreover, in order to use 1Password X, you need to pay a subscription (I was using a one-time paid license for 1Password 7 on macOS as well as the one-time paid version for iOS), which I generally prefer to avoid.

Bitwarden bubbled to the top of my list because it’s both open source and can be self-hosted (which is what I ended up doing). While Bitwarden lacks several nice features that 1Password has, using it has been an overall pleasant experience. Besides missing some features that I’ve come to enjoy, another downside to Bitwarden has been the lack of a security audit. Two days ago the Bitwarden team announced that a third-party vendor has completed a code audit and the results were good:

In the interest of providing full disclosure, below you will find the technical report that was compiled from the team at Cure53 along with an internal report containing a summary of each issue, impact analysis, and the actions taken/planned by Bitwarden regarding the identified issues and vulnerabilities. Some issues are informational and no action is currently planned or necessary. We are happy to report that no major issues were identified during this audit and that all issues that had an immediate impact have already been resolved in recent Bitwarden application updates.

The full report can be read here [PDF].

With this announcement I’m of the opinion that Bitwarden should be given serious consideration if you’re looking for a password manager. It’s an especially good option if you want to go the self-hosted route and/or want support for Linux, macOS, and Windows.

Written by Christopher Burg

November 14th, 2018 at 10:00 am

Posted in Technology

Tagged with ,

Jim Crow Never Went Away

without comments

If you ever need an illustration of just how stupid the average voter is, find a voter who is complaining about racist government policies and ask them how they plan to change it. 99 percent (a conservative estimate, it’s probably higher) of the time the voter will tell you that they’re planning to beg the government to change its policies. If you point out how stupid that idea is, they’ll point to the elimination of slavery and the striking down of Jim Crow laws as proof that their strategy works, which should prove to you that the person you’re conversing with is extremely gullible (on the upside you probably just found a buyer for that bridge that you’re trying to offload).

While the government has said that it eliminated slavery and Jim Crow laws, it really just changed some legal definitions. If you’re being held against your will and forced to provide labor, you’re not legally considered a slave, you’re legally considered a prison laborer. Likewise, there are no longer laws that overtly treat people differently based on the color of their skin, instead there are algorithms that do the same thing but provide plausible deniability:

But what’s taking the place of cash bail may prove even worse in the long run. In California, a presumption of detention will effectively replace eligibility for immediate release when the new law takes effect in October 2019. And increasingly, computer algorithms are helping to determine who should be caged and who should be set “free.” Freedom — even when it’s granted, it turns out — isn’t really free.

Under new policies in California, New Jersey, New York and beyond, “risk assessment” algorithms recommend to judges whether a person who’s been arrested should be released. These advanced mathematical models — or “weapons of math destruction” as data scientist Cathy O’Neil calls them — appear colorblind on the surface but they are based on factors that are not only highly correlated with race and class, but are also significantly influenced by pervasive bias in the criminal justice system.

As O’Neil explains, “It’s tempting to believe that computers will be neutral and objective, but algorithms are nothing more than opinions embedded in mathematics.”

For the record, when people were celebrating California’s decision to eliminate cash bail, I predicted that it would result in this outcome (although I didn’t predict the use of algorithms, I did predict that since the decision to let somebody out on bail would be the sole decision of some bureaucrats, nothing would actually change).

Plausible deniability is the staple of modern politics. A politician who wants to pass a racist policy just needs to make sure that race is never mentioned in their law and when the policy results in the politician’s desired outcome, they can claim that they had no way to predict such a result. Additional plausible deniability can be added by handing decisions over to algorithms. Most people think of algorithms as mysterious wizardry performed by the high priests of science and are therefore impartial and infallible (because, you know, scientists are always impartial and never wrong).

However, algorithms do exactly what they’re created to do. If you want a machine learning algorithm to perform in a certain way, you either write it to do exactly what you want or you provide it learning data that will skew it towards the results you want. When the masses wise up and realize that the algorithm is racially biases, you can just claim that the complexity of the algorithm prevented anybody from accurately predicting what it would do. Their ignorance will make your explanation believable to them and you can claim that you’ve now made improvements that should (i.e. won’t) lead to more impartial results.

Written by Christopher Burg

November 13th, 2018 at 11:00 am

Lockdown

without comments

I’ve always treated mobile devices differently than desktops and laptops. Part of this is because mobile devices tend to be restrictive. Most mobile devices are closed platforms that don’t allow you to load a different operation system. And while you can load custom firmware on a few mobile devices, it often requires some hackery. It appears as though I jumped ship at the proper time though because Apple is bringing the restrictive nature of iOS to its desktops and laptops:

Apple’s MacBook Pro laptops have become increasingly unfriendly with Linux in recent years while their Mac Mini computers have generally continued working out okay with most Linux distributions due to not having to worry about multiple GPUs, keyboards/touchpads, and other Apple hardware that often proves problematic with the Linux kernel. But now with the latest Mac Mini systems employing Apple’s T2 security chip, they took are likely to crush any Linux dreams.

[…]

Update 2: It looks like even if disabling the Secure Boot functionality, the T2 chip is reportedly still blocking operating systems aside from macOS and Windows 10.

I know a lot of people have expressed the feeling that buying an Apple computer and installing Linux on it is rather foolish. After all, you can buy a computer for far less that is fully supported by Linux (Linux support on Apple computers has always been a bit hit or miss). I mostly agree with that attitude. However, there comes a time in every Mac’s life where Apple drops support for it in macOS. While it’s possible to coax macOS onto a lot of unsupported Macs, there are also quite a few older Macs where installing a modern version of macOS is impossible. In such cases Linux offers an option to continue using the hardware with an operating system that has current security updates.

I prefer to repurpose old computers rather than throw them away. Having the option to install Linux on older Macs has always been a desirable option to me. For me losing that ability severely limits the functional lifetime of a Mac. Moreover, I worry that the limitations put into place by the T2 chip will make installing future versions of macOS on these machines impossible when they fall out of support.

Secure Boot functionality is a good security measure. However, Secure Boot on a vast majority of PCs can be disabled (in fact Microsoft requires that Secure Boot can be disabled for logo-certificate). Even if you don’t disable it, many Linux distributions have signed bootloaders that work with Secure Boot (unfortunately, even these signed bootloaders don’t work on Apple computers with a T2 chip). So it is possible to provide boot-time security while supporting third-party operating systems. Apple is simply choosing not to do so.

Written by Christopher Burg

November 7th, 2018 at 10:30 am

Posted in Technology

Tagged with ,

Meet the Modern Military

with one comment

The United States military has a problem. OK, it has a lot of problems, but the problem I’m specifically referring to is the trend as of late of acquiring unfinished or flawed technology. From a $1 trillion jet that doesn’t seem capable of doing anything well to stealthy destroyers with flawed engines to fancy new aircraft carriers with nonfunctional munition elevators:

The $13 billion Gerald R. Ford aircraft carrier, the U.S. Navy’s costliest warship, was delivered last year without elevators needed to lift bombs from below deck magazines for loading on fighter jets.

Previously undisclosed problems with the 11 elevators for the ship built by Huntington Ingalls Industries Inc. add to long-standing reliability and technical problems with two other core systems — the electromagnetic system to launch planes and the arresting gear to catch them when they land.

The Advanced Weapons Elevators, which are moved by magnets rather than cables, were supposed to be installed by the vessel’s original delivery date in May 2017. Instead, final installation was delayed by problems including four instances of unsafe “uncommanded movements” since 2015, according to the Navy.

I guess when the deck is used to launch $1 trillion jets that don’t function reliably, getting munitions to the desk isn’t terribly important.

The modern United States military is addicted to high-tech bells and whistles. While those bells and whistles look great on paper, they are often plagued with problems in real world testing and on the battlefield.

At the rate things are going the United States’ military will win the war for its enemies.

Written by Christopher Burg

November 7th, 2018 at 10:00 am

Your Vote Matters

without comments

After the last election the Democrats were throwing a fit over supposed Russian interference with the presidential election (funny how politicians here get bent out of shape when somebody interferes with their elections). Implied in the accusation is that an extremely sophisticated enemy such as a state actor is necessary to interfere with a United States election. However, the security of many election machines and election-related sites is so bad that an 11-year-old can break into them:

An 11-year-old boy on Friday was able to hack into a replica of the Florida state election website and change voting results found there in under 10 minutes during the world’s largest yearly hacking convention, DEFCON 26, organizers of the event said.

Thousands of adult hackers attend the convention annually, while this year a group of children attempted to hack 13 imitation websites linked to voting in presidential battleground states.

The boy, who was identified by DEFCON officials as Emmett Brewer, accessed a replica of the Florida secretary of state’s website. He was one of about 50 children between the ages of 8 and 16 who were taking part in the so-called “DEFCON Voting Machine Hacking Village,” a portion of which allowed kids the chance to manipulate party names, candidate names and vote count totals.

Florida’s website isn’t an isolated incident. The entire infrastructure supporting elections here in the United States is a mess:

Even though most states have moved away from voting equipment that does not produce a paper trail, when experts talk about “voting systems,” that phrase encompasses the entire process of voting: how citizens register, how they find their polling places, how they check in, how they cast their ballots and, ultimately, how they find out who won.

Much of that process is digital.

“This is the problem we always have in computer security — basically nobody has ever built a secure computer. That’s the reality,” Schneier said. “I want to build a robust system that is secure despite the fact that computers have vulnerabilities, rather than pretend that they don’t because no one has found them yet. And people will find them — whether it’s nation-states or teenagers on a weekend.”

And before you think that you’re state is smart for not using voting machines, you should be aware that computers are involved in various steps of any modern voting process. Minnesota, for example, uses paper ballots but they’re fed into an electronic machine. Results from local ballot counts are transmitted electronically. Those results are then eventually transmitted electronically to media sources and from there to the masses.

If you go to cast your ballot today, know that there is no reason to believe that it will matter. There are far too many pieces of the voting infrastructure that are vulnerable to the machinations of 11-year-olds.

Written by Christopher Burg

November 6th, 2018 at 11:00 am

Making Surveillance Easy

without comments

We’re only a few days away from yet another “most important election in our lifetime.” Since the Republicans are in power, the Democrats and their sympathizers are pissed and when they’re pissed it’s not uncommon for them to protest (Remember the last time they were out of power? They actually protested the wars that the party in power started! Those were the days!). Nobody likes it when people protest again them so the party in power wants to keep tabs on the people who might take action against them. Fortunately for them, most protesters make this easy:

The United States government is accelerating efforts to monitor social media to preempt major anti-government protests in the US, according to scientific research, official government documents, and patent filings reviewed by Motherboard. The social media posts of American citizens who don’t like President Donald Trump are the focus of the latest US military-funded research. The research, funded by the US Army and co-authored by a researcher based at the West Point Military Academy, is part of a wider effort by the Trump administration to consolidate the US military’s role and influence on domestic intelligence.

The vast scale of this effort is reflected in a number of government social media surveillance patents granted this year, which relate to a spy program that the Trump administration outsourced to a private company last year. Experts interviewed by Motherboard say that the Pentagon’s new technology research may have played a role in amendments this April to the Joint Chiefs of Staff homeland defense doctrine, which widen the Pentagon’s role in providing intelligence for domestic “emergencies,” including an “insurrection.”

A couple of years ago a few friends and I had the opportunity to advise some protesters on avoiding government surveillance. They were using Facebook to organize and plan their protests. We had to explain to them that using Facebook for that purpose meant that every local law enforcement agency was likely receiving real-time updates on their plans. We made several recommendations, most of which involved moving planning from social media to more secure forms of communications (Signal, RetroShare, etc.). In the end they thanked us for our advice, decided that using anything but Facebook was too difficult (which made me suspect that there were undercover law enforcers amongst them), and kept handing law enforcement real-time information.

The moral of the story is that government agencies pour resources into social media surveillance because it works because most protesters are more concerned about convenience than operational security.

Security for Me, Not for Thee

without comments

Google has announced several security changes. However, it’s evident that those changes are for its security, not the security of its users:

According to Google’s Jonathan Skelker, the first of these protections that Google has rolled out today comes into effect even before users start typing their username and password.

In the coming future, Skelker says that Google won’t allow users to sign into accounts if they disabled JavaScript in their browser.

The reason is that Google uses JavaScript to run risk assessment checks on the users accessing the login page, and if JavaScript is disabled, this allows crooks to pass through those checks undetected.

Conveniently JavaScript is also used to run a great deal of Google’s tracking software.

Disabling JavaScript is a great way to improve your browser’s security. Most browser-based malware and a lot of surveillance capabilities rely on JavaScript. With that said, disabling JavaScript entirely also makes much of the web unusable because web developers love to use JavaScript for everything, even loading text. But many sites will provide at least a hobbled experience if you choose to disable JavaScript.

Mind you, I understand why Google would want to improve its security and why it would require JavaScript if it believed that doing so would improve its overall security. But it’s important to note what is meant by improving security here and what potential consequences it has for users.

Written by Christopher Burg

November 2nd, 2018 at 10:30 am

Posted in Technology

Tagged with ,

Deafening the Bug

with 2 comments

I know a lot of people who put a piece of tape over their computer’s webcam. While this is a sane countermeasure, I’m honestly less worried about my webcam than the microphone built into my laptop. Most laptops, unfortunately, lack a hardware disconnect for the microphone and placing a piece of tap over the microphone input often isn’t enough to prevent it from picking up sound in whatever room it’s located. Fortunately, Apple has been stepping up its security game and now offers a solution to the microphone problem:

Little was known about the chip until today. According to its newest published security guide, the chip comes with a hardware microphone disconnect feature that physically cuts the device’s microphone from the rest of the hardware whenever the lid is closed.

“This disconnect is implemented in hardware alone, and therefore prevents any software, even with root or kernel privileges in macOS, and even the software on the T2 chip, from engaging the microphone when the lid is closed,” said the support guide.

The camera isn’t disconnected, however, because its “field of view is completely obstructed with the lid closed.”

While I have misgivings with Apple’s recent design and business decisions, I still give the company credit for pushing hardware security forward.

Implementing a hardware cutoff for the microphone doesn’t require something like Apple’s T2 chip. Any vendor could put a hardware disconnect switch on their computer that would accomplish the same thing. Almost none of them do though, even if they include hardware cutoffs for other peripherals (my ThinkPad, for example, has a build in cover for the webcam, which is quite nice). I hope Apple’s example encourages more vendors to implement some kind of microphone cutoff switch because being able to listen to conversations generally allows gathering more incriminating evidence that merely being able to look at whatever is in front of a laptop.

Written by Christopher Burg

November 1st, 2018 at 11:00 am

What Part of Free Didn’t You Understand?

with 2 comments

Did you know that a majority of apps targeted at children contain ads:

(Reuters Health) – Those cute little apps your child plays with are most likely flooded with ads – some of which are totally age-inappropriate, researchers have found.

A stunning 95 percent of commonly downloaded apps that are marketed to or played by children age five and under contain at least one type of advertising, according to a new report in the Journal of Developmental & Behavioral Pediatrics. And that goes for the apps labeled as educational, too, researchers say.

That’s just terrible… oh:

The researchers scrutinized 135 of the most downloaded free and paid apps in the “age five and under” category in the Google Play app store. Among them were free apps with 5 to 10 million downloads and paid apps with 50,000 to 100,000 downloads.

Emphasis mine.

To once again quote The Moon is a Harsh Mistress, there ain’t no such thing as a free lunch (TANSTAAFL). If you can download an app without paying upfront, the developer is making money in some other way. Advertisements are the quick and easy go to. In app purchases are the more sophisticated method although more difficult to execute because you need to incentivize users to buy your in app purchases. When your target audience is children, in app purchases are even more difficult because parental controls often prevent children from making purchases directly.

Instead of performing a study with an obvious result such as determining how many free apps display ads (almost all of them), a better study would be to learn why people are so foolish as to believe that they can get something for free.

Written by Christopher Burg

November 1st, 2018 at 10:30 am