A Geek With Guns

Chronicling the depravities of the State.

Archive for the ‘Technology’ tag

Insurance. You Keep Using That Word, I Do Not Think It Means What You Think It Means

without comments

Some health insurance companies have started pilot programs where customers can receive a discount for wearing a fitness tracker and sharing the data with the company. This seems like a pretty straight forward idea. But according to Bloomberg it’s a sinister ploy:

Think about what that means for insurance. It’s meant to be a mechanism to pool risk — that is, to equalize the cost of protecting against unforeseen health problems. But once the big data departments of insurance companies have enough information — including about online purchases and habits — they can build a minute profile about each and every person’s current and future health. They can then steer “healthy” people to cheaper plans, while leaving people who have higher-risk profiles — often due to circumstances beyond their control — to pay increasingly unaffordable rates.

Whenever health insurance companies up I’m forced to explain what insurance is. I shouldn’t have to do this but nobody seems to know what it means.

Insurance is a way for multiple people to pool their resources for risk mitigation. Take home owner’s insurance for example. When you buy a home owner’s policy you’re donating some money to a common pool. Any paying customer can withdraw from the pool if they experience a situation, such as a house fire, that is covered by the insurance policy. Those with higher risks are more likely to withdraw from the pool so they pay a higher premium. Those with lower risks pay less.

Automobile insurance is the same way. Higher risk drivers; such as young males, people who have been found guilty of driving while intoxicated, people who have been found guilty of reckless driving, etc.; pay a higher premium because they’re more likely to withdraw from the community pool.

Most people accept that higher risk people should pay a higher premium for home owner’s or automobile insurance. But when they’re talking about health insurance they suddenly have a change of heart and think that higher risk people should pay the same as lower risk people. That makes no sense. Health insurance, like any other form of insurance, is pooled risk mitigation. If you live an unhealthy lifestyle you’re more likely to withdraw from the pool so you pay a higher premium. Oftentimes these risks are outside of your control, which sucks. However, if the pool empties, that is to say there are more withdrawals than deposits over a long enough period of time to completely drain the accounts, everybody loses their coverage. That being the case, higher risk people have to pay more to ensure the pool remains solvent even if the risks are outside of their control.

It’s not a sinister scheme, it’s exactly how insurance works.

Written by Christopher Burg

February 24th, 2017 at 10:30 am

Not All Anonymity is Created Equal

without comments

Whenever I discuss secure communications I try to hammer home the difference between confidentiality and anonymity. Most popular secure communication services such as Signal and WhatsApp provide the former but not the latter. This means unauthorized users cannot read the communications but they can find out which parties are communicating.

Another thing I try to hammer home is that not all forms of anonymity are equal. Several services are claiming to offer anonymous communications. These services don’t claim to offer confidentiality, the posts are public, but they do claim to conceal your identity. However, they tend to use a loose definition of anonymity:

On Sunday, a North Carolina man named Garrett Grimsley made a public post on Whisper that sounded an awful lot like a threat. “Salam, some of you are alright,” the message read, “don’t go to [Raleigh suburb] Cary tomorrow.”

When one user asked for more information, Grimsley (who is white) responded with more Islamic terms. “For too long the the kuffar have spit in our faces and trampled our rights,” he wrote. “This cannot continue. I cannot speak of anything. Say your dua, sleep, and watch the news tomorrow.”

Within 24 hours, Grimsley was in jail. Tipped off by the user who responded, police ordered Whisper to hand over all IP addresses linked to the account. When the company complied, the IP address led them to Time Warner, Grimsley’s ISP, which then provided Grimsley’s address.

There’s a great deal of difference between anonymity as it pertains to other users and anonymity as it pertains to service providers. Whisper’s definition of anonymity is that users of the service can’t identify other users. Whisper itself can identify users. This is different than a Tor hidden service where the user can’t identify the service provider and the service provider can’t identify the user.

When you’re looking at communication services make sure you understand what is actually being offered before relying on it.

Written by Christopher Burg

February 23rd, 2017 at 10:00 am

Posted in Technology

Tagged with ,

What Do You Own

with 4 comments

When you purchase a computer do you own it? What about your cell phone? Or your automobile? At one time the answer to these questions was an absolute yes. Today, not so much:

Cars, refrigerators, televisions, Barbie dolls. When people buy these everyday objects, they rarely give much thought to whether or not they own them. We pay for them, so we think of them as our property. And historically, with the exception of the occasional lease or rental, we owned our personal possessions. They were ours to use as we saw fit. They were free to be shared, resold, modified, or repaired. That expectation is a deeply held one. When manufacturers tried to leverage the DMCA to control how we used our printers and garage door openers, a big reason courts pushed back was that the effort was so unexpected, so out of step with our understanding of our relationship to the things we buy.

But in the decade or so that followed those first bumbling attempts, we’ve witnessed a subtler and more effective strategy for convincing people to cede control over everyday purchases. It relies less—or at least less obviously—on DRM and the threat of DMCA liability, and more on the appeal of new product features, and in particular those found in the smart devices that make up the so-called Internet of Things (IoT).

I’ve annoyed many electrons criticizing the concept of intellectual property. The idea that somebody has a government granted monopoly on something simply because they were the first to receive a patent is absurd in my opinion. But we live with much more absurd ideas today. Due to the way software copyright and patent laws work, if a company loads software onto a device they can effectively prevent anybody from owning it. At most a buyer can acquire a limited use license for those devices.

Combining software copyright and patent laws with the Internet of Things (IoT) just amplifies this. Now there are a bunch of devices on the market that rely on continuous Internet access to the manufacturers’ servers. If the manufacture decides to drop support for the product it stops working. This wouldn’t be as big of an issue if laws such as the Digital Millennium Copyright Act (DMCA) didn’t make it illegal for you to hack the device and load your own software onto it that allowed it to continue working.

Right now we’re dealing with relatively cheap IoT devices. If your $99 Internet connected thermostat stops working it sucks but it’s not something that is so expensive that it can’t be replaced. But what happens when IoT comes to, say, automobiles? What happens when critical functions on an automobile cease to work because the manufacturer decides to drop support for one of the Internet connected components. Suddenly you’re not talking about throwing away a $99 device but a machine that cost you tens of thousands of dollars. Although this scenario might sound absurd to some I guarantee that it will happen at some point if software copyright and patent laws continue to be enforced as they have been.

The Future is Awesome

without comments

People don’t appreciate how awesome the future we live in today really is. Compare the life you live with the life lived by some of history’s wealthiest people:

If you were a 1916 American billionaire you could, of course, afford prime real-estate. You could afford a home on 5th Avenue or one overlooking the Pacific Ocean or one on your own tropical island somewhere (or all three). But when you traveled from your Manhattan digs to your west-coast palace, it would take a few days, and if you made that trip during the summer months, you’d likely not have air-conditioning in your private railroad car.

And while you might have air-conditioning in your New York home, many of the friends’ homes that you visit — as well as restaurants and business offices that you frequent — were not air-conditioned. In the winter, many were also poorly heated by today’s standards.

To travel to Europe took you several days. To get to foreign lands beyond Europe took you even longer.

Might you want to deliver a package or letter overnight from New York City to someone in Los Angeles? Sorry. Impossible.
You could neither listen to radio (the first commercial radio broadcast occurred in 1920) nor watch television. You could, however, afford the state-of-the-art phonograph of the era. (It wasn’t stereo, though. And — I feel certain — even today’s vinylphiles would prefer listening to music played off of a modern compact disc to listening to music played off of a 1916 phonograph record.) Obviously, you could not download music.”

While I spend a lot of time complaining about horrors statism has wrought upon us, we do live better today than anybody did in any point of history thanks to the wonders of the market. And since technology is cumulative the rate of advancement is even more rapid, which means our lives are improving faster than the lives of people in the past. For example, in my fairly short lifetime home Internet access went from nonexistent to dial-up to fiber directly into the home. The computing power available in my phone wasn’t available to the consumer market for any price when I was young. Even simple toys, such as Nerf guns, improve a lot since my childhood. Kids today have electrically powered fully automatic Nerf guns, something young me could only dream of. Although various diseases such as cancer are still a scourge our chances of surviving it have increased significantly.

While there’s a lot of terrible things going on in this world don’t forget that our present is an overall great time to be alive.

Written by Christopher Burg

February 22nd, 2017 at 10:00 am

Your Browser is a Snitch

with one comment

The privacy-surveillance arms race will likely be waged eternally. The State wants to spy on people so it can better expropriate their wealth. Private companies want to spy on people so they can collect data to better serve them and better target ads at them. The State wants the private companies to spy on their users because it can get that information via a subpoena. Meanwhile, users are stuck being constantly watched.

Browser fingerprinting is one of the more effective tools in the private companies’ arsenal. Without having to store data on users’ systems, private companies are able to use the data surrendered by browsers to track users with a surprising degree of accuracy. But fingerprinting has been limited to individual browsers. If a user switches browsers their old fingerprint is no longer valid… until now:

The new technique relies on code that instructs browsers to perform a variety of tasks. Those tasks, in turn, draw on operating-system and hardware resources—including graphics cards, multiple CPU cores, audio cards, and installed fonts—that are slightly different for each computer. For instance, the cross-browser fingerprinting carries out 20 carefully selected tasks that use the WebGL standard for rendering 3D graphics in browsers. In all, 36 new features work independently of a specific browser.

New browser features are commonly used for tracking users. In time those features are usually improved in such a way that tracking becomes more difficult. I have no doubts that WebGL will follow this path as well. Until it is improved through, it wouldn’t be dumb to disable it if you’re trying to avoid being tracked.

Written by Christopher Burg

February 15th, 2017 at 10:30 am

Tips for Getting Past Customs

with 3 comments

Customs in the United States have become nosier every year. It makes one wonder how they can enter the country without surrendering their life by granting access to their digital devices. Wired put together a decent guide for dealing with customs. Of the tips there is one that I highly recommend:

Make a Travel Kit

For the most vulnerable travelers, the best way to keep customs away from your data is simply not to carry it. Instead, like Lackey, set up travel devices that store the minimum of sensitive data. Don’t link those “dirty” devices to your personal accounts, and when you do have to create a linked account—as with iTunes for iOS devices—create fresh ones with unique usernames and passwords. “If they ask for access and you can’t refuse, you want to be able to give them access without losing any sensitive information,” says Lackey.

Social media accounts, admittedly, can’t be so easily ditched. Some security experts recommend creating secondary personas that can be offered up to customs officials while keeping a more sensitive account secret. But if CBP agents do link your identity with an account you tried to hide, the result could be longer detention and, for non-citizens, even denial of entry.

I believe that I first came across this advice on Bruce Schneier’s blog. Instead of traveling with a device that contains all of your information you should consider traveling with a completely clean device and accessing the information you need via a Virtual Private Network (VPN) when you reach your destination. When you’re ready to return home wipe all of the data.

The most effective way to defend against the snoops at the border is to not have any data for them to snoop.

The other tips are good to follow as well but aren’t as effective as simply not having any data in the first place. But I understand that isn’t always feasible. In cases where you’re traveling somewhere that has unreliable Internet connectivity, for example, you will need to bring the data you need with you. If you’re in such a situation I recommend only brining the data you absolutely need.

Written by Christopher Burg

February 15th, 2017 at 10:00 am

CryptoPartyMN Meeting Tonight

without comments

I don’t have a lot of material for you today since I was busy prepping for tonight’s CryptoPartyMN meeting.

Tonight we’ll be discussing how cryptography can be used to defend against phishing scams. Everybody is welcome. We’re meeting at Rudolphs Bar-B-Que at 6:30 pm.

Written by Christopher Burg

February 7th, 2017 at 10:00 am

Posted in Events

Tagged with , ,

The New York Civil Liberties Union Hates Cops

without comments

Our brave boys and girls in blue are out there everyday putting their lives on the line! They are they only thing that stands between us and anarchy! Knowing this, how can we stand idly by while organizations like the New York Civil Liberties Union spew their hatred of our glorious officers by demanding they abide by the Fourth Amendment:

The New York Civil Liberties Union is pushing a new state bill that would require law enforcement to obtain a warrant prior to deploying a cell-site simulator, or stingray. The bill also includes other new restrictions.

[…]

The bill, which was first reported by ZDNET, doesn’t mention stingrays specifically. However, it specifically forbids law enforcement from accessing “electronic device information by means of physical interaction or electronic communication with the device” unless they have a warrant. There are a few narrow exceptions, such as exigent circumstances.

Requiring a warrant before a search can be performed or a wiretap put into place? What is this world coming to?

I’m sure there are cop apologists out there who believe this restriction is a terrible affront to law enforcers. But cell-site simulators are both searches and wiretaps wrapped up into one convenient package. Historically warrants have been required before law enforcers could perform a search or install a wiretap. For some reason that requirement was seen as unnecessary when the searches and wiretaps could be done wirelessly. I’m not sure what the logic there was other than it was slightly different therefore the rules must not apply.

Written by Christopher Burg

January 26th, 2017 at 10:00 am

Snitches Get Dents

without comments

Is your vehicle a snitch? If you have a modern vehicle, especially one with Internet connectivity, the answer is almost certainly yes:

One of the more recent examples can be found in a 2014 warrant that allowed New York police to trace a vehicle by demanding the satellite radio and telematics provider SiriusXM provide location information. The warrant, originally filed in 2014 but only recently unsealed (and published below in full), asked SiriusXM “to activate and monitor as a tracking device the SIRIUS XM Satellite Radio installed on the Target Vehicle for a period of 10 days.” The target was a Toyota 4-Runner wrapped up in an alleged illegal gambling enterprise.

[…]

So it was that in December 2009 police asked GM to cough up OnStar data from a Chevrolet Tahoe rented by a suspected crack cocaine dealer Riley Dantzler. The cops who were after Dantzler had no idea what the car looked like or where it was, but with OnStar tracking they could follow him from Houston, Texas, to Ouchita Parish, Louisiana. OnStar’s tracking was accurate too, a court document revealing it was able to “identify that vehicle among the many that were on Interstate 20 that evening.” They stopped Dantzler and found cocaine, ecstasy and a gun inside.

[…]

In at least two cases, individuals unwittingly had their conversations listened in on by law enforcement. In 2001, OnStar competitor ATX Technologies (which later became part of Agero) was ordered to provide “roving interceptions” of a Mercedes Benz S430V. It initially complied with the order in November of that year to spy on audible communications for 30 days, but when the FBI asked for an extension in December, ATX declined, claiming it was overly burdensome. (The filing on the FBI’s attempt to find ATX in contempt of court is also published below).

As a quick aside, it should also be noted that the cell phone you carry around contains the hardware necessary to perform these same forms of surveillance. So don’t start bragging about the old vehicle you drive if you’re carrying around a cell phone.

There are two major problems here. The first problem is technological and the second is statism. There’s nothing wrong with adding more technological capabilities to a vehicle. However, much like the Internet of Things, automobile manufacturers have a terrible track record when it comes to computer security. For example, having a builtin communication system like OnStar isn’t bad in of itself but when it can be remotely activated a lot of security questions come into play.

The second problem is statism. Monitoring technologies that can be remotely activated are dangerous in general but become even more dangerous in the hands of the State. As this story demonstrated, the combination of remotely activated microphones and statism leads to men with guns kidnapping people (or possibly worse).

Everything in this story is just the tip of the iceberg though. As more technology is integrated into automobiles the State will also integrate itself more. I have no doubt that at some point a law will be passed that will require all automobiles to have a remotely activated kill switch. It’ll likely be proposed shortly after a high speed chase that ends in an officer getting killed and will be sold to the public as necessary for protecting the lives of our heroes in blue. As self-driving cars become more popular there will likely be a law passed that requires self-driving cars to have a remotely accessible autopilot mode so police can command a car to pull over for a stop or drive to the courthouse if somebody is missing their court date.

Everything that could be amazing will end up being shit because the State will decided to meddle. The State is why we can’t have nice things.

The Public Private Data Cycle

without comments

Just as the Austrian school of economics has a business cycle I have a data cycle. The Public Private Data Cycle (catchier web 3.0 buzzword compliant name coming later) states that all privately held data becomes government data with a subpoena and all government data becomes privately held data with a leak.

The Public Private Data Cycle is important to note whenever somebody discusses keeping data on individuals. For example, many libertarians don’t worry much about the data Facebook collects because Facebook is a private company. The very same people will flip out whenever the government wants to collect more data though. Likewise, many statists don’t worry much about the data the government collects because the government is a public entity. The very same people will flip out whenever Facebook wants to collect more data though. Both of these groups have a major misunderstanding about how data access works.

I’ve presented several cases on this blog illustrating how privately held data became government data with a subpoena. But what about government data becoming privately held data? The State of California recently provided us with such an example:

Our reader Tom emailed me after he had been notified by the state of California that his personal information had been compromised as a result of a California Public Records Act. Based on the limited information that we have at this time, it appears that names, the instructor’s date of birth, the instructor California driver’s license number and/or their California ID card number.

When Tom reached out to the CA DOJ he was informed that the entire list of firearms trainers in California had been released in the public records act request. The state of California is sending letters to those affected with the promise of 12 months or identity protection, but if you are a CA firearms instructor and haven’t seen a letter, might bee a good idea to call the DOJ to see if you were affected.

This wasn’t a case of a malicious hacker gaining access to California’s database. The state accidentally handed out this data in response to a public records request. Now that government held data about firearm instructors is privately held by an unknown party. Sure, the State of California said it ordered the recipient to destroy the data but as we all know once data has be accessed by an unauthorized party there’s no way to control it.

If data exists then the chances of it being accessed by an unauthorized party increases from zero. That’s why everybody should be wary of any attempt by anybody to collect more data on individuals.

Written by Christopher Burg

January 17th, 2017 at 11:00 am