Pointless Judicial Decrees

A bunch of states decided to sue Cody Wilson’s company Defense Distributed after the Justice Department gave up its futile fight against the company. As part of this ongoing lawsuit a federal judge has extended the ban against Defense Distributed distributing its 3D printer designs for firearms:

A federal judge in Seattle issued an injunction today that blocks Defense Distributed from publishing its 3D-printed gun designs online. The move extends a temporary ban issued last month and the injunction will remain in place until a lawsuit brought forth by a number of state attorneys general is resolved. Washington, New York, New Jersey, Pennsylvania, Connecticut, Oregon, Maryland and Washington, DC signed onto the suit last month in an effort to reverse a US Department of State settlement that allowed the 3D gun designs to be published online. Eleven additional states joined the lawsuit earlier this month.

Gun control advocates, who have never been the sharpest tools in the shed, are celebrating this ruling. In their fantasy land where laws have power they view this judge’s ruling as a strike against 3D printed firearms. The problem is that this ruling, just like the previous ruling it extends, is meaningless because you can find the designs all over the Internet.

What gun control advocates and the states that are bringing this lawsuit against Defense Distributed fail to understand is that the gun control debate is over. Once guns became data that could be uploaded to the Internet the ability to control them ceased to exist. It doesn’t matter what the outcome of this lawsuit is, the files released by Defense Distributed will remain available.

How Quickly People Forget

There has always been a cat and mouse game between game developers and pirates. Over the years developers have tried various tricks to prevent people from pirating their games. My earliest experience with piracy prevention was the original MechWarrior. When you first loaded the game it presented you with a prompt that required entering information based on what was prompted. That information was found in the game manual. Of course this method was a pain in the ass if you either lost the manual or bought the game used without the manual because you didn’t realize that you needed it in order to play the game. Therein lies the problem with piracy prevention mechanisms: they always inconvenience paying customers.

Piracy prevention mechanisms continued to evolve after MechWarrior. Not too long ago computer games started including what amounted to literal kill switches. These mechanisms were referred to as Digital Rights Management (DRM). The name was idiotic since rights shouldn’t need to be managed but it sounded friendlier than Developer Kill Switch so the marketing teams went with it. As you might expect, these kill switches didn’t sit well with a lot of gamers. However, time heals all wounds and now many gamers are unaware that their games include a kill switch.

Enter GOG. GOG is my favorite game distributor because, unlike Steam, it provides titles without DRM. And it has decided to make modern gamers aware of the fact that they don’t own many of their games, they merely rent them:

The landscape has changed since 2008, and today many people don’t realize what DRM even means. And still the DRM issue in games remains – you’re never sure when and why you can be blocked from accessing them. And it’s not only games that are affected, but your favourite books, music, movies and apps as well.

To help understand what DRM means, how it influences your games and other digital media, and what benefits come with DRM-free approach, we’re launching the FCK DRM initiative. The goal is to educate people and ignite a discussion about DRM. To learn more visit https://fckdrm.com, and share your opinions and stories about DRM and how it affects you.

This is the kind of marketing I like. GOG is telling gamers why its service is superior by pointing out the very real flaws that exist in many of their competitors’ services. It’s also important for everybody to understand exactly what DRM is, especially since it can render a legitimate copy of a game unplayable. DRM mechanisms usually involve a phone home system where the game contacts a DRM server to get authorization to load. If that server ceases to exist, say if the developer goes out of business or decides that maintaining the server is costlier than an old game warrants, then legitimate copies of the game can no longer be played.

Going the Way of Cable

Cable companies have been feeling pressure from Internet streaming services. Every day more people appear to be waking up to the fact that paying money to watch a bit of interesting content between commercials isn’t a great proposition. The glory days of ad-free subscription streaming services may be coming to an end though. Last week Netflix began experimenting with displaying ads to customers:

Now Netflix users might start to see ads for other shows during those countdown seconds, as the streaming giant has said it is testing out recommendations.

“We are testing whether surfacing recommendations between episodes helps members discover stories they will enjoy faster,” it said in a statement given to the website Cord Cutters.

Following in Netflix’s footsteps is Twitch, which announced that it will soon be stripping paying subscribers of their ad-free experience:

As we have continued to add value to Twitch Prime, we have also re-evaluated some of the existing Twitch Prime benefits. As a result, universal ad-free viewing will no longer be part of Twitch Prime for new members, starting on September 14.

Twitch Prime members with monthly subscriptions will continue to get ad-free viewing until October 15. If you already have an annual subscription, or if you upgrade to an annual subscription before September 14, you will continue with ad-free viewing until your next renewal date.

I’m always amused by how marketing departments try to spin the fact that their customers will be paying the same amount and receiving less. Netflix’s department has the easier task because at the moment the ads are house ads, not for third-party products. But if the company’s subscribers don’t revolt over this those house ads will begin to feature “favored partners” and if subscribers don’t revolt after that, anybody with some money in hand will be able to buy ads.

Twitch Prime’s marketing department had to justify its company’s actions by claiming that its move is good for streamers, err, creators (goddamn I love marketing speak) and then pointing out that all of the other benefits will remain as they were… until they’re eventually stripped or watered down as well.

The only solace to the cablefication of Internet streaming services is that a competitor will likely arise that will provide content without ads to paying customers, at least long enough to steal a bunch of disgruntled Netflix and Twitch customers. Then, of course, the cycle will begin anew.

Getting Close to the Action

Body cameras have proven to be a bust as far as holding law enforcers accountable. However, they have provided law enforcers with a wonderful tool that provides prosecutors additional evidence when they record a regular person doing something illegal and unexplained malfunctions when they would have recorded a law enforcer doing something illegal. With that kind of success it’s no surprise that law enforcers want to get even closer to the action:

MAPLE PLAIN, Minn. (KMSP) – Instead of equipping officers with body cameras, the West Hennepin Public Safety Department is mounting cameras on its officers’ guns.

The department announced the rollout of the new technology Thursday. With no buttons to press, the camera automatically starts recording as soon as the gun leaves the holster.

“And it will not turn off while you and I are talking until it is put back into a holster,” said Gary Kroells of the West Hennepin Public Safety Department.

The camera automatically starts recording when the gun leaves the holster, which means it will conveniently miss everything that led up to the shooting. And the law enforcers can cheer and high-five each other as they watch the close-up take of the back of the handcuffed dude’s skull explode in amazing high-definition! Win-win!

Stupid Shit Politicians Say

The Australian government is once again pushing to make effective cryptography illegal by demanding that companies that utilize cryptography compromise their security model by implementing some kind of government backdoor. If you have any familiarity with cryptography, you know that what the Australian government wants, a backdoor that ensures only law enforcers and authorized individuals can access the encrypted information, is impossible. Once you compromise a cryptographic protocol, anybody who discovers the compromise can bypass the encryption as well.

However, that fact is merely a mathematical law. As the Australian prime minister noted, the laws of mathematics don’t apply in his country:

“Well the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia,” he said.

This realization will put Australia decades if not centuries ahead of other nations. Imagine how quickly Australia’s space program will advance when the politicians prohibit gravity and therefore eliminate the need for expensive rockets to reach space! Imagine how quickly the country’s electronics manufacturing market will advance when the politicians rule the laws of energy illegal and all of their electronics can run indefinitely without needing to be recharged! Now that Australia can simply render natural laws null and void with the stroke of a pen, there’s nothing the country can’t achieve!

Living in the Freest Country on Earth

A lot of people living here in the United States remain adamant that it is the freest country on Earth. Even those who don’t believe that it is the freest country on Earth are skittish about calling it a police state. However, I can’t think of any other term that describes the state of a nation where this kind of nonsense takes place:

Los Angeles will be the first US city to start equipping its subways with body scanners. But the Southern California metropolis isn’t using the bulky, slow-operating models that populate US airports: Instead, LA’s Metropolitan Transit Authority will deploy portable trunk-sized scanners that can survey people from 30 feet away at a rate of 2,000 individuals an hour.

This shouldn’t surprise anybody. When the Transportation Security Administration installed body scanners at airports, there was a short period where people expressed outrage at the idea. After that short period almost everybody rolled over and accepted it. Now that practice is coming to subways in Los Angeles and I predict a similar result. There will be a short period of outrage but everybody will roll over like the good little slaves they are in short order. Then this system will come to trains (including municipal light rail) and buses and eventually you won’t be able to go anywhere without being subjected to a full body scan.

Another Day, Another Exploit Discovered in Intel Processors

The last couple of years have not been kind to processor manufacturers. Ever since the Meltdown and Spectre attacks were discovered, the speculative execution feature that is present on most modern processors has opened the door to a world of new exploits. However, Intel has been hit especially hard. The latest attack, given the fancy name Foreshadow, exploits the speculative execution feature on Intel processors to bypass security features meant to keep sensitive data out of the hands of unauthorized processes:

Foreshadow is a speculative execution attack on Intel processors which allows an attacker to steal sensitive information stored inside personal computers or third party clouds. Foreshadow has two versions, the original attack designed to extract data from SGX enclaves and a Next-Generation version which affects Virtual Machines (VMs), hypervisors (VMM), operating system (OS) kernel memory, and System Management Mode (SMM) memory.

It should be noted that, as the site says, this exploit is not known to work against ARM or AMD processors. However, it would be wise to keep an eye on this site. The researchers are still performing research on other processors and it may turn out that this attack works on processors not made by Intel as well.

As annoying as these hardware attacks are, I’m glad that the security industry is focusing more heavily on hardware. Software exploits can be devastating but if you can’t trust the hardware that the software is running on, no amount of effort to secure the software matters.

The Body Camera Didn’t Record the Summary Execution Because It Was Hacked

The aftermath of DEF CON, when the high profile exploits discussed at the event hit the headlines, is always fun. Most of the headlines have focused on the complete lack of security that exists on electronic voting machines. I haven’t touched on that because it’s an exercise in beating a dead horse at this point. A story that I found far more interesting due to its likely consequences is the news about the exploits found in popular law enforcer body cameras:

At Def Con this weekend, Josh Mitchell, a cybersecurity consultant with Nuix, showed how various models of body cameras can be hacked, tracked and manipulated. Mitchell looked at devices produced by five companies — Vievu, Patrol Eyes, Fire Cam, Digital Ally and CeeSc — and found that they all had major security flaws, Wired reports. In four of the models, the flaws could allow an attacker to download footage, edit it and upload it again without evidence of any of those changes having occurred.

I assume that these exploits are a feature, not a bug.

Law enforcers already have a problem with “malfunctioning” body cameras. There are numerous instances where multiple law enforcers involved in a shooting with highly questionable circumstances all claimed that their body cameras malfunctioned simultaneously. What has been missing up until this point is a justification for those malfunctions. I won’t be surprised if we start seeing law enforcers claim that their body cameras were hacked in the aftermath of these kinds of shootings. Moreover, the ability of unauthorized individuals to download, edit, and upload footage is another great feature because footage that reflects poorly on law enforcers can be edited and if the edit is discovered, officials can claim that it must have been edited by evil hackers.

Nothing But the Best

What’s the worst that could happen if the programmer for your pacemaker accepts software updates that aren’t digitally signed or delivered via a secure connection? It could accept a malicious software update that when pushed to your pacemaker could literally kill you. With stakes so high you might expect the manufacturer of such a device to have a vested interest in fixing it. After all, people keeling over dead because you didn’t implement basic security features on your product isn’t going to make for good headlines. But it turns out that that isn’t the case:

At the Black Hat security conference in Las Vegas, researchers Billy Rios and Jonathan Butts said they first alerted medical device maker Medtronic to the hacking vulnerabilities in January 2017. So far, they said, the proof-of-concept attacks they developed still work. The duo on Thursday demonstrated one hack that compromised a CareLink 2090 programmer, a device doctors use to control pacemakers after they’re implanted in patients.

Because updates for the programmer aren’t delivered over an encrypted HTTPS connection and firmware isn’t digitally signed, the researchers were able to force it to run malicious firmware that would be hard for most doctors to detect. From there, the researchers said, the compromised machine could cause implanted pacemakers to make life-threatening changes in therapies, such as increasing the number of shocks delivered to patients.

Killing people through computer hacks has been a mainstay of Hollywood for a long time. When Hollywood first used that plot point, it was unlikely. Today software is integrated into so many critical systems that that plot point is feasible. Security needs to be taken far more seriously, especially by manufacturers that develop such critical products.
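The check the quoted report says the programmer lacks, as an added example (not Medtronic's code and not from the original post): the device flashes an image only if a signature over its version and hash verifies against a pinned public key. A Lamport one-time signature built from SHA-256 stands in for a production scheme so the block runs on the standard library alone; every name and the sample image are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def bits(digest: bytes) -> list:
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    """Vendor side: 256 pairs of secrets; the public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def manifest(version: int, image: bytes) -> bytes:
    # Bind the version number to the image hash so neither can be swapped.
    return version.to_bytes(4, "big") + H(image)

def sign(sk, msg: bytes) -> list:
    """Reveal one secret per bit of H(msg). Each key pair signs ONE release."""
    return [sk[i][b] for i, b in enumerate(bits(H(msg)))]

def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    ok = True
    for i, b in enumerate(bits(H(msg))):
        ok &= hmac.compare_digest(H(sig[i]), pk[i][b])
    return ok

def accept_update(pk, installed: int, version: int, image: bytes, sig) -> str:
    """Device side: decide whether to flash, holding only the pinned public key."""
    if not verify(pk, manifest(version, image), sig):
        return "reject: bad signature"
    if version <= installed:
        return "reject: not newer than installed"
    return "accept"

def demo() -> dict:
    sk, pk = keygen()
    image = b"CONSTRUCTED FIRMWARE IMAGE v2\n" * 64   # constructed sample bytes
    sig = sign(sk, manifest(2, image))
    return {
        "genuine": accept_update(pk, 1, 2, image, sig),
        "modified image": accept_update(pk, 1, 2, image[:-1] + b"X", sig),
        "relabelled version": accept_update(pk, 1, 3, image, sig),
        "already installed": accept_update(pk, 2, 2, image, sig),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Because the device trusts only the pinned key, a modified image is rejected even when it arrives over an unencrypted connection.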

The Cost of Centralization

Alex Jones is having a lot of fun as of late. On top of recent court battles he now gets to add the pain of having his content removed from several major aggregators:

Apple, Facebook, YouTube and Spotify took their most aggressive steps yet to penalize conspiracy theorist and prominent right-wing talk show host Alex Jones for violating their hate speech policies.

Apple, Facebook, Spotify, and Google are all private businesses that have every right to refuse service to anybody. Moreover, I understand why any company would want to refuse service to Alex Jones. However, this is yet another lesson on the cost of centralization.

The aggregation of a majority of people’s information is now controlled by a handful of companies. This situation would be egregious if those companies used heavy handed tactics to coerce creators into relying on their services for distribution. But the power that companies like Apple, Facebook, and Google hold was given to them by creators who didn’t want to deal with the hassle of distribution themselves. Now that those companies have that power, they can make creators who don’t have their own distribution channel disappear.

Alex Jones is better off than many in this case because he, as far as I know, maintains his own infrastructure so his content is still available to his fan base. But other creators should be paying attention. If you don’t maintain your own infrastructure, everything you’ve created and your connection with your fans would vanish with the snap of a few companies’ fingers.