The Importance of Out-of-Band Verification

Yesterday I received an e-mail that appeared to be from a friend. It was a short e-mail asking what I thought about the contents of a link. The first red flag was that this friend seldom e-mails me. We have other forms of communication that we use. The second red flag was the e-mail address, which was his name at a domain I wasn’t familiar with. The third red flag was the link: it went to a domain I wasn’t familiar with.

Friends asking me about content on unfamiliar domains isn’t unusual. Moreover, friends e-mailing me from unfamiliar domains isn’t without precedent since new “privacy focused” e-mail domains pop up every day and I have friends who are interested in e-mail providers who respect their users’ privacy. I smelled a scam but wanted to make sure, so I contacted my friend through another messaging service and he confirmed that he didn’t send the e-mail.

The combination of social media with people’s general lack of security has made a lot of social information available to malicious individuals. If you want to specifically target somebody, the social information is often available to do it convincingly. Even if you’re not interested in specifically targeting somebody, the social information that is available is often complete enough that it can be fed to an automated tool that sends targeted e-mails to anybody it has information about. These types of scams can be difficult to defend against.

One method for defending against them is establishing multiple channels for communicating with your friends. Between e-mail, Signal, WhatsApp, Facebook Messenger, text messaging, Skype, XMPP, and a slew of other freely available communication tools, it’s easy to ensure that you have at least two separate means of communicating with your friends. If you receive a suspicious message that appears to be from a friend, you can use another form of communication to verify whether or not they sent it. Admittedly, such a tactic isn’t bulletproof. It’s possible for an attacker to compromise multiple communication methods. However, it’s more difficult to compromise two communication methods than to compromise one.

If Your Device Requires a “Cloud” Service, It’s Not Your Device

It’s time for a pop quiz. If you purchase a device and its basic functionality relies on a “cloud” service (somebody else’s computer), do you own it?

No, you don’t:

Bricking a device, which usually happens during a firmware update gone wrong, is never a good thing. It’s even worse when companies do it to their devices intentionally. According to emails received by users, Logitech will be intentionally bricking all Harmony Link devices via a firmware update as of March 16th, 2018. The bad news was first reported by Bleeping Computer.

According to this Harmony Link review, the device cost $100.00 when it was released. For that $100.00 I’m sure there were a lot of consumers who mistakenly believed that they were buying the device when, in fact, they were merely renting it. Now the owner of those devices, Logitech, is going to turn them off.

It Was Only a Matter of Time

I figured that it was only a matter of time before somebody decided to marry a drone to an improvised explosive. While I’d like to claim to have the power of prescience for this, truth be told it was something common sense would have led anybody to predict:

Mexican authorities have released photographs of commercial drones armed with improvised explosives caught among cartel members in the central Mexican town of Guanajunto. The improvised explosive was attached to the drone via a string that allows it to be carried to an objective and then remotely detonated, blowing up the drone itself (instead of releasing the device like we are seeing in Syria with some cases).

This is why any belief that weapons can be controlled is foolish. What most people think of as weapons are really just tools. The real weapon is the human mind, which has boundless creativity. One person may look at a truck and see a tool he can use to haul heavy equipment from one site to another. Another person may look at the very same truck and see a tool he can use to kill a bunch of people.

Open Whisper Systems Released Standalone Desktop Client

Signal is my favorite messaging application. It offers very good confidentiality and is easy to use. I also appreciate the fact that a desktop client was released, which meant I didn’t have to pull out my phone every time I wanted to reply to somebody. What I didn’t like though was the fact that the Signal desktop client was a Chrome app. If you use a browser besides Chrome you had to install Chrome just to use Signal’s desktop client. Fortunately, Google announced that it was deprecating Chrome apps and that forced Open Whisper Systems to release a standalone desktop client.

Now you can run the Signal desktop client without having to install Chrome.

Everything Evil is Capitalism, Everything Good is Communism

The release of the iPhone X is nearly upon us. Demand appears to be high and it’s doubtful that Apple will have enough units in its initial shipment to satisfy demand. This has led to prospective buyers coming up with schemes to ensure they can be one of the first to own the anticipated phone. Some will set their alarms to wake them up in the early hours of the morning when the preorder system goes live and others will plan to camp in front of an Apple store to claim one of the first shipped devices. And, of course, a bunch of communists plan to ruin the fun by pointing out that this capitalist ritual is built on the backs of people who are basically slave laborers.

Every time a highly anticipated electronic device is released the communists try to shit all over everybody else’s good time by blaming capitalism for the poor labor conditions in the countries where these devices are manufactured. What seems to get lost in their diatribes against capitalism is the fact that the country that manufactures the lion’s share of these devices, China, is a communist country.

Why is capitalism getting all of the blame here? Shouldn’t communism at least share in the blame? After all, it has apparently failed to elevate the working class of China above the practically slave labor conditions that communists keep complaining about. Isn’t that exactly what communism was supposed to stop?

You can’t have your cake and eat it too. If the evil capitalist Americans are to blame for the demand, then the holy communist party in China should be blamed for allowing their workers to be “exploited” by said evil capitalists.

The FBI’s Performance Issues

When the Federal Bureau of Investigation (FBI) isn’t pursuing terrorists that it created, the agency tends to have a pretty abysmal record. The agency recently announced, most likely as propaganda against effective encryption, that it has failed to obtain the contents of 7,000 encrypted devices:

Agents at the US Federal Bureau of Investigation (FBI) have been unable to extract data from nearly 7,000 mobile devices they have tried to access, the agency’s director has said.

Christopher Wray said encryption on devices was “a huge, huge problem” for FBI investigations.

The agency had failed to access more than half of the devices it targeted in an 11-month period, he said.

The lesson to be learned here is that effective cryptography works. Thanks to effective cryptography the people are able to guarantee their supposed constitutional right to privacy. The restoration of rights should be celebrated but politicians never do because our rights are directly opposed to their goals. I guarantee that this announcement will lead to more political debates in Congress that will result in more bills being introduced to ban the plebs (but not the government, of course) from having effective cryptography. If one of the bills is passed into law, the plebs will have to personally patch their devices to fix the broken cryptography mandated by law (which, contrary to what politicians might believe, is what many of us plebs will do).

If you don’t want government goons violating your privacy, enable the cryptographic features on your devices such as full disk encryption.

When You’re Trying to Be Very Smart™ but End Up Looking Stupid

The announcement of the iPhone X was one of the biggest product announcements of the year. Not only is it the latest iPhone, which always captures headlines, but it includes a new facial recognition feature dubbed Face ID. With the popularity of the iPhone it’s inevitable that politicians will try to latch onto it to capture some headlines of their own. Al Franken, one of Minnesota’s congress critters, decided to try to latch onto the iPhone X by expressing concern about the privacy implications of the Face ID feature. This may appear to have been a smart political maneuver but the senator only managed to make himself appear illiterate since Apple had already published all of the technical information about Face ID:

Apple has responded to Senator Al Franken’s concerns over the privacy implications of its Face ID feature, which is set to debut on the iPhone X next month. In his letter to Tim Cook, Franken asked about customer security, third-party access to data (including requests by law enforcement), and whether the tech could recognize a diverse set of faces.

In its response, Apple indicates that it’s already detailed the tech in a white paper and Knowledge Base article — which provides answers to “all of the questions you raise”. But, it also offers a recap of the feature regardless (a TL:DR, if you will). Apple reiterates that the chance of a random person unlocking your phone is one in a million (in comparison to one in 500,000 for Touch ID). And, it claims that after five unsuccessful scans, a passcode is required to access your iPhone.

Franken should feel fortunate that Apple even bothered entertaining his concerns. Were I Tim Cook I would have directed a member of my staff to send Franken links to the technical publications with a request to have a member of his staff read them to him and not bothered giving him a TL;DR. After all, Apple’s time is worth far more money than Franken’s since it’s actually producing products and services that people want instead of being a parasite feeding off of stolen money.

Still I admit that it was pretty funny seeing Franken make an ass of himself yet again.

Another Evolution of the 3D Printed Handgun

While politicians in Washington DC have been discussing gun control, denizens on the Internet have been busy evolving the 3D printed handgun. The WASHBEAR is a newly released 3D printed .22LR revolver:

It looks very similar to numerous Nerf guns. Like the Pepperbox handgun created by Hexen, the WASHBEAR has steel sleeves inserted into the chambers to reduce stress on the plastic. While this means that the entire gun isn’t 3D printable, steel inserts can be had at any hardware store.

Politicians and advocates of gun control can continue wasting their time but the truth is gun control is a fantasy. Granted, it has always been a fantasy but now we’re at the point where a person with even modest means can acquire everything necessary to build firearms. Gun control is dead. Technology killed it.

Safari 11, Multiline HTTP Headers, and NSPOSIXErrorDomain:100.

I was happy when Mozilla announced that it was going to take a serious stab at the browser market again and released Firefox Quantum, a beta version of Firefox that runs significantly faster than the current stable version. So far I’ve been mostly impressed by it. However, Firefox Quantum has one significant flaw: it hogs the CPU. Even when idling I’ve noticed Firefox Quantum processes taking anywhere from five to 20 percent of the available power on one of my CPU cores. I decided to compare this CPU usage against Chrome and Safari, which led me down quite the rabbit hole.

It all started when I tried to load my blog in Safari. Previous versions of Safari hadn’t had any difficulty loading my site, but when I tried to load it in Safari 11 I received the following error:

NSPOSIXErrorDomain:100 is about as useless as an error message can get. Unfortunately, Google didn’t provide me much insight. After a series of Google searches I did come across this article, which discusses some problems previous versions of Safari have had with Content Security Policies (CSP). Since I implemented a CSP for this site, I figured it was a good place to start. Lo and behold, when I disabled my CSP the site loaded in Safari again.

This confused me since, as I mentioned earlier, my site, with its current CSP, loaded in previous versions of Safari. I thought that maybe one of the fields in my CSP had been deprecated or was misconfigured, which led me to test with a very simple one-line CSP. When I tested with the simplified CSP my site loaded again. When I added an additional line to my CSP the site stopped loading again. That led me to suspect the line feed characters. I split my CSP into multiple lines to make it easier to read and edit, so it looked like this:

add_header Content-Security-Policy "default-src 'self';
  script-src 'self' 'unsafe-inline' 'unsafe-eval' https://s0.wp.com https://s1.wp.com https://s2.wp.com https://stats.wp.com;
  img-src 'self' https://secure.gravatar.com https://s0.wp.com https://s1.wp.com https://s2.wp.com https://chart.googleapis.com;
  style-src 'self' 'unsafe-inline' https://fonts.googleapi.com;
  font-src 'self' data: https://fonts.gstatic.com;
  object-src 'none';
  media-src 'self';
  child-src 'self' https://www.youtube-nocookie.com https://akismet.com;
  form-action 'self';";

I know it looks a little wonky since it includes unrecommended values like ‘unsafe-inline’ and ‘unsafe-eval’ for script-src but those, as well as a few other odd values such as the ‘data:’ font-src value, are needed by WordPress, which was developed before CSPs were a thing. But I digress. I decided to collapse the entire HTTP header value into a single line so it looked like this:

add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://s0.wp.com https://s1.wp.com https://s2.wp.com https://stats.wp.com; img-src 'self' https://secure.gravatar.com https://s0.wp.com https://s1.wp.com https://s2.wp.com https://chart.googleapis.com; style-src 'self' 'unsafe-inline' https://fonts.googleapi.com; font-src 'self' data: https://fonts.gstatic.com; object-src 'none'; media-src 'self'; child-src 'self' https://www.youtube-nocookie.com https://akismet.com; form-action 'self';";

After I did that my site loaded in Safari again. Then I reverted my configuration to the original multiline version but changed the standard UNIX new line character \n to the Windows (which is also the standard for the web) \r\n. After I did that my site failed to load again. Safari simply didn’t like new line characters appearing in a header entry.

It seemed that Safari 11 was unhappy with something that every other browser, including its predecessors, was still perfectly happy with. I suspected this was a bug in Safari but decided to do some digging before submitting a bug report. This was a good choice because I was mistaken. Searching for information about multiline headers led me to this entry on Stack Overflow, which led me to RFC 7230. Amongst other things, RFC 7230 deprecated multiline header fields:

Historically, HTTP header field values could be extended over multiple lines by preceding each extra line with at least one space or horizontal tab (obs-fold). This specification deprecates such line folding except within the message/http media type (Section 8.3.1). A sender MUST NOT generate a message that includes line folding (i.e., that has any field-value that contains a match to the obs-fold rule) unless the message is intended for packaging within the message/http media type.

It turns out that Safari 11 is adhering strictly to RFC 7230. And as of this writing it’s the only browser doing so. It also turns out that I’ve been unknowingly writing my CSP against the HTTP standard all along.

The moral of the story is if Safari 11 throws an NSPOSIXErrorDomain:100 error, check your HTTP headers to ensure they don’t contain multiline values.
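As an added example (not from the original post), the Python below does that check mechanically: it splits a captured header block into fields, flags any field whose value contains an obs-fold (a line break followed by a space or tab, per RFC 7230 section 3.2.4), and shows the single-line form a recipient would unfold it to. The sample responses are constructed from a trimmed version of the CSP above.

```python
import re

# RFC 7230 obs-fold: a CRLF (or bare LF, as nginx emits for a quoted
# multiline value) followed by at least one SP or HTAB.
OBS_FOLD = re.compile(r"\r?\n[ \t]+")


def split_fields(raw):
    """Split a raw header block into (name, value) pairs.

    The split happens only on line breaks that are NOT followed by
    whitespace, so a folded field stays in one piece and its value can
    be inspected. A leading status line of a captured response is dropped.
    """
    lines = re.split(r"\r?\n(?![ \t])", raw.strip())
    if lines and lines[0].upper().startswith("HTTP/"):
        lines = lines[1:]
    fields = []
    for entry in lines:
        if not entry.strip():
            continue
        name, sep, value = entry.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % entry)
        fields.append((name.strip(), value.strip()))
    return fields


def find_folded_fields(raw):
    """Names of fields whose value contains obs-fold (what Safari 11 rejects)."""
    return [name for name, value in split_fields(raw) if OBS_FOLD.search(value)]


def unfold(value):
    """Replace each obs-fold with a single SP, the collapse RFC 7230 permits
    a recipient to perform; this is the single-line form a sender should emit."""
    return OBS_FOLD.sub(" ", value)


# Constructed sample: the folded form (as nginx emits the multiline config)
# and the flat form that loads in Safari 11.
FOLDED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self';\r\n"
    "  script-src 'self' 'unsafe-inline';\r\n"
    "  object-src 'none';\r\n"
    "\r\n"
)
FLAT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none';\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("folded", FOLDED_RESPONSE), ("flat", FLAT_RESPONSE)):
        bad = find_folded_fields(raw)
        print(label, "->", "obs-fold in: %s" % bad if bad else "no folded fields")
        for name, value in split_fields(raw):
            if name in bad:
                print("  unfolded %s: %s" % (name, unfold(value)))
```

To check a live site, feed the output of `curl -si https://example.invalid/` (a placeholder URL) into `find_folded_fields` instead of the constructed sample.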

Oh, and if you’re wondering, Safari 11 uses significantly less CPU power than Firefox Quantum. Chrome also uses significantly less CPU power than Firefox Quantum. But it’s worth noting that Firefox Quantum is beta software and its CPU usage may improve before its final release.

Updating the Propaganda

The current administration, just like the previous administration, doesn’t like the fact that the plebs have the ability to keep secrets from it. When the previous administration pushed to prohibit effective cryptography, it was met with a great deal of resistance. Hoping to avoid the same failure, the current administration is updating its propaganda. It’s not seeking to prohibit effective cryptography; it’s seeking to promote responsible cryptography:

A high-ranking Department of Justice official took aim at encryption of consumer products today, saying that encryption creates “law-free zones” and should be scaled back by Apple and other tech companies. Instead of encryption that can’t be broken, tech companies should implement “responsible encryption” that allows law enforcement to access data, he said.

“Warrant-proof encryption defeats the constitutional balance by elevating privacy above public safety,” Deputy Attorney General Rod Rosenstein said in a speech at the US Naval Academy today (transcript). “Encrypted communications that cannot be intercepted and locked devices that cannot be opened are law-free zones that permit criminals and terrorists to operate without detection by police and without accountability by judges and juries.”

Encrypted communications that cannot be intercepted and locked devices that cannot be opened are law-free zones? He just made effective cryptography sound even more awesome!

Once again this administration is telling the plebs that they have no right to privacy, which tends to go over about as well as a lead balloon with the plebs. Moreover, this recommendation is one-way. Notice how under these proposals the plebs aren’t allowed to have any privacy from the government but the government gets to maintain its privacy from the plebs by having legal access to effective cryptography? If the United States government is supposed to be accountable to the people, then by the government’s logic the people should have a means of breaking the government’s encryption as well.

There are two facts about the United States of America. Anybody can sue anybody else for any reason and high ranking officials can make any demands they want. Just as many lawsuits get tossed out due to lack of merit, many demands from high ranking officials are technically impossible. “Responsible encryption,” to use the euphemism, is not technically possible. Encryption is either effective or ineffective. If there is an intentional weakness added to an encryption algorithm then it will be exploited by unintended actors, not just intended actors.