APFS and FileVault

Apple released macOS High Sierra yesterday. Amongst other changes, High Sierra includes the new Apple File System (APFS), which replaces the decades-old Hierarchical File System (HFS). When you install High Sierra, at least if your boot drive is a Solid State Drive (SSD), the file system is supposed to be automatically converted to APFS. Although Apple’s website says that FileVault encrypted drives will be automatically converted, it didn’t give any details.

I installed High Sierra on two of my systems last night. One was a 2012 MacBook Pro and the other was a 2010 Mac Mini. Both contain Crucial SSDs. Since they’re third-party SSDs I wasn’t sure if High Sierra would automatically convert them. I’m happy to report that both were converted automatically. I’m also happy to report that FileVault didn’t throw a wrench into the conversion. I was worried that converting a FileVault encrypted drive would require copying files from one encrypted container to a new encrypted container but that wasn’t necessary.

If you’re installing High Sierra on a FileVault encrypted drive, the conversion from HFS to APFS won’t take a noticeably greater amount of time.

But Wait, There’s More

Equifax already displayed a staggering level of incompetence but like a Billy Mays commercial there’s more:

The official Equifax Twitter account encouraged people to visit a knock-off website that mocks the company’s security practices instead of the site the company created to warn of a massive data breach. That recent breach exposed personal details for as many as 143 million US consumers.

In a tweet on Tuesday afternoon, an Equifax representative using the name Tim wrote: “Hi! For more information about the product and enrollment, please visit: securityequifax2017.com.” The message came in response to a question about free credit monitoring Equifax is offering victims. The site is a knock-off of the official Equifax breach notification site, equifaxsecurity2017.com. A security researcher created the imposter site to demonstrate how easy it is to confuse a legitimate name with a bogus one. The Equifax tweet suggests that even company representatives can be easily fooled. The tweet was deleted late Wednesday morning, more than 18 hours after it went live.

It’s almost as if large credit agencies like Equifax aren’t held accountable for screwing up and therefore aren’t motivated to do an effective job. Weird.

Statists continue to claim that government is necessary to deliver justice when large corporations like this screw up. However, I’m still waiting to see the government do anything more than give a corporation like this a minor slap on the wrist for fuck ups of this magnitude. Hell, I’m still waiting to see the government give Equifax a stern talking to over this series of amateur mistakes. As far as I can tell, government seems to exist primarily to protect large corporations like this from competitors that would currently be tearing it apart if there was a free market.
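The word-swap confusion described above can be caught before a reply is posted. The following is an added example, not code from the original post or from Equifax: it vets the domains in a draft message against the official site, and the token list, the verdict names and the misspelled test domain are assumptions constructed for illustration.

```python
import re
from itertools import permutations

OFFICIAL = "equifaxsecurity2017.com"            # official site named in the article
BRAND_TOKENS = ("equifax", "security", "2017")  # assumption: words the defender watches
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(domain):
    """Return 'official', 'same-words', 'near-miss' or 'unrelated'."""
    domain = domain.lower().rstrip(".")
    if domain == OFFICIAL or domain.endswith("." + OFFICIAL):
        return "official"
    official_label = OFFICIAL.split(".")[0]
    for label in domain.split(".")[:-1]:
        label = label.replace("-", "")
        # Same brand words in any order: the trick the article describes.
        if any("".join(p) == label for p in permutations(BRAND_TOKENS)):
            return "same-words"
        # One or two typos away from the official name.
        if edit_distance(label, official_label) <= 2:
            return "near-miss"
    return "unrelated"


def vet_message(text):
    """List (domain, verdict) for every domain mentioned in a draft message."""
    return [(d.lower(), classify(d)) for d in DOMAIN_RE.findall(text)]


def safe_to_post(text):
    """Block the draft if any link imitates the official site."""
    return all(v in ("official", "unrelated") for _, v in vet_message(text))


if __name__ == "__main__":
    # The tweet text quoted in the article.
    tweet = ("Hi! For more information about the product and enrollment, "
             "please visit: securityequifax2017.com.")
    print(vet_message(tweet), safe_to_post(tweet))
```
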

NSA Told to Sod Off

After the National Security Agency (NSA) was caught manipulating cryptographic algorithms to enhance its surveillance abilities, trust for the agency fell to an all-time low. This distrust led the International Standards Organization (ISO) to reject two encryption algorithms recently submitted by the NSA:

SAN FRANCISCO (Reuters) – An international group of cryptography experts has forced the U.S. National Security Agency to back down over two data encryption techniques it wanted set as global industry standards, reflecting deep mistrust among close U.S. allies.

In interviews and emails seen by Reuters, academic and industry experts from countries including Germany, Japan and Israel worried that the U.S. electronic spy agency was pushing the new techniques not because they were good encryption tools, but because it knew how to break them.

The NSA has now agreed to drop all but the most powerful versions of the techniques – those least likely to be vulnerable to hacks – to address the concerns.

The dispute, which has played out in a series of closed-door meetings around the world over the past three years and has not been previously reported, turns on whether the International Organization of Standards should approve two NSA data encryption techniques, known as Simon and Speck.

This is an appropriate response. The NSA has a track record of manipulating standards organizations in order to make its surveillance apparatus more effective. In security, trust is everything. Since the NSA has proven itself to be untrustworthy, it only makes sense to reject any proposals from the agency.

The EFF Resigns from the W3C

The World Wide Web Consortium (W3C) officially published its recommendation for a digital rights management (DRM) scheme. By doing so it put an end to its era of promoting an open web. After fighting the W3C on this matter and even proposing a very good compromise, which was rebuffed, the Electronic Frontier Foundation (EFF) has resigned from the W3C:

We believe they will regret that choice. Today, the W3C bequeaths a legally unauditable attack-surface to browsers used by billions of people. They give media companies the power to sue or intimidate away those who might re-purpose video for people with disabilities. They side against the archivists who are scrambling to preserve the public record of our era. The W3C process has been abused by companies that made their fortunes by upsetting the established order, and now, thanks to EME, they’ll be able to ensure no one ever subjects them to the same innovative pressures.

[…]

Effective today, EFF is resigning from the W3C.

Since the W3C no longer serves its intended purpose I hope to see many other principled members resign from the organization as well.

While content creators are interested in restricting the distribution of their products, the proposal put forth by the W3C will return us to the dark days of ActiveX. Since the proposal is really an application programming interface (API), not a complete solution, content creators can require users to install any DRM scheme. These DRM schemes will be native code. If you remember the security horrors of arbitrary native code being required by websites using ActiveX, you have an idea of what users are in for with this new DRM scheme. At this point I hope that the W3C burns to the ground and a better organization rises from its ashes.

iOS 11 Makes It More Difficult for Police to Access Your Device

One reason I prefer iOS over Android is because Apple has invested more heavily in security than Google has. Part of this comes from the fact Apple controls both the hardware and software so it can implement hardware security features such as its Secure Enclave chip whereas the hardware security features available on an Android device are largely dependent on the manufacturer. However, even the best security models have holes in them.

Some of those holes are due to improperly implemented features while others are due to legalities. For example, here in the United States law enforcers have a lot of leeway in what they can do. One thing that has become more popular, especially at the border, is the use of devices that copy data from smartphones. This has been relatively easy to do on Apple devices if the user unlocks the screen because trusting a new connection has only required the tapping of a button. That will change in iOS 11:

For the mobile forensic specialist, one of the most compelling changes in iOS 11 is the new way to establish trust relationship between the iOS device and the computer. In previous versions of the system (which includes iOS 8.x through iOS 10.x), establishing trusted relationship only required confirming the “Trust this computer?” prompt on the device screen. Notably, one still had to unlock the device in order to access the prompt; however, fingerprint unlock would work perfectly for this purpose. iOS 11 modifies this behaviour by requiring an additional second step after the initial “Trust this computer?” prompt has been confirmed. During the second step, the device will ask to enter the passcode in order to complete pairing. This in turn requires forensic experts to know the passcode; Touch ID alone can no longer be used to unlock the device and perform logical acquisition.

Moreover, Apple has also included a way for users to quickly disable the fingerprint sensor:

In iOS 11, Apple has added a new emergency feature designed to give users an intuitive way to call emergency by simply pressing the Power button five times in rapid succession. As it turns out, this SOS mode not only allows quickly calling an emergency number, but also disables Touch ID.

These two features appear to be aimed at keeping law enforcers accountable. Under the legal framework of the United States, a police officer can compel you to provide your fingerprint to unlock your device but compelling you to provide a password is still murky territory. Some courts have ruled that law enforcers can compel you to provide your password while others have not. This murky legal territory offers far better protection than the universal ruling that you can be compelled to provide your fingerprint.

Even if you are unable to disable the fingerprint sensor on your phone, law enforcers will still be unable to copy the data on your phone without your password.

New Levels of Incompetence

Equifax, one of the largest consumer credit report agencies, recently suffered a major database breach. Of course, you wouldn’t know it if the media wasn’t giving it heavy coverage because Equifax seems to want to keep things hush hush and I understand why. After reading this it would appear that Equifax implemented worse security than most college students in an introductory web development class:

It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”

[…]

Each employee record included a company username in plain text, and a corresponding password that was obfuscated by a series of dots.

However, all one needed to do in order to view said password was to right-click on the employee’s profile page and select “view source,” a function that displays the raw HTML code which makes up the Web site. Buried in that HTML code was the employee’s password in plain text.

This is an impressive level of incompetence and I mean that sincerely. Most amateur websites have better security than this. The fact that a company as large as Equifax could implement worse security practices than even the most amateur of amateur web developers is no small feat. Unfortunately, its piss poor security practices have put a lot of people’s sensitive information in the hands of unknown parties.
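A check a development team could run over its own rendered pages to catch the flaw quoted above, where a password shown as dots is still present in the HTML source. This is an added example, not code from the original post or the article it quotes; the sample page, field names and name hints are constructed for illustration.

```python
from html.parser import HTMLParser

# Assumption: substrings that mark a hidden field as carrying a credential.
SECRET_NAME_HINTS = ("pass", "pwd", "secret")

# Constructed sample of a profile page as the server renders it.
SAMPLE_PAGE = """<h1>Employee profile</h1>
<form>
  <input type="text" name="username" value="jdoe">
  <input type="password" name="password" value="constructed-secret-1">
  <input type="hidden" name="old_pwd" value="constructed-secret-2"/>
  <input type="hidden" name="csrf_token" value="constructed-token">
  <input type="password" name="new_password" value="">
</form>"""


class PrefilledSecretFinder(HTMLParser):
    """Collects <input> elements whose markup already contains a secret."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = {k: (v or "") for k, v in attrs}
        name = attr.get("name", "")
        kind = attr.get("type", "text").lower()
        if not attr.get("value", "").strip():
            return  # an empty field leaks nothing
        if kind == "password":
            # The browser masks this with dots, but the value is in the source.
            reason = "password field pre-filled by server"
        elif kind == "hidden" and any(h in name.lower() for h in SECRET_NAME_HINTS):
            reason = "hidden field carrying a secret"
        else:
            return
        line, _ = self.getpos()
        # Record where the leak is, never the secret itself.
        self.findings.append((line, name, reason))


def find_prefilled_secrets(html):
    """Return (line, field name, reason) for each secret sent to the browser."""
    finder = PrefilledSecretFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for line, name, reason in find_prefilled_secrets(SAMPLE_PAGE):
        print(f"line {line}: {name}: {reason}")
```
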

Subscriptions for Everything

The Apple Watch Series 3 was announced. Its hot new feature is built-in LTE, which means users no longer have to have it tethered to their phone for it to function. However, enabling LTE requires yet another subscription:

An Apple Watch Series 3 will cost you $10 per month on your cell plan, and it appears that all US carriers will offer three months of free service (a $30 credit). However, we’re still waiting for confirmation from Sprint.

AT&T and Verizon are also offering free activation (a $25 and $30 fee, respectively). T-Mobile will waive its $25 new SIM card kit fee. We’ve reached out to Sprint for their activation fee policies and will update when we have more. It’s interesting that the Apple Watch Series 3 is $10/month on Verizon, when other smartwatches cost $5 on their plan.

I’m starting to think that I’m the last person on Earth who doesn’t want a subscription plan tied to every damned thing I own.

This is a slight digression from yesterday’s post but it seems to me that more and more products are finding ways of tying subscriptions to them. Ulysses, a popular text editor, announced last month that it was changing to a subscription model. Several years before that Adobe announced that its products would change to a subscription model. We’re entering an era where ownership, even in a limited form, is being replaced by renting.

Don’t get me wrong, subscriptions make sense for some services. For example, cellular services rely on an infrastructure that needs constant maintenance. But we’re quickly approaching a point where every manufacturer is finding some way to attach a subscription plan to every product they sell. At this rate we’ll soon have to pay a subscription to keep our cars running.

Digital Serfdom

Do you own your phone? How about your thermostat or even your car? I would guess that most people would reflexively respond that they do own those things. However, due to intellectual property laws, you don’t:

One key reason we don’t control our devices is that the companies that make them seem to think – and definitely act like – they still own them, even after we’ve bought them. A person may purchase a nice-looking box full of electronics that can function as a smartphone, the corporate argument goes, but they buy a license only to use the software inside. The companies say they still own the software, and because they own it, they can control it. It’s as if a car dealer sold a car, but claimed ownership of the motor.

This sort of arrangement is destroying the concept of basic property ownership.

I’ve hit on this topic numerous times but it bears repeating. Copyright laws don’t apply to purely mechanical goods so when you buy an older car or a mechanical watch you actually own it. Copyright laws do apply to software so when you buy anything that runs software you are licensing it. The difference between ownership and licensing is significant.

If you own something, you have the right to do whatever you want with it. If a product that you own breaks, you can hire anybody you want to repair it. If you are unhappy with the performance of a product that you own, you can modify it to your heart’s content. If you license something, you have a limited set of privileges. If your licensed product breaks, you might be restricted on where you can take it for repairs. If you are unhappy with the performance of your licensed product, you might be restricted on what kind of modifications, if any, you are allowed to make.

As software becomes more pervasive, ownership will become more endangered. It doesn’t have to be this way though. If copyrights didn’t apply to software, manufacturers wouldn’t have a legal foundation to restrict buyers. If manufacturers used free (as in freedom) software, buyers would be able to own their products. Unfortunately, I don’t think manufacturers will make any major move to utilize free software since most of them probably enjoy the fact that the State is subsidizing them by enforcing their ability to license instead of sell their products to buyers. Until that changes, digital serfdom will remain the norm and buyers won’t be able to claim that they own the products that they spend money on.

The FCC’s Free File Hosting Service

Who says government agencies can’t innovate? The Fascist Communications Club Federal Communications Commission (FCC) has an online commenting system that allows individuals to give their input on proposed rule changes. In addition to being a commenting system, the system also served as a file hosting service:

The application programming interface for the FCC’s Electronic Comment Filing System that enables public comment on proposed rule changes—such as the dropping of net neutrality regulations currently being pushed by FCC Chairman Ajit Pai—has been the source of some controversy already. It exposed the e-mail addresses of public commenters on network neutrality—intentionally, according to the FCC, to ensure the process’ openness—and was the target of what the FCC claimed was a distributed denial of service (DDoS) attack. But as a security researcher has found, the API could be used to push just about any document to the FCC’s website, where it would be instantly published without screening. That was demonstrated by a PDF published with Microsoft Word that was uploaded to the site, now publicly accessible.

I guess the FCC decided that since you’re already paying taxes to fund it, it didn’t need to charge you for file hosting services.

The level of incompetency displayed by the government never ceases to amaze me. Commenting systems aren’t exactly rocket science; they have been available on websites for ages now. Most of those commenting systems managed to implement basic protections against uploading arbitrary files. Why didn’t the FCC just go with one of those services or at least hire a developer with some basic understanding of how to develop a commenting system that isn’t vulnerable to such a trivial exploit?

From what I’ve read, it doesn’t appear that the FCC has fixed this hole yet. While uploading arbitrary files to the FCC’s commenting service might cause you to run afoul of the Computer Fraud and Abuse Act, you still have access to a government provided free file hosting service.

Voluntary Association Strikes Again

A white supremacist website, the Daily Stormer, ran into a hiccup yesterday. The website’s domain registrar, GoDaddy, informed the site administrators that it no longer wished to associate with them and that they had 24 hours to move to another registrar. So the administrators moved the domain name to Google and were then informed by Google that it had no desire to associate with them:

For years, the website Daily Stormer has promoted hatred against Jews, black people, LGBT people, and other minorities, making it one of the Internet’s most infamous destinations. But on Sunday, editor Andrew Anglin outdid himself by publishing a vulgar, slut-shaming article about Heather Heyer, a woman who was killed when someone rammed a car into a crowd of anti-racism protestors in Charlottesville.

The article prompted a response from the site’s domain registrar, GoDaddy. “We informed The Daily Stormer that they have 24 hours to move the domain to another provider, as they have violated our terms of service,” GoDaddy wrote in a tweet late Sunday night.

On Monday, the Daily Stormer switched its registration to Google’s domain service. Within hours, Google announced a cancellation of its own. “We are cancelling Daily Stormer’s registration with Google Domains for violating our terms of service,” the company wrote in a statement emailed to Ars.

As the article points out, the website isn’t likely to go offline because of this. Both Wikileaks and The Pirate Bay have a long history of having to jump from registrar to registrar to stay online. However, it is nice that GoDaddy and Google have the ability to decide that they no longer wish to associate with the Daily Stormer. But voluntary association is one of those things that people seem to love only when it benefits them or their causes. As soon as voluntary association clashes with people or their causes they quickly move to demand that the association be mandated by government.