The Benevolence of Government

Last year the government granted itself permission to widen the scope of warrants when any form of anonymity tool is involved in a case. This expansion, commonly referred to as Rule 41, allows government agents to acquire a warrant that authorizes them to remotely access any computer using, for example, Tor to conceal either its physical location or its users’ physical locations. Needless to say, the privacy community wasn’t thrilled when news of this expansion broke.

But the privacy community is, unfortunately, relatively small. The government doesn’t really care about it. It’s far more interested in convincing the masses that this expansion of power is a good thing. To demonstrate the value of this power the Federal Bureau of Investigation (FBI) requested and received a warrant to remotely access systems that were infected with a botnet so it could clean the malware:

Mass hacking seems to be all the rage currently. A vigilante hacker apparently slipped secure code into vulnerable cameras and other insecure networked objects in the “Internet of Things” so that bad guys can’t corral those devices into an army of zombie computers, like what happened with the record-breaking Mirai denial-of-service botnet. The Homeland Security Department issued alerts with instructions for fending off similar “Brickerbot malware,” so-named because it bricks IoT devices.

And perhaps most unusual, the FBI recently obtained a single warrant in Alaska to hack the computers of thousands of victims in a bid to free them from the global botnet, Kelihos.

[…]

The FBI sought the 30-day warrant to liberate victims through a new procedural rule change that took effect in December amid worries among privacy advocates that the update would open a new door for government abuse. But the first use of the amendments to Rule 41 of the Federal Rules of Criminal Procedure has assuaged fears, at least for the moment, because the feds used their power to kill a botnet.

How benevolent of the FBI!

This is, of course, a purely propagandistic move. Now when some pesky privacy advocate brings up the heinous nature of Rule 41 the federal government can point to this case and berate the advocate for wanting to help botnet operators. It’s a classic maneuver with a proven track record.

How to Save Yourself $400

How do you take a boring old consumer appliance like a juicer and spice it up? By putting a chip in it, of course! That is the philosophy behind most Internet of Things (IoT) products. But before you can toss a chip in you need to give the consumers a reason why having a chip in their appliance will literally revolutionize their Web 3.0 existences.

Juicero was yet another bad idea made possible by Silicon Valley venture capital. The idea was to take a regular juicer, make it not actually a juicer, add Wi-Fi, and charge an arm and a leg for proprietary juice bags. Basically, it’s a juicer that doesn’t actually juice but includes a chip for Wi-Fi and DRM. But wait, there’s more! Not only does the product include a bunch of stupid features but the appliance itself also costs an arm and a leg! However, some clever super elite hacker has already found a way to bypass the need for Juicero’s expensive appliance:

Doug Evans, the company’s founder, would compare himself with Steve Jobs in his pursuit of juicing perfection. He declared that his juice press wields four tons of force—“enough to lift two Teslas,” he said. Google’s venture capital arm and other backers poured about $120 million into the startup. Juicero sells the machine for $400, plus the cost of individual juice packs delivered weekly. Tech blogs have dubbed it a “Keurig for juice.”

But after the product hit the market, some investors were surprised to discover a much cheaper alternative: You can squeeze the Juicero bags with your bare hands.

Apparently the “Steve Jobs of juicing perfection” didn’t have the resources to hire somebody who could foresee consumers just squeezing the proprietary juice bags. While there are a lot of valid criticisms against Steve Jobs, it’s difficult to deny that he had a knack for hiring talented people. Doug Evans, on the other hand, apparently lacks that knack. But he did manage to sucker $120 million out of backers so his ability to make money is certainly there.

Adding Internet connectivity makes sense for a lot of products but many IoT companies don’t seem to be asking why it makes sense to add connectivity to their products. Instead, they seem to be adding connectivity to regular products for marketing reasons (it’s not just a juicer, it’s a smart juicer) so consumers will buy them in spite of the other limitations put into place to lock users into the manufacturer’s “platform.” Fortunately, clever people tend to find ways to bypass the platform lock-in and all of us can laugh at $120 million being flushed down the toilet.

Man Arrested for Hacking Without Hacking Anybody

One of the more bizarre concepts in the United States legal system is that one can go to jail for providing a means for other people to commit crimes. Take Taylor Huddleston, for example. He was arrested because he wrote some tools used by malicious hackers:

The visitors were from the FBI, and after a 90-minute search of his house, they left with his computers, only to return two months later with handcuffs. Now free on bond, Huddleston, 26, is scheduled to appear in a federal courtroom in Alexandria, Virginia on Friday for arraignment on federal charges of conspiracy and aiding and abetting computer intrusions.

Huddleston, though, isn’t a hacker. He’s the author of a remote administration tool, or RAT, called NanoCore that happens to be popular with hackers. NanoCore has been linked to intrusions in at least 10 countries, including an attack on Middle Eastern energy firms in 2015, and a massive phishing campaign last August in which the perpetrators posed as a major oil and gas company. As Huddleston sees it, he’s a victim himself—hackers have been pirating his program for years and using it to commit crimes. But to the Justice Department, Huddleston is an accomplice to a spree of felonies.

Brian Krebs offered a bit more legal analysis than the Daily Beast article. If you’re wondering why the Federal Bureau of Investigation (FBI) went after Huddleston for writing a remote administration tool and not, say, TeamViewer, it’s because he advertised his product on a hacker forum:

Huddleston makes the case in Poulsen’s story that there’s a corporate-friendly double standard at work in the government’s charges, noting that malicious hackers have used commercial remote administration tools like TeamViewer and VNC for years, but the FBI doesn’t show up at their corporate headquarters with guns drawn.

But Nixon notes that RATs sold on Hackforums are extremely dangerous for the average person to use on his personal computer because there are past cases in which RAT authors diverted infected machines to their own botnet.

Now that you have the history of the case and the legal analysis, I’m going to provide the libertarian analysis.

Let’s assume the FBI’s accusation that Huddleston built a remote administration tool specifically for the malicious hacker market is true. Under libertarianism a crime doesn’t exist unless a victim exists, so who were Huddleston’s victims? The people whose computers were hacked? While they were victims, they were victims of the malicious hackers, not Huddleston.

“But, Chris,” I hear some statist exclaim, “he built a tool used by hackers?!” That doesn’t matter. The existence of the tool itself is not a crime. A gun manufacturer isn’t charged with conspiracy and aiding and abetting a murderer when one of its guns is used by a murderer. An automobile manufacturer isn’t charged with conspiracy and aiding and abetting a bank robbery when one of its automobiles is used as a getaway car for a gang of bank robbers. So why are software tools treated differently?

I can hear our statist interrupting us again, “But, Chris, guns and automobiles have legitimate purposes! Hacker tools don’t!” First of all, that’s not true. Hacker tools have legitimate purposes. They’re often used by penetration testers. Second of all, that doesn’t matter. Every tool can be used for legitimate and illegitimate purposes. A gun can be used to defend an innocent life or to take one. An automobile can be used to drive to work or as a getaway vehicle for a crime. A remote administration tool can be used by a support technician to fix a user’s problem remotely or to configure a computer for botnet activities. Tools have no morality, only users do.

Under the arbitrary legal system we denizens of the United States suffer, manufacturers of certain tools can be charged with aiding and abetting criminals who used those tools while manufacturers of other tools can’t be. The only thing that determines whether a manufacturer can or can’t be charged is the opinion of a body of politicians. If they believe that the tools you manufacture have legitimate purposes, you might enjoy legal protections. If not, you might find yourself being arrested by the FBI because somebody used one of the tools you made to commit a crime. Under libertarian principles, a person can only be charged with a crime when a victim can be directly tied to their actions. What I can’t figure out is why most people seem to find an entirely arbitrary legal system more favorable than a consistent one.

The Internet of Things Means Not Owning Your Devices

Every consumer product can be made better by connecting it to the Internet, right? If you prefer licensing your products instead of owning them then that may be the case. However, if you’re like me and believe that you should own the products you buy, then that may not be the best idea.

A poor schmuck who purchased an Internet connected garage door opener and later ran afoul of the company’s support has learned a valuable lesson about the difference between licensing and ownership:

Denis Grisak, the man behind the Internet-connected garage opener Garadget, is having a very bad week. Grisak and his Colorado-based company SoftComplex launched Garadget, a device built using Wi-Fi-based cloud connectivity from Particle, on Indiegogo earlier this year, hitting 209 percent of his launch goal in February. But this week, his response to an unhappy customer has gotten Garadget a totally different sort of attention.

On April 1, a customer who purchased Garadget on Amazon using the name R. Martin reported problems with the iPhone application that controls Garadget.

[…]

Grisak then responded by bricking Martin’s product remotely, posting on the support forum:

Martin,
The abusive language here and in your negative Amazon review, submitted minutes after experiencing a technical difficulty, only demonstrates your poor impulse control. I’m happy to provide the technical support to the customers on my Saturday night but I’m not going to tolerate any tantrums.

At this time your only option is return Garadget to Amazon for refund. Your unit ID 2f0036… will be denied server connection.

Welcome to the Internet of Things where any device can be remotely bricked by an angry service provider!

When it comes to Internet connected devices I ask two questions. First, is the device being provided by a company that has a good security track record? Second, what benefits would I derive from connecting that device to the Internet?

The first question is important to ask about any device that will be connected to the Internet because you don’t want your Internet connected coffee pot to become part of a botnet or act as a gateway for a malicious actor to access your network. While the second question is subjective, I believe it’s important to consider. Why, for example, would I want my garage door opener to connect to the Internet? I only want the garage door to open when I’m entering or leaving the garage. For me, there is no value in being able to open my garage door while I’m sitting at work. Furthermore, having to unlock my phone and open an app takes longer than pressing a button on a remote control attached to my vehicle’s visor. So an Internet connected garage door ends up being less convenient for me than a regular one. Answering the second question just saved me a potential security vulnerability in my network and the possibility of having my device bricked by a pissy provider (not to mention it probably saved me some money).

CryptoPartyMN Meeting Tonight

For those of you who don’t know, CryptoPartyMN is a group that focuses on teaching individuals how to utilize secure communication tools. We meet every other week and host a few hands-on workshops each year. With the sudden concern about privacy as it relates to Internet Service Providers (ISP), tonight’s meeting will discuss Virtual Private Networks (VPN).

If you’re interested in learning about defending your privacy against your ISP please feel free to join us.

Private Solutions to Government Created Problems

Earlier this week the United States Congress decided to repeal privacy protection laws that it had previously put into place on Internet Service Providers (ISP). While a lot of people have been wasting their time begging their representatives, or rather their masters, with phone calls, e-mails, and petitions, private companies have begun announcing methods to actually protect their users’ privacy. In the latest example of this, Pornhub announced that it will turn on HTTPS across its entire site:

On April 4, both Pornhub and its sister site, YouPorn, will turn on HTTPS by default across the entirety of both sites. By doing so, they’ll make not just adult online entertainment more secure, but a sizable chunk of the internet itself.

The Pornhub announcement comes at an auspicious time. Congress this week affirmed the power of cable providers to sell user data, while as of a few weeks ago more than half the web had officially embraced HTTPS. Encryption doesn’t solve your ISP woes altogether—they’ll still know that you were on Pornhub—but it does make it much harder to know what exactly you’re looking at on there.

As the article points out, your ISP will still be able to tell that you accessed Pornhub, since Domain Name System (DNS) lookups are generally not secured (and the hostname also travels in clear text in the TLS handshake’s Server Name Indication), but it won’t be able to see what content you’re accessing. As for DNS lookups, solutions are already being worked on to improve their security. Projects like DNSCrypt, which provides encrypted DNS lookups, are already available.
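To make the “your ISP still knows you were there” point concrete, here is an added example (not from the original post or any of the quoted articles) that shows what a passive on-path observer can read from two packets of an HTTPS visit: the plaintext DNS query and the ClientHello that opens the TLS connection. Both packets are constructed inline with hypothetical values (the hostname, the zeroed ClientHello random, a single cipher suite) so it runs offline; the request path and page content never appear in either.

```python
"""Added example: what an ISP can read from plaintext DNS and a TLS ClientHello.
Packets are constructed here for illustration, not captured from a real session."""
import struct
from typing import Optional


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query for an A record, as a stub resolver sends on UDP/53."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def dns_query_name(pkt: bytes) -> str:
    """Passive observer: recover the queried hostname from an unencrypted DNS packet."""
    labels, pos = [], 12  # questions start right after the 12-byte header
    while pkt[pos]:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)


def build_client_hello(sni: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record carrying a server_name (SNI) extension."""
    host = sni.encode()
    server_name_list = struct.pack(">BH", 0, len(host)) + host   # type 0 = host_name
    sni_ext_body = struct.pack(">H", len(server_name_list)) + server_name_list
    extensions = struct.pack(">HH", 0x0000, len(sni_ext_body)) + sni_ext_body
    body = (b"\x03\x03" + bytes(32)                       # version, random (zeros: constructed)
            + b"\x00"                                     # session id length 0
            + struct.pack(">H", 2) + b"\xc0\x2f"          # one cipher suite (hypothetical choice)
            + b"\x01\x00"                                 # compression methods: null only
            + struct.pack(">H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def client_hello_sni(record: bytes) -> Optional[str]:
    """Passive observer: read the hostname from the ClientHello's SNI extension.

    Returns None for anything that is not a handshake record carrying a ClientHello,
    e.g. the encrypted application-data records that follow the handshake."""
    if record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 5 + 4 + 2 + 32                                        # record hdr, hs hdr, version, random
    pos += 1 + record[pos]                                      # skip session id
    pos += 2 + struct.unpack(">H", record[pos:pos + 2])[0]      # skip cipher suites
    pos += 1 + record[pos]                                      # skip compression methods
    ext_len = struct.unpack(">H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", record[pos:pos + 4])
        pos += 4
        if etype == 0:  # server_name: list len (2), name type (1), name len (2), name
            name_len = struct.unpack(">H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode()
        pos += elen
    return None
```

Encrypted DNS (DNSCrypt, as the post mentions) removes the first leak; the SNI leak persists unless the handshake itself is protected.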

If you want to protect your privacy you can’t rely on the State’s regulations. First, the State is the worst offender when it comes to surveillance and the consequences of its surveillance are far worse. Sure, your ISP might sell some of your data but the State will send men with guns to your home to kidnap you and probably shoot your dog. Second, as this situation perfectly illustrates, government regulations are temporary. The government implemented the privacy regulations and then took them away. It may restore them again in the future but there’s no guarantee it won’t repeal them again. Any government solution is temporary at best.

Cryptography offers a permanent solution that can protect Internet users from both their snoopy ISP and government. HTTPS and DNSCrypt will continue to work regardless of the state of privacy regulations.

Incompetency Will Solve Everything

Computer security has become a hot topic, which I appreciate since it was almost completely ignored for such a long time. Unfortunately, as with any hot topic, politicians are forcing themselves into the conversation. Two members of Congress have come up with the wonderful idea of putting the Federal Communications Commission (FCC) in charge of regulating computer security:

Two Democrats in Congress are imploring FCC head Ajit Pai to address cybersecurity issues in the United States, arguing vulnerabilities in cellular networks infringe on citizens’ liberties and pose a “serious threat” to national security. Sen. Ron Wyden and Rep. Ted Lieu penned a letter to Pai laying out known issues in modern communications systems and asking the FCC to step in. However, that’s unlikely to happen.

Putting an agency of one of the most incompetent organizations on Earth, one whose networks are supposedly too old to secure, in charge of computer security? What could go wrong!

This is the problem with letting people who are clueless about a subject talk seriously about regulating it. I’ll at least give Mr. Lieu some credit for having a degree that involves computers. But a computer science degree alone doesn’t make one an expert in computer security and, as far as I know, Mr. Lieu didn’t work in the industry so his knowledge on the subject, if he has any, is likely entirely theoretical.

But we live in a democracy, which means that whatever the plurality of voters, in this case members of Congress, say is literally law. It doesn’t matter how unqualified the voters are. It doesn’t matter how idiotic the idea being voted on is. The only thing that matters is whether the majority of voters say yea or nay.

Political Solutions Don’t Work

A lot of people here in the United States are flipping out because the rulers are voting to allow Internet Service Providers (ISP) to sell customer usage data:

A US House committee is set to vote today on whether to kill privacy rules that would prevent internet service providers (ISPs) from selling users’ web browsing histories and app usage histories to advertisers. Planned protections, proposed by the Federal Communications Commission (FCC) that would have forced ISPs to get people’s consent before hawking their data – are now at risk. Here’s why it matters.

It amazes me that more people seem to be upset about private companies selling their usage information for profit than about those companies providing their usage data to law enforcers so the wrath of the State’s judicial system can be brought upon them. Personally, I’m far more concerned about the latter than the former. But I digress.

This vote demonstrates the futility of political solutions. At one point the privacy laws were put into place by the State. The process of getting those laws put into place probably involved a lot of begging and kowtowing from the serfs. But Congress and the presidency have been shuffled around and the new masters disagree with what the former masters did so all of that begging and kowtowing was for nothing.

The problem with political solutions is that they’re temporary. Even if you can get the current Congress and president to pass laws that will solve your particular problems, it’s only a matter of time until Congress and the presidency changes hands and undoes the laws you begged so hard to have passed.

If you want a problem solved you have to solve it yourself. In the case of Internet privacy, the best defense against snoopy ISPs is to utilize a foreign Virtual Private Network (VPN) provider that respects your privacy and is in a country that is difficult for domestic law enforcement to coerce. Using a VPN will deprive your ISP, and by extension domestic law enforcement, of your usage data.

Facebook Wants You to Be Part of the Problem

Anybody who was using Facebook during the presidential election probably remembers being encouraged to go to the polls so they could force their will upon their fellow human beings. Facebook wasn’t content with encouraging bad behavior for just the presidential election though. Now it’s planning to harass you about local elections:

Facebook isn’t limiting its get-out-the-vote initiatives to federal elections. The social network is now offering reminders to vote in local US elections, whether they’re at the county, municipal or state level. You’ll see these notices as long as you’re in an area with over 10,000 people, and they’ll include primaries in addition to general elections. It could be crucial to spurring interest in frequently neglected regional elections, especially in tandem with Facebook’s officially launched Town Hall feature.

Facebook wants you to be part of the problem and that problem is forcing your will upon other people.

Voting is sacred in this country. If you speak ill of it the State’s true believers will descend upon you like starving hyenas. They’ll spout bullshit about voting being the peaceful way to implement change but it’s not peaceful. Voting is very violent. When you vote you are telling the State that you would greatly appreciate it if it used its capacity for violence to enforce your desires. It’s like hiring a thug to beat the shit out of people who aren’t doing what you want them to do except you’re making everybody pay for your thug.

This chunk of land called the United States of America probably wouldn’t be half bad if people weren’t so busy threatening each other with votes. But they are and it has turned this chunk of land into a festering shithole. If you really want to implement change, stop being part of the problem.

Living Under a Criminal Enterprise

Will you look at that, it’s a day ending in “y.” You know what that means, right? It means another Internet scam is afoot! This time the scam involves a flaw in Mobile Safari that was just patched yesterday:

The flaw involved the way that Safari displayed JavaScript pop-up windows. In a blog post published Monday afternoon, researchers from mobile-security provider Lookout described how exploit code surreptitiously planted on multiple websites caused an endless loop of windows to be displayed in a way that prevented the browser from being used. The attacker websites posed as law-enforcement actions and falsely claimed that the only way users could regain use of their browser was to pay a fine in the form of an iTunes gift card code to be delivered by text message. In fact, recovering from the pop-up loop was as easy as going into the device settings and clearing the browser cache. This simple fix was possibly lost on some uninformed targets who were too uncomfortable to ask for outside help.

Patch your shit, folks.

I had a friend comment that he couldn’t believe that anybody would be stupid enough to fall for this since law enforcement would never hijack a phone and demand payment in iTunes gift cards. Although demanding payment in iTunes gift cards would be unusual for law enforcement, the actions being taken by the scammers aren’t that different from many actions taken by law enforcement. The scammers used a threat in order to extort wealth from their victim just as law enforcement agents do. When people have lived their entire lives worrying about being pulled over and threatened with violence if they don’t pay a fine for driving too fast or, worse yet, having their vehicle and cash confiscated under civil forfeiture laws, the idea that police officers would hijack your browser and demand payment probably doesn’t seem that odd.

We all live under a massive criminal enterprise known as the State. It has taught us that being extorted is just a way of life. With that in mind, it’s not too surprising to me that there are people who fall for these kinds of scams.