Apple Tells The Feds To Pound Sand

The technology industry has a long history of being run by antiauthoritarians who bark a lot but roll over as soon as Uncle Sam commands it. This has led to a great deal of disappointment for me. Fortunately, after the Edward Snowden leaks, some technology companies have started developing a bit of a spine.

Yesterday a robed one in a courtroom commanded Apple to produce a custom firmware that would allow the Federal Bureau of Investigation (FBI) to more easily brute force the passcode on a suspect’s iPhone:

On Tuesday, a federal judge in Riverside, California, ordered Apple to help the government unlock and decrypt the iPhone 5C used by Syed Rizwan Farook, who shot up an office party in a terrorist attack in nearby San Bernardino in December 2015.

Specifically, United States Magistrate Judge Sheri Pym mandated that Apple provide the FBI a custom firmware file, known as an IPSW file, that would likely enable investigators to brute force the passcode lockout currently on the phone, which is running iOS 9.

By issuing this order Judge Pym openly stated that he believes Apple is a slave to the federal government and therefore can be forced to perform labor against its will. This is the point where a lot of technology companies would simply roll over and accept their place. Apple has decided it doesn’t want to play ball:

The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand.

[…]

Rather than asking for legislative action through Congress, the FBI is proposing an unprecedented use of the All Writs Act of 1789 to justify an expansion of its authority.

The government would have us remove security features and add new capabilities to the operating system, allowing a passcode to be input electronically. This would make it easier to unlock an iPhone by “brute force,” trying thousands or millions of combinations with the speed of a modern computer.

The implications of the government’s demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.

Opposing this order is not something we take lightly. We feel we must speak up in the face of what we see as an overreach by the U.S. government.

It will be interesting to see how far Apple can go in resisting this order but even if it does end up folding under the threat of government guns I want to give the company a hell of a lot of credit for this.

As Apple’s letter notes, this ruling has consequences far greater than this case alone. First, it would set a precedent that everybody is little more than a slave to the robed overlords of the courtrooms. Second, it would introduce an officially signed firmware that is purposely weakened to allow law enforcers to bypass built-in security mechanisms.

The first consequence isn’t anything new since the State has always viewed the people as slaves. But the second consequence is severe. I’m sure the FBI has pinky sworn that it will never use this firmware again but anybody familiar with the agency’s history knows such a promise will be broken. And the state of the federal government’s network security means this custom firmware will almost certainly end up online at some point. Then it will be available to nongovernmental terrorists, domestic abusers, and other violent individuals with a vested interest in snooping on their targets.

Whether you like Apple or not, I believe the company deserves a lot of credit for this. I hope it inspires other companies to follow suit.

Everything Is Better With Internet Connectivity

I straddle that fine line between an obsessive love of everything technologically advanced and a curmudgeonly attitude that results in me asking why new products ever see the light of day. The Internet of Things (IoT) trend has really put me in a bad place. There are a lot of new “smart” devices that I want to like but they’re so poorly executed that I end up hating their existence. Then there are the products I can’t fathom on any level. This is one of those:

Fisher-Price’s “Smart Toys” are a line of digital stuffed animals, like teddy bears, that are connected to the Internet in order to offer personalized learning activities. Aimed at kids aged 3 to 8, the toys actually adapt to children to figure out their favorite activities. They also use a combination of image and voice recognition to identify the child’s voice and to read “smart cards,” which kick off the various games and adventures.

According to a report released today by security researchers at Rapid7, these Smart Toys could have been compromised by hackers who wanted to take advantage of weaknesses in the underlying software. Specifically, the problem was that the platform’s web service (API) calls were not appropriately verifying the sender of messages, meaning an attacker could have sent requests that should not otherwise have been authorized.

I’m sure somebody can enlighten me on the appeal of Internet connected stuffed animals but I can only imagine these products being the outcome of some high level manager telling a poor underling to “Cloud enable our toys!” In all likelihood no specialists were brought in to properly implement the Internet connectivity features so Fisher-Price ended up releasing a prepackaged network vulnerability. Herein lies the problem with the IoT. Seemingly every company has become entirely obsessed with Internet enabled products but few of them know enough to know that they don’t know what they’re doing. This is creating an Internet of Bad Ideas.

There’s no reason the IoT has to be this way. Companies can bring in people with the knowledge to implement Internet connectivity correctly. But they’re not. Some will inevitably blame each company’s desire to keep overhead as low as possible but I think the biggest part of the problem may be rooted in ignorance. Most of these companies know they want to “cloud enable” their products to capitalize on the new hotness but are so ignorant about network connectivity that they don’t even know they’re ignorant.
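
An added example (not from the Rapid7 report and not Fisher-Price’s code) of the check the report found missing: the weak handler trusts whatever record a message names, while the hardened one verifies the sender and confirms the sender owns the record. The account names, profile ids, token format and handler names are all hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Server-side secret used to sign tokens; it never leaves the server.
SERVER_KEY = secrets.token_bytes(32)

# Constructed sample data: which account owns which toy profile.
PROFILES = {
    "toy-1001": {"owner": "parent-a", "child_name": "Sam"},
    "toy-1002": {"owner": "parent-b", "child_name": "Riley"},
}


def _tag(account_id: str) -> str:
    return hmac.new(SERVER_KEY, account_id.encode(), hashlib.sha256).hexdigest()


def issue_token(account_id: str) -> str:
    """Token handed to a client after login: account id plus an HMAC tag."""
    return f"{account_id}.{_tag(account_id)}"


def authenticate(token: str) -> Optional[str]:
    """Return the account id if the token's tag verifies, else None."""
    account_id, sep, tag = token.rpartition(".")
    if not sep:
        return None
    # Constant-time comparison on bytes, so odd input cannot raise.
    if hmac.compare_digest(tag.encode(), _tag(account_id).encode()):
        return account_id
    return None


def get_profile_unchecked(request: dict) -> Tuple[int, dict]:
    """Weak form: never asks who sent the message."""
    profile = PROFILES.get(request.get("profile_id"))
    if profile is None:
        return 404, {}
    return 200, profile


def get_profile_checked(request: dict) -> Tuple[int, dict]:
    """Hardened form: verify the sender, then verify ownership."""
    account_id = authenticate(request.get("token", ""))
    if account_id is None:
        return 401, {}
    profile = PROFILES.get(request.get("profile_id"))
    # Same answer for "missing" and "not yours" so ids cannot be enumerated.
    if profile is None or profile["owner"] != account_id:
        return 404, {}
    return 200, profile


if __name__ == "__main__":
    token_a = issue_token("parent-a")
    other = {"profile_id": "toy-1002", "token": token_a}
    print("unchecked:", get_profile_unchecked(other))
    print("checked:  ", get_profile_checked(other))
```

The ownership test belongs on the server for every call; a client that only shows the user their own records is not a control.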

Even An Air Gap Won’t Save You

Security is a fascinating field that is in a constant state of evolution. When new defenses are created new attackers follow and vice versa. One security measure some people take is to create and store their cryptography keys on a computer that isn’t attached to any network. This is known as an air gap and is a pretty solid security measure if implemented correctly (which is harder than most people realize). But even air gaps can be remotely exploited under the right circumstances:

In recent years, air-gapped computers, which are disconnected from the internet so hackers can not remotely access their contents, have become a regular target for security researchers. Now, researchers from Tel Aviv University and Technion have gone a step further than past efforts, and found a way to steal data from air-gapped machines while their equipment is in another room.

“By measuring the target’s electromagnetic emanations, the attack extracts the secret decryption key within seconds, from a target located in an adjacent room across a wall,” Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran Tromer write in a recently published paper. The research will be presented at the upcoming RSA Conference on March 3.

It needs to be stated up front that this attack requires a tightly controlled environment so isn’t yet practical for common real world exploitation. But attacks only improve over time so it’s possible this attack will become more practical with further research. Some may decry this as the end of computer security, because that’s what people commonly do when new exploits are created, but it will simply cause countermeasures to be implemented. Air gapped machines may be operated in a Faraday cage or computer manufacturers may improve casings to better control electromagnetic emissions.

This is just another chapter in the never ending saga of security. And it’s a damn impressive chapter no matter how you look at it.

You Can’t Stop The Signal

What would happen if the United States government passed a bill mandating the inclusion of backdoors in cryptographic algorithms? Not much. The politicians in Washington DC, like many denizens of this nation, forget that there is an entire world outside of this nation’s borders. A recent report put together by actual security experts shows that any domestic laws hindering encryption will be futile because a lot of cryptography software comes from abroad:

An estimated 63 percent of the encryption products available today are developed outside US borders, according to a new report that takes a firm stance against the kinds of mandated backdoors some federal officials have contended are crucial to ensuring national security.

The report, prepared by security researchers Bruce Schneier, Kathleen Seidel, and Saranya Vijayakumar, identified 865 hardware or software products from 55 countries that incorporate encryption. Of them, 546 originated from outside the US. The most common non-US country was Germany, a country that has publicly disavowed the kinds of backdoors advocated by FBI Director James Comey and other US officials. Although the Obama administration is no longer asking Congress for legislation requiring them, it continues to lobby private industry to include ways law enforcement agencies can decrypt encrypted data sent or stored by criminal or terrorism suspects.

We’re told that mandatory backdoors are necessary to make the lives of law enforcers easier. But passing a law mandating backdoors in systems that utilize cryptography would only affect domestic companies. Most devices are manufactured outside of the United States. Any law mandating ineffective cryptography would only apply to domestic devices, which means the mandated backdoors would likely only be included in devices meant for sale in the United States. That means avoiding a purposely weakened device would be as simple as ordering it from a foreign reseller.

Most of the boogeymen the politicians point to to justify mandating backdoors are primarily based in foreign countries. The terrorist and sex trafficking organizations are already buying their communication equipment outside of the United States so they will be entirely unaffected by any new domestic laws. Furthermore, being criminal organizations, nothing will change for them since they’re already breaking numerous laws.

At most a mandatory backdoor law will put the denizens here, at least those dumb enough to continue buying domestic devices, at risk of being exploited by domestic and foreign governments as well as malware producers.

Freely Accessing Scientific Publications Behind A Paywall

On the one hand we’re told that pure science can only be performed under the “neutrality” of government funding while on the other hand we’re told the research we were forced to fund isn’t ours to access. Having to pay to access research papers that I was forced to fund has been a pet peeve of mine since college. Even though I enjoyed free access to most scientific papers in college the simple fact that I would lose that access as soon as I graduated really rubbed me the wrong way. Fortunately I’m not alone. A group of people have developed a service aimed at pirating scientific research papers:

Sci-Hub uses university networks to access subscription-only academic papers, generally without the knowledge of the academic institutions. When a user asks Sci-Hub to access a paid article, the service will download it from a university that subscribes to the database that owns it. As it delivers the user a pdf of the requested article, it also saves a copy on its own server, so that next time someone requests the paper, they can download the cached version.

Unsurprisingly, Elbakyan’s project has drawn the ire of publishers. Last year, Elsevier sued Sci-Hub and an associated website called Library Genesis for violating its copyright. The two websites “operate an international network of piracy and copyright infringement by circumventing legal and authorized means of access to the ScienceDirect database,” Elsevier’s lawyers wrote in a court filing, referring to the company’s subscription database.

[…]

But even if the new domain gets shut down, too, Sci-Hub will still be accessible on the dark web, a part of the Internet often associated with drugs, weapons, and child porn. Like its seedy dark-web neighbors, the Sci-Hub site is accessible only through Tor, a network of computers that passes web requests through a randomized series of servers in order to preserve visitors’ anonymity.

Sci-Hub can be accessed via the normal Internet here and via Tor here. That second link is important to have since Sci-Hub was already shut down once. While it’s feasible for the State to censor the normal Internet it’s not feasible for it to censor Tor hidden services since there is no centralized name server to threaten.

I don’t hide my opposition to intellectual property in all forms but I especially detest copyright applying to criminally funded research. A thief should make reparations to right the wrong they have caused so the only way to right the wrong of the State stealing money to fund favored researchers is to make the findings of their research freely available to everybody.

Using Technology To Avoid The Morality Police

As with every other government on the planet, Iran has a body of law enforcers whose primary job is to exploit wealth from the general populace. Just as in the United States, many of the laws in Iran are based around morality. For example, if your manner of dress is deemed inappropriate the law enforcers have an excuse to expropriate wealth from you. The natural tendency of an exploited people is to find a way to avoid as much exploitation as possible. To that end a group of Iranian developers have created an app to help their fellows avoid the morality police:

Ershad’s mobile checkpoints which usually consist of a van, a few bearded men and one or two women in black chadors, are deployed in towns across Iran and appear with no notice.

Ershad personnel have a very extensive list of powers ranging from issuing warnings and forcing those they accuse of violating Iran’s Islamic code of conduct, to make a written statement pledging to never do so again, to fines or even prosecuting offenders.

The new phone app which is called “Gershad” (probably meaning get around Ershad instead of facing them) however, will alert users to checkpoints and help them to avoid them by choosing a different route.

The data for the app is crowdsourced. It relies on users to point out the location of the Ershad vans on maps and when a sufficient number of users point out the same point, an alert will show up on the map for other users. When the number decreases, the alert will fade gradually from the map.

Gershad sounds a lot like Waze, which is a traffic app that lets you report, amongst other things, police. Both are amongst the family of applications that allow the people to fight back against the State. Through crowdsourcing the much larger population of exploited individuals can enjoy a major information advantage over the State. As they used to say at the end of each episode of G.I. Joe, knowing is half the battle.

It’s easy to fall into the trap of believing the State, because of its sheer power, is an undefeatable foe. In reality the State is greatly disadvantaged by the fact it is massively outnumbered. Being a bureaucracy it is also much slower to adapt to changes than the general population. Those two facts combined mean the State will always lose in the long run. By the time the Ershad adapt to this application a countermeasure to its adaptations will almost certainly already be in place.

Rules Are Different For The King’s Men

When the Federal Bureau of Investigation (FBI) breaks into 1,300 computers with a single, vaguely written warrant it’s labeled justice. But when somebody breaks into the FBI’s computers it’s labeled criminal:

A hacker, who wishes to remain anonymous, plans to dump the apparent names, job titles, email addresses and phone numbers of over 20,000 supposed Federal Bureau of Investigation (FBI) employees, as well as over 9,000 alleged Department of Homeland Security (DHS) employees, Motherboard has learned.

The hacker also claims to have downloaded hundreds of gigabytes of data from a Department of Justice (DOJ) computer, although that data has not been published.

This is something that fascinates me about statism. It relies on the belief that humans are inherently bad and that the only solution is to absolve a handful of those humans of any responsibilities for their actions so they can control the rest.

A lot of people are willing to give the FBI a pass in breaking into 1,300 computers because the operation was dealing with combating child pornography. While I detest child pornography I also detest throwing due process out the window whenever it becomes inconvenient. There’s no way the FBI could know that all 1,300 computers it broke into were involved in the child pornography site. Not every visitor to a site is a user. Sometimes people are tricked into visiting a site, sometimes they’re curious if a site is actually as terrible as people are claiming (and often report sites containing illegal content to law enforcers if they find those claims to be true), etc. Due process involves identifying suspects based on evidence and investigating them specifically.

Further compounding the issue is the fact the FBI was knowingly distributing child pornography from its own servers. The agency was quite literally doing the exact same thing it was supposedly trying to stop.

Yet many people are calling what the FBI did justice while labeling what the hacker did as criminal.

Detecting Wrongthink Early

1984 taking place in London was very appropriate. The United Kingdom (UK) has become the granddaddy of the surveillance state. Surveilling an entire nation isn’t easy, which is why the UK, like every other surveillance state, is desperately searching for new ways to automate its activities. I’m sure that desperation is what led to this idiocy:

London, United Kingdom – Schoolchildren in the UK who search for words such as “caliphate” and the names of Muslim political activists on classroom computers risk being flagged as potential supporters of terrorism by monitoring software being marketed to teachers to help them spot students at risk of radicalisation.

The “radicalisation keywords” library has been developed by the software company Impero as an add-on to its existing Education Pro digital classroom management tool to help schools comply with new duties requiring them to monitor children for “extremism”, as part of the government’s Prevent counterterrorism strategy.

[…]

The keywords list, which was developed in collaboration with the Quilliam Foundation, a counter-extremism organisation that is closely aligned with the government, consists of more than 1,000 trigger terms including “apostate”, “jihadi” and “Islamism”, and accompanying definitions.

I’m not sure if schools in the UK have deteriorated as far as the schools here but if they haven’t then it’s quite plausible that many of the keywords being looked for would appear quite frequently in a history class. What’s more interesting is that the keywords don’t seem to so much be targeting terrorism as Islam.

It must be noted that using keywords to detect wrongthink is a fruitless endeavor. Because terrorism is currently the biggest target of the State’s propaganda it is a topic of general interest. A lot of people searching for keywords related to terrorism aren’t interested in becoming terrorists but merely want to learn about events related to terrorism. The number of false positives such a system will throw out is going to be far greater than any potentially useful information. Drowning out the signal in noise is counterproductive but it seems to be the strategy most automated surveillance systems rely on.
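
An added example, not Impero’s software, that runs four of the trigger terms quoted above over constructed classroom searches and then works out what share of alerts would point at a genuine case. The queries and all three rates are assumptions chosen for illustration.

```python
import re

# Four of the trigger terms quoted in the article; the full list is not public here.
KEYWORDS = ["caliphate", "apostate", "jihadi", "islamism"]
PATTERN = re.compile(
    r"\b(" + "|".join(re.escape(k) for k in KEYWORDS) + r")\b", re.IGNORECASE
)

# Constructed classroom searches (not real monitoring data). All are coursework.
QUERIES = [
    "abbasid caliphate timeline year 8 history",
    "what does apostate mean in religious studies",
    "news report jihadi group explained for students",
    "difference between islam and islamism essay",
    "photosynthesis light reaction diagram",
]


def flagged(queries):
    """Return the queries a plain keyword matcher would alert on."""
    return [q for q in queries if PATTERN.search(q)]


def alert_precision(base_rate, hit_rate, false_alarm_rate):
    """Share of alerts that are genuine cases, by Bayes' rule.

    base_rate        -- fraction of pupils who are genuine cases
    hit_rate         -- fraction of genuine cases that trigger an alert
    false_alarm_rate -- fraction of everyone else that triggers an alert
    """
    true_alerts = base_rate * hit_rate
    false_alerts = (1.0 - base_rate) * false_alarm_rate
    return true_alerts / (true_alerts + false_alerts)


def alerts_per_genuine_case(base_rate, hit_rate, false_alarm_rate):
    """How many alerts staff must review to find one genuine case."""
    return 1.0 / alert_precision(base_rate, hit_rate, false_alarm_rate)


# Assumed rates: 1 genuine case per 100,000 pupils, a matcher that catches
# 90% of them, and 2% of ordinary pupils typing a trigger term.
ASSUMED = dict(base_rate=1e-5, hit_rate=0.9, false_alarm_rate=0.02)

if __name__ == "__main__":
    hits = flagged(QUERIES)
    print(f"{len(hits)} of {len(QUERIES)} coursework searches flagged")
    print(f"precision: {alert_precision(**ASSUMED):.5f}")
    print(f"alerts per genuine case: {alerts_per_genuine_case(**ASSUMED):.0f}")
```

Under these assumed rates fewer than one alert in two thousand is genuine, and tightening the keyword list does not help much because the base rate, not the matcher, dominates the result.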

The Next Stage In 3D Printed Firearms

Proving once again that technology overcomes legal restrictions, a new stage in 3D printed firearms has been reached. Instead of a single shot pistol that’s difficult to reload we now have a 3D printed semiautomatic 9mm handgun:

Last weekend a 47-year-old West Virginia carpenter who goes by the pseudonym Derwood released the first video of what he calls the Shuty-MP1, a “mostly” 3-D printed semi-automatic firearm. Like any semi-automatic weapon, Derwood’s creation can fire an actual magazine of ammunition—in this case 9mm rounds—ejecting spent casings one by one and loading a new round into its chamber with every trigger pull. But unlike the typical steel semi-automatic rifle, Derwood says close to “95 percent” of his creation is 3-D printed in cheap PLA plastic, from its bolt to the magazine to the upper and lower receivers that make up the gun’s body.

Here’s a video of it firing:

As the article notes, the gun isn’t perfect. The plastic around the barrel apparently starts to melt after firing 18 rounds if sufficient cooling time isn’t given. But the pace at which 3D printed firearms are evolving is staggering. In a few short years we’ve gone from the single shot Liberator pistol to a fully functional semiautomatic pistol. It won’t be long until practical 3D printed firearms are designed.

What does this mean? It means prohibitions against firearms are less relevant. Prohibiting something that any schmuck can make in their home isn’t possible. Alcohol prohibition and the current war on drugs have proven that.

Building A Mesh Network In New York City

One of the biggest weaknesses of today’s Internet is its reliance on centralized providers. Getting Internet access at home usually requires signing up with one of the few, if you’re even lucky to have more than one, Internet service providers (ISPs). In my area, for example, the only real options are Comcast or CenturyLink. CenturyLink only offers digital subscriber line (DSL) services so the only actual option for me, assuming I want access speeds above 1Mbps, is Comcast. My situation isn’t unique. In fact it’s the norm.

The problems with highly centralized systems such as this are numerous, especially when you consider how cozy most ISPs are with the State. Censorship and surveillance are made much easier when a system is centralized. Instead of having to deal with a bunch of individuals to censor or surveil Internet users the State only has to make a few sweetheart deals with the handful of ISPs. Another issue with heavily centralized systems is that users are at a severe disadvantage. The entire debate surrounding net neutrality is really only an issue because so little competition exists in the Internet provision market. If Comcast wants to block access to Netflix unless I pay an additional fee there really isn’t much I can do about it.

Many consider this nightmare proof that the market has failed. But such accusations are nonsense because the market isn’t at work here. The reason so little competition exists in the Internet provision market is because the State protects current ISPs from competition. It’s too easy for a massive regulatory entity such as the State to put its boot down on the face of centralized service providers.

Does all this mean an uncensored, secured Internet is impossible to achieve? Not at all. The trick is to move away from easily identified centralized providers. If, for example, every Internet user was also a provider it would make it practically impossible for the State to effectively control it. That’s what mesh networks can offer and the idea is becoming more popular every day. Denizens of New York City have jumped onboard the mesh network bandwagon and are trying to make local ISPs irrelevant:

The internet may feel free, but it certainly isn’t. The only way for most people to get it is through a giant corporation like Comcast or Time Warner Cable, companies that choke your access and charge exorbitant prices.

In New York City, a group of activists and volunteers called NYC Mesh are trying to take back the internet. They’re building something called a mesh network — a makeshift system that provides internet access. Their goal is to make TWC totally irrelevant.

The hardest part about establishing a mesh network is achieving critical mass. A mesh network needs a decent number of nodes to begin being truly useful. That’s why it makes sense to start building mesh networks in very densely populated areas such as New York City. If the necessary critical mass is achieved in a few major metropolitan areas it will become feasible to bypass centralized ISPs by connecting various regional mesh networks together.

Looking at NYC Mesh’s map of active nodes it seems like they’ve already established pretty decent coverage considering the organization has only been around since January of 2014. If they can keep up this pace they could soon become a viable alternative to local centralized ISPs.