Technology – Page 47 – A Geek With Guns

Advances In Technology Creates New Markets Which Creates New Jobs Which Creates New Wealth

One of the most idiotic claims I hear, usually from members of the labor movement, is that automation is taking American jobs. They get made when I use self-checkout kiosks at the grocery store because they think that mindless machine is eliminating a human worker permanently. Ironically they rant at me as they’re demanding the minimum wage be increased. If anything encourages a business owner to seek a way to automate labor it’s forcing them to pay a laborer more than they make for the company. Another irony is they often post their rants online using a machine that has done more to wipe out manual labor than anything else.

Here’s the thing, when automation obsoletes human labor the people who are displaced aren’t eliminated from the workforce forever. Us humans are adaptable. In fact we wouldn’t be the dominant species on this planet if we weren’t. When our set of skills is obsoleted by automation we can learn new skills. In fact the replacement of human labor by automation has lead to the increase in the number of skills needed and therefore the number of laborers needed. That’s right, technology has actually created more jobs than it has destroyed:

In the 1800s it was the Luddites smashing weaving machines. These days retail staff worry about automatic checkouts. Sooner or later taxi drivers will be fretting over self-driving cars.

The battle between man and machines goes back centuries. Are they taking our jobs? Or are they merely easing our workload?

A study by economists at the consultancy Deloitte seeks to shed new light on the relationship between jobs and the rise of technology by trawling through census data for England and Wales going back to 1871.

Their conclusion is unremittingly cheerful: rather than destroying jobs, technology has been a “great job-creating machine”. Findings by Deloitte such as a fourfold rise in bar staff since the 1950s or a surge in the number of hairdressers this century suggest to the authors that technology has increased spending power, therefore creating new demand and new jobs.

Their study, shortlisted for the Society of Business Economists’ Rybczynski prize, argues that the debate has been skewed towards the job-destroying effects of technological change, which are more easily observed than than its creative aspects.

Computers may have eliminated the need for most secretarial labor but it created the need for hardware developers, programmers, technical support specialists, network engineers, and a ton of other jobs that exist only because computers are now pervasive throughout our society.

Automation is a wonderful thing. It creates more wealth that can be invested in more ventures that employs more people. Librarians well-versed in the Dewey Decimal Classification system may not be in high demand anymore but Google, Microsoft, and DuckDuckGo have employed a lot of people to build, improve, and maintain their search engines. In addition to creating those jobs automation also lead to entirely new markets. Data mining, for example, wouldn’t exist if massive amounts of searchable data didn’t.

3D printing is an emerging technology that stands to replace a lot of human labor in manufacturing. But it also stands to open up markets for improving 3D printer technology, material engineering for 3D printers, engineering goods so they can be more easily manufactured with 3D printers, designing 3D models to print, etc.

Advances in technology creates new markets which creates new jobs which creates new wealth which leads to advances in technology. It’s a beautiful cycle of creation. The people who claim automation eliminates jobs are bloody idiots. Automation creates new jobs.

CryptoParty On August 30th

I don’t have much for you today because I spend my evening at a meeting hammering out the final details of an upcoming CryptoParty. On August 30_th CryptoPartyMN will be hosting a CryptoParty at the Hack Factory. We’re still figuring out a few final details but we will be discussing public-private key cryptography, Off-the-Record (OTR) messaging, full disk encryption, and Tor for certain. We may cover other topics as time permits.

For those who don’t know these events are meant to be hands-on. You bring your laptops, tablets, and phones and learn how to utilize secure communication tools. Hopefully I’ll see a few of you there.

You Have Something To Hide Even If you Don’t Do Anything Illegal

The federal government’s non-military networks are a mess, which is why attackers have been focusing their efforts on hacking them. One of the agencies bitten in the ass was the Internal Revenue Service (IRS). Personal information for 100,000 people was leaked through one of the IRS’s online services. I’m sorry, did I say 100,000? I meant 334,000:

WASHINGTON (AP) — A computer breach at the IRS in which thieves stole tax information from thousands of taxpayers is much bigger than the agency originally disclosed.

An additional 220,000 potential victims had information stolen from an IRS website as part of a sophisticated scheme to use stolen identities to claim fraudulent tax refunds, the IRS said Monday. The revelation more than doubles the total number of potential victims, to 334,000.

The breach also started earlier than investigators initially thought. The tax agency first disclosed the breach in May.

The thieves accessed a system called “Get Transcript,” where taxpayers can get tax returns and other filings from previous years. In order to access the information, the thieves cleared a security screen that required knowledge about the taxpayer, including Social Security number, date of birth, tax filing status and street address, the IRS said.

We again see why even if you have nothing to hide you have plenty to worry about. You may not have done anything wrong, although that’s highly improbable, but any data collected on you can easily wind up in the wrong hands. In this case Social Security numbers, birth dates, street addresses, and tax filing statuses for 334,000 people ended up in unknown hands. Had that data not been collected in the first place it wouldn’t have been available to steal.

Manufacturer Included Malware

When we buy a computer we are necessarily trusting the manufacturer to some extent. One of the things we trust the manufacturer to do is deliver a system free of malware. This trust isn’t always properly placed since many manufacturers include a lot of software that is indistinguishable from malware but we usually trust the manufacturer to not make that malware persistent. What happens when the manufacturer not only includes malware but also makes it so persistent that a clean installation of Windows won’t remove it?

Windows 8 and Windows 10 contain a surprising feature that many users will find unwelcome: PC OEMs can embed a Windows executable in their system firmware. Windows 8 and 10 will then extract this executable during boot time and run it automatically. In this way, the OEM can inject software onto a Windows machine even if the operating system was cleanly installed.

The good news is that most OEMs fortunately do not seem to take advantage of this feature. The bad news is that “most” is not “all.” Between October 2014 and April of this year, Lenovo used this feature to preinstall software onto certain Lenovo desktop and laptop systems, calling the feature the “Lenovo Service Engine.”

[…]

Making this rather worse is that LSE and/or OKO appear to be insecure. Security issues, including buffer overflows and insecure network connections, were reported to Lenovo and Microsoft by researcher Roel Schouwenberg in April. In response, Lenovo has stopped including LSE on new systems (the company says that systems built since June should be clean). It has provided firmware updates for affected laptops and issued instructions on how to disable the option on desktops and clean up the LSE files.

This is an example of a manufacturer using a legitimate feature for nefarious purposes. The feature, as far as Microsoft intended it, was meant to be an anti-theft measure:

And in its own awful way, it’s a feature that makes sense. The underlying mechanism is simple enough; the firmware constructs tables of system information when the machine boots. The operating system then examines these tables to, for example, learn what hardware is installed in the machine and how it is connected. This is all governed by a specification called ACPI, Advanced Configuration and Power Interface. Microsoft defined a new ACPI table, the Windows Platform Binary Table (WPBT), that contains information about a firmware-embedded executable. When it boots, Windows looks for a WPBT. If it finds one, it copies the executable onto the filesystem and runs it.

The primary purpose of WPBT is the automatic installation of anti-theft software. This kind of software typically does a couple of things that require online connectivity: it can phone home to check if it’s been reported stolen (and brick or otherwise disable itself if it has), and it can phone home to simply report where it is to aid recovery of lost or stolen hardware.

Instead Lenovo used it to ensure the pre-install software that comes with the laptop, which was insecure, would always be installed even if the user did a clean install with a Windows disc. That’s pretty scummy behavior. Fortunately Lenovo appears to have stopped doing this but trust, as far as I’m concerned, has already been breached.

Another Infected Ad Network, Another Reason To Use An Ad Blocker

As many website publishers whine about ad blockers destroying their revenue source we have yet another story demonstrating that ad blockers are actually security tools. Another ad network was exploited and the exploit lead to malware being distributed to visitors of the Drudge Report (which, in addition to delivering malware, also delivers brain cancer to visitors) and Wundergorund:

Millions of people visiting drudgereport.com, wunderground.com, and other popular websites were exposed to attacks that can surreptitiously hijack their computers, thanks to maliciously manipulated ads that exploit vulnerabilities in Adobe Flash and other browsing software, researchers said.

The malvertising campaign worked by inserting malicious code into ads distributed by AdSpirit.de, a network that delivers ads to Drudge, Wunderground, and other third-party websites, according to a post published Thursday by researchers from security firm Malwarebytes. The ads, in turn, exploited security vulnerabilities in widely used browsers and browser plugins that install malware on end-user computers. The criminals behind the campaign previously carried out a similar attack on Yahoo’s ad network, exposing millions more people to the same drive-by attacks.

There are really two lessons to learn from this story. First, run an ad blocker. Second, uninstall Adobe Flash. But some people are unwilling to do the latter so they, even more than the rest of us, need to run a good ad blocker.

Personally I recommend using a tool such as NoScript to block all JavaScript from domains that haven’t been expressly white listed. But that’s a pain in the ass for many people and ad blockers act as a nice middle ground that blocks most of the crap but don’t require a lot of fine tuning to utilize.

Cat And Mouse Game

Since they want to revolutionize the world you would think libertarians would be hard to beat down. But so many of them, at least in my experience, are willing to roll over if the alternative requires too much work. Computer security is one of those things that tend to require too much work for the average libertarian.

Libertarianism is about wrestling power away from the state. One way of doing this is exploiting economics. The more resources you can make the state misallocate the less it will available for maintaining and expanding its power. That being the case cryptography should be every libertairans best friend. Cryptography, even when it’s not entirely effective, still forces the state to allocate more resources into its surveillance apparatus. Even data secured with weak cryptography requires more effort to snoop than plaintext data. When you start using effective cryptography the amount of resources you force the state to invest increased greatly.

Learning how to use cryptographic tools requires quite a bit of initial effort. Instead of investing their time into learning these tools a lot of libertarians invest their time in creating excuses to justify not learning these tools. One of the excuses I hear frequently is that current cryptographic tools will be broken in a few years anyways.

It’s certainly possible but that’s not an excuse. Cryptography is a cat and mouse game. As cryptographic tools improve the tools used to break them need to improve and as those tools improve cryptographic tools need to improve again. In keeping with the theme I established above the key to this cycle is that the tools to break cryptography need to improve as cryptography improves. In other words adopting better cryptography forces the state to allocate more of its resources into improving its tools to break cryptography. Using effective cryptography today forces the state to invest resources today. If you don’t use it the state doesn’t have to invest resources to break it and therefore has more resources to solidify its power further.

Libertarians have to accept the fact that they’re in a big cat and mouse game anyways. As libertarians work to seize power from the state the state develops new ways to maintain its power. Surveillance is one way it maintains its power and effective cryptography turns it into a cat and mouse game instead of a mouse and mousetrap game. So stop making excuses and start learning about these tools.

You Can Catch A Hacker

I dissuade people from harassing other people. Not only is it morally repugnant to me but it’s also a waste of time that could be spent doing something beneficial. But some people have a deep-seated need to be complete assholes. This has lead to endless headaches for website administrators. Fortunately most of these assholes aren’t the sharpest tools in the shed and vastly overestimate their ability and underestimate their targets’ inability to retaliate. One of these assholes had instigated multiple swatting incidents and thought he couldn’t be caught because he was a “hacker.” Kids, what you’re going to read here is an example of how not to opsec:

In April 2015, after months of harassing Marshall Public Schools officials and pulling off swatting attacks in the area, Morgenstern called a public resources officer assigned to Marshall High School and left a voicemail saying that it was “not possible” for him to be caught. Why? Well, he was a “hacker,” and as everyone knows, “you can’t catch a hacker.”

He continued his eloquent rant: “You’re a fat fucking lesbian. I want to kill your family, I want to kill your family, I want to make you watch me kill your family. I am going to call a bomb threat into your house every day, just to piss you off. And then, I am going to jerk off to it. How does that make you feel? How does it make you feel to know that I am a hacker??”

So how did federal authorities ultimately bring down Morgenstern?

Well, among several of the handles and e-mail addresses that the 19-year-old used was anonymously.lulzsec@gmail.com and the Twitter handle @RIURichHomie. The FBI simply filed a subpoena to Google for the records associated with that account and another to Twitter. They both showed that they had been accessed by the same IP address from a Comcast account served to a home in Cypress, Texas.

Authorities also found through a simple Google search that Morgenstern had previously controlled the Twitter account @ZackL337H4X0R.

I’m sure the website administrators were all but too happy to hand over those records. Even with my hatred of the state I think I’d have enjoyed turning those records over.

Many of the tools I advocate on this blog would provide pretty good protection for people such as this. That’s certainly the downside of the double-edged sword that is computer security. However, the good greatly outweighs the bad, especially when you realize that most people like this aren’t smart enough to properly use anonymizing tools. And even the assholes who are smart enough to use such tools are usually too dumb to use them properly but have an ego that’s large enough to convince them they’re smarter than they really are.

Don’t Return To The Caves

Robert Anton Wilson popularized the words neophiles and neophobes to describe people who enjoy and can adapt to rapid changes and those who fear and oppose change respectively. Whenever neophiles create and adopt a technological advancement neophobes step in to try and retard it. Strong cryptography allows individuals to securely communicate between one another. Neophobes, who are fearful by nature, cannot accept the idea of people having conversations that cannot be spied on. Advancements in automation require less human labor to produce more goods and services. Neophobes fear automation because they cannot conceive of a world where laborers don’t have to work as much or can find meaningful employment after being displaced by machines. Genetically modified crops can dramatically increase our species food production and feed more people with less resource expenditure. Neophobes want to halt production of genetically modified crops because they fear tampering with nature will have frightening and currently unrealized consequences.

The biggest difference between neophiles and neophobes is the former understands risks are inherent in change and accepts those risks while the latter fears change because it involves unknown risks.

Would you enjoy living a much shorter and hard life as a hunter gatherer in a cave? Because that’s what we’d all being doing if everybody listened to the neophobes. Advancement is scary because we don’t know how they will change the world. But advancement is far less scary than stagnation. This is why I don’t give any weight to arguments against technological advancement.

Are there risks in widespread availability to strong cryptography? Yes. Are there risks in allowing machines to do more and more of our labor? Yes. Are there risks in creating and cultivating genetically modified crops? Again, yes. However there are risks in enabling widespread surveillance, relying on manual labor, and refusing to advance agriculture. Those risks are powerful police states, injuries and deaths on jobs, and starvation.

Since the industrial revolution we’ve enjoyed a world where neophilia has surpassed neophobia. Even though we’re enjoying a standard of living unheard of only a generation ago the neophobes are still pounding their drums and trying to scare people into returning to the caves. Do you want to live in a world where we’re relegated to subsistence agriculture or one where robots produce more food than our species can possibly consume? If you, like me, desire the latter then you should work to ensure technological advancement isn’t hindered by neophobes. That means not supporting any efforts to stop the advancement of technology. Don’t support attempts to control the exportation of strong cryptography. Don’t support attempts to stop the adoption of automation. Don’t support prohibitions against genetically modified crops. Try to help technological advancements to flourish so more people can enjoy their benefits. Refute the neophobic fear mongering by pointing out how not adopting new technologies is also risky and how the fears of neophobia have seldom, if ever, been realized. Don’t help those who would return us to the caves.

Why I Generally Recommend iOS Over Android

As I’m sure many of you are, I’m the guy who friends and family come to when seeking advice on what electronic device to purchase. When somebody asks me whether they should get an iOS or Android device I generally point them towards iOS. It’s not because Android is bad, it’s a very good operating system. Unfortunately, in most cases, when you get an Android device you’re not so much dealing with Android as the manufacturer and carrier. Because of their meddling in an otherwise great operating system it’s difficult to know when or for how long you’ll get updates and that creates a security nightmare:

Now, though,Android has around 75-80 percent of the worldwide smartphone market—making it not just the world’s most popular mobile operating system but arguably the most popular operating system, period. As such, security has become a big issue. Android still uses a software update chain-of-command designed back when the Android ecosystem had zero devices to update, and it just doesn’t work. There are just too many cooks in the kitchen: Google releases Android to OEMs, OEMs can change things and release code to carriers, carriers can change things and release code to consumers. It’s been broken for years.

The Android ecosystem’s reaction to the “Stagefright” vulnerability is an example of how terrible things are. An estimated 95 percent of Android devices have a have a remote arbitrary code execution just by receiving malicious video MMS. Android has other protections in place to stop this vulnerability from running amok on your smartphone, but it’s still really scary. As you might expect, Google, Samsung, and LG have all pledged to “Take Security Seriously” and issue a fix as soon as possible.

Their “fix” is going to be to patch 2.6 percent of all active Android devices. Tops. That’s the percentage of Android devices that are running Android 5.1 today, nearly five months after the OS was released.

This isn’t a new problem. Manufacturers and carriers have been interfering with software updates for phones for ages. My first cell phone was a Palm Treo 700p running on Sprint’s network. Sprint, compared to other carriers who also had the 700p, would take forever to approve updates for the device and sometimes wouldn’t approve them at all. That meant I was stuck with unpatched software much of the time because Palm was at the mercy of Sprint.

Apple refused to allow carriers any control over iOS. Although this is likely part of why the iPhone was relegated to only being available on AT&T for a long time the decision paid off in the long run. When a vulnerability is discovered in iOS Apple can push out the patch and no carrier can interfere. Google, on the other hand, gave almost all control to manufacturers and carriers. Because of that it can’t push out Android updates to all of its users and that leaves many Android users with insecure devices.

I hope Google changes this and at least requires manufacturers to use Android’s official update channel in order to gain access to its proprietary apps (which is what most people use Android for anyways). The current situation is untenable, which is sad because Android really is a good operating system.

Why You Want Paranoid People To Comment On Features

When discussing security with the average person I’m usually accused of being paranoid. I carry a gun in case I have to defend myself? I must be paranoid! I only allow guests at my dwelling to use an separate network isolated from my own? I must be paranoid! I encrypt my hard drive? I must be paranoid! It probably doesn’t help that I live by the motto, just because you’re paranoid doesn’t mean they’re not out to get you.

Paranoid people aren’t given enough credit. They see things that others fail to see. Consider all of the application programming interface (API) calls the average browser has available to website developers. To the average person, and even to many engineers, the API calls available to website developers aren’t particularly threatening to user privacy. After all, what does it matter if a website can see how much charge is left in your batter? But a paranoid person would point out that such information is dangerous because it gives website developers more data to uniquely identify users:

The battery status API is currently supported in the Firefox, Opera and Chrome browsers, and was introduced by the World Wide Web Consortium (W3C, the organisation that oversees the development of the web’s standards) in 2012, with the aim of helping websites conserve users’ energy. Ideally, a website or web-app can notice when the visitor has little battery power left, and switch to a low-power mode by disabling extraneous features to eke out the most usage.

W3C’s specification explicitly frees sites from needing to ask user permission to discover they remaining battery life, arguing that “the information disclosed has minimal impact on privacy or fingerprinting, and therefore is exposed without permission grants”. But in a new paper from four French and Belgian security researchers, that assertion is questioned.

The researchers point out that the information a website receives is surprisingly specific, containing the estimated time in seconds that the battery will take to fully discharge, as well the remaining battery capacity expressed as a percentage. Those two numbers, taken together, can be in any one of around 14 million combinations, meaning that they operate as a potential ID number. What’s more, those values only update around every 30 seconds, however, meaning that for half a minute, the battery status API can be used to identify users across websites.

The people who developed the W3C specification weren’t paranoid enough. It was ignorant to claim that reporting battery information to websites would have only a minimal impact on private, especially when you combine it with all of the other uniquely identifiable data websites can obtain about users.

Uniquely identifying users becomes easier with each piece of data you can obtain. Being able to obtain battery information alone may not be terribly useful but combining it with other seemingly harmless data can quickly give a website enough data points to identify a specific user. Although that alone may not be enough to reveal their real identity it is enough to start following them around on the web until enough personal information has been tied to them to reveal who they are.

The moral of this story is paranoia isn’t properly appreciated.