Ad Blockers Are Security Tools

If you’re not already running an ad blocker I highly recommend you start. In addition to reducing bandwidth usage, ad blockers also protect against malware delivered through ad networks. Because a single network serves ads on so many separate websites, ad networks are common targets for malicious hackers. When they find an exploit they usually use the compromised network to deliver malware to users who visit any website that relies on that ad network. Yahoo’s network is the most recent example of this scenario:

June and July have set new records for malvertising attacks. We have just uncovered a large scale attack abusing Yahoo!’s own ad network.

As soon as we detected the malicious activity, we notified Yahoo! and we are pleased to report that they took immediate action to stop the issue. The campaign is no longer active at the time of publishing this blog.

This latest campaign started on July 28th, as seen from our own telemetry. According to data from SimilarWeb, Yahoo!’s website has an estimated 6.9 Billion visits per month making this one of the largest malvertising attacks we have seen recently.

When a single ad network can see almost 7 billion visits per month it’s easy to see why malware distributors try to exploit them.

Many websites rely on advertisements for revenue, so they understandably get upset when users visit their pages while running ad blockers. But their revenue model requires that their users put themselves at risk, so I don’t have any sympathy. If you run a website that relies on ads you should be looking at different revenue models, preferably ones that don’t put your users in harm’s way.

Security Is A Growing Threat To Security

Where a person stands on the subject of effective cryptography is a good litmus test for how technically knowledgeable they are. Although any litmus test is limited, you can tell immediately that an individual doesn’t understand cryptography if they in any way support state mandated weaknesses. Mike Rogers, a former Michigan politician, expressed his ignorance of cryptography in an editorial that should demonstrate to everybody why his opinion on this matter can be safely discarded:

Back in the 1970s and ’80s, Americans asked private companies to divest from business dealings with the apartheid government of South Africa. In more recent years, federal and state law enforcement officials have asked — and required — Internet service providers to crack down on the production and distribution of child pornography.

You know where it is going when the magical words “child pornography” are being mentioned in the first paragraph.

Take another example: Many communities implement landlord responsibility ordinances to hold them liable for criminal activity on their properties. This means that landlords have certain obligations to protect nearby property owners and renters to ensure there isn’t illicit activity occurring on their property. Property management companies are typically required to screen prospective tenants.

Because of the title of the editorial I know this is supposed to be about encryption. By using the words “child pornography” I know this article is meant to argue against effective cryptography. However, I have no bloody clue how landlords play into this mess.

The point of all these examples?

There’s a point?

That state and federal laws routinely act in the interest of public safety at home and abroad. Yet now, an emerging technology poses a serious threat to Americans — and Congress and our government have failed to address it.

Oh boy, this exercise in mental gymnastics is going to be good. Rogers could be going for the gold!

Technology companies are creating encrypted communication that protects their users’ privacy in a way that prevents law enforcement, or even the companies themselves, from accessing the content. With this technology, a known ISIS bomb maker would be able to send an email from a tracked computer to a suspected radicalized individual under investigation in New York, and U.S. federal law enforcement agencies would not be able to see ISIS’s attack plans.

Child pornography and terrorism in the same editorial? He’s pulling out all the stops! Do note, however, that he was unable to cite a single instance where a terrorist attack would have been thwarted if only effective encryption hadn’t been in the picture. If you’re going to opt for fear mongering it’s best not to create hypothetical scenarios that can be shot down. Just drop the boogeyman’s name and move on, otherwise you look like an even bigger fool than you otherwise would.

What could a solution look like? The most obvious one is that U.S. tech companies keep a key to that encrypted communication for legitimate law enforcement purposes. In fact, they should feel a responsibility and a moral obligation to do so, or else they risk upending the balance between privacy and safety that we have so carefully cultivated in this country.

Here is where his entire argument falls apart. First he claims “state and federal laws routinely act in the interest of public safety” and now he’s claiming that state and federal laws should work against public safety.

Let’s analyze what a hypothetical golden key would do. According to Rogers it would allow law enforcement agents to gain access to a suspect’s encrypted data. This is true. In fact it would allow anybody with a copy of that key to gain access to the encrypted data of anybody using that company’s products. Remember when Target’s and Home Depot’s networks were breached and all of their customers’ credit card data was compromised? Or that time Sony’s PlayStation Network was breached and its customers’ credit card data was compromised? How about the recent case of that affair website getting breached and its customers’ personal information ending up in unknown hands? And then there was the breach that exposed all of Hacking Team’s dirty secrets and many of its private keys to the Internet. These are not hypothetical scenarios cooked up by somebody trying to scare you into submission but real world examples of company networks being breached and customer data being compromised.

Imagine the same thing happening to a company that held a golden key that could decrypt any customer’s encrypted data. Suddenly a single breach would not only compromise personal information but also every device every one of the company’s customers possessed. If Apple, for example, were to implement Rogers’ proposed plan and its golden key was compromised every iOS user, which includes government employees I might add, would be vulnerable to having their encrypted data decrypted by anybody who acquired a copy of the key (and let’s not lie to ourselves, in the case of such a compromise the key would be posted publicly on the Internet).

Network breaches aren’t the only risk. Any employee with access to the golden key would be able to decrypt any customer’s device. Even if you trust law enforcement do you trust one or more random employees at a company to protect your data? A key with that sort of power would be worth a lot of money to a foreign government. Do you trust somebody to not hand a copy of the key over to the Chinese government for a few billion dollars?

There is no way a scenario involving a golden key can end well, which brings us to our next point.

Unfortunately, the tech industry argues that Americans have an absolute right to absolute privacy.

How is that unfortunate? More to the point, based on what I wrote above, we can see that the reason companies don’t implement cryptographic backdoors isn’t because they believe in some absolute right to privacy but because the risks of doing so are too great of a liability.

The only thing Rogers argued in his editorial was his complete ignorance on the subject of cryptography. Generally the opinions of people who are entirely ignorant on a topic are discarded and this should be no exception.

The Future Of Warfare

There are two common predictions regarding the future of warfare. First, the arms race between military powers will drive continuous adoption of improving technologies. Second, the focus will increasingly be on attacking your opponent’s technology as opposed to their soldiers.

TrackingPoint, an optical system that automates almost all of the previously specialized knowledge usually required to accurately hit a target at long distances with a rifle, is an example of this. Such a system could greatly increase the accuracy of the average soldier while cutting training costs. Militaries that adopt such technology would have a distinct advantage over those that didn’t. The tradeoff is that the technology can be attacked and potentially render it useless:

At the Black Hat hacker conference in two weeks, security researchers Runa Sandvik and Michael Auger plan to present the results of a year of work hacking a pair of $13,000 TrackingPoint self-aiming rifles. The married hacker couple have developed a set of techniques that could allow an attacker to compromise the rifle via its Wi-Fi connection and exploit vulnerabilities in its software. Their tricks can change variables in the scope’s calculations that make the rifle inexplicably miss its target, permanently disable the scope’s computer, or even prevent the gun from firing. In a demonstration for WIRED (shown in the video above), the researchers were able to dial in their changes to the scope’s targeting system so precisely that they could cause a bullet to hit a bullseye of the hacker’s choosing rather than the one chosen by the shooter.

I’m sure somebody is going to claim this as a reason why merging firearms and technology is stupid. Such criticisms can be dismissed entirely because any military that fails to take advantage of this type of technology will be at a tremendous disadvantage. Merging technology and firearms is inevitable so we need to address the weaknesses.

TrackingPoint has stated that it will work with the researchers to fix the vulnerabilities, and that’s the proper response. This should also serve as a lesson to any organization creating military technology: software security, which will eventually become the primary target of enemy forces, must be a primary consideration.

As an aside it will be interesting to see if the death tolls in future wars decrease as focus on attacking technology increases. If one side can disable the other side’s ability to wage war it could lead to a bloodless surrender or an immediate retreat.

It’ll also be interesting to see how this plays out in the ancient battle of the state versus the people. Traditionally states, being centralized bureaucracies, have responded poorly to change whereas humanity as a whole has responded very well to change. In the future states will be entirely dependent on technology to both wage war and exploit its people. That could give the people a strong advantage since you could have the creativity of the entire world focused on rendering the technology and these centralized exploiters impotent. Imagine a world where a police cruiser pursuing a nonviolent drug dealer could be turned off with the push of a button. Suddenly the dangerous high-speed chase initiated by the officer could be made into a very safe getaway for the dealer. Family pets could be saved from police kicking in a door at oh dark thirty by merely using an exploit that would cause the officer’s identification friend or foe (IFF) to identify all of the house’s inhabitants as friendly and therefore prevent their weapons from discharging at them. Admittedly that is a farfetched vision but not one outside of the realm of possibility.

Why You Should Be Concerned About Wi-Fi Sense

Windows 10 has a feature, dubbed Wi-Fi Sense, that allows you to share any Wi-Fi pre-shared keys with your friends. Needless to say the security community hasn’t received this feature with open arms. Just because you trust a friend to connect to your wireless network doesn’t mean you trust all of their friends. But a lot of people have been trying to argue that this feature isn’t a big deal and people should stop being so worried about it. Some are even claiming that this feature is beneficial to security because it makes it easier for people to find encrypted Wi-Fi networks to join.

My focus when it comes to security is the individual. From my vantage point I see this feature as a risk to individuals who want to control who has access to their wireless networks. Ars Technica, while trying to argue that Wi-Fi Sense isn’t that big of a deal, inadvertently made the best case against it:

For a start, when a Wi-Fi passkey is shared with your PC via Wi-Fi Sense, you never actually see the password: it comes down from a Microsoft server in encrypted form, and is decrypted behind the scenes. There might be a way to see the decrypted passkeys if you go hunting through the registry, or something along those lines, but it’s certainly not something that most people are likely to do.

Emphasis mine. You can’t base your security model on the assumption that so long as something isn’t easy to do it won’t be done. Although Wi-Fi Sense encrypts pre-shared keys before transmitting them they have to be decrypted before they can be used. Once they’re decrypted they’re fair game for anybody who knows where to look. To make matters worse once somebody finds where the unencrypted keys are stored it will be trivial to write an automated tool for extracting and displaying them.
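As an added example (not code from the original post and not anything Microsoft ships), here is the kind of automated extraction tool the paragraph above anticipates, written in Python. It wraps `netsh wlan show profiles` and `netsh wlan show profile name="..." key=clear`, which is the documented way to print the stored key of a saved Wi-Fi profile on Windows, and parses the text netsh prints. The sample output embedded in the script is constructed, not captured from a real machine; the profile names and the key are invented. Whether profiles that arrived through Wi-Fi Sense are exposed through this same command is an assumption this example does not settle: it demonstrates the general technique of pulling decrypted pre-shared keys out of the place Windows keeps them.

```python
"""Dump the pre-shared keys of saved Wi-Fi profiles on Windows via netsh.

Added example: parses the text printed by `netsh wlan show profiles` and
`netsh wlan show profile name="<ssid>" key=clear`. On Windows it walks
every saved profile; elsewhere it falls back to the constructed sample
output below so the parsing can be exercised on any platform.
"""
import re
import subprocess
import sys

# Constructed sample of `netsh wlan show profiles` output (not captured
# from a real host). Only the lines the parser looks at are reproduced.
SAMPLE_PROFILES_OUTPUT = """
Profiles on interface Wi-Fi:

Group policy profiles (read only)
---------------------------------
    <None>

User profiles
-------------
    All User Profile     : HomeNet
    All User Profile     : CoffeeShop
"""

# Constructed sample of `netsh wlan show profile name="HomeNet" key=clear`.
# The SSID and the key are invented.
SAMPLE_PROFILE_OUTPUT = """
Profile HomeNet on interface Wi-Fi:
=======================================================================

Applied: All User Profile

Profile information
-------------------
    Version                : 1
    Type                   : Wireless LAN
    Name                   : HomeNet

Connectivity settings
---------------------
    Number of SSIDs        : 1
    SSID name              : "HomeNet"
    Network type           : Infrastructure

Security settings
-----------------
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Security key           : Present
    Key Content            : correct horse battery staple
"""

PROFILE_NAME_RE = re.compile(
    r"^\s*(?:All|Current) User Profile\s*:\s*(.+?)\s*$", re.M)

# netsh output label -> key in the dict returned by parse_profile().
FIELDS = {
    "Name": "ssid",
    "Authentication": "authentication",
    "Cipher": "cipher",
    "Key Content": "key",
}


def parse_profile_names(text):
    """Return the saved profile names listed by `netsh wlan show profiles`."""
    return PROFILE_NAME_RE.findall(text)


def parse_profile(text):
    """Pull SSID, auth/cipher and the clear-text key out of one profile dump."""
    result = {}
    for label, key in FIELDS.items():
        # Anchored at line start so "Name" does not also match "SSID name".
        m = re.search(rf"^\s*{re.escape(label)}\s*:\s*(.*?)\s*$", text, re.M)
        result[key] = m.group(1) if m else None
    return result


def netsh(command):
    """Run a netsh command line; on Windows the string is passed verbatim."""
    return subprocess.run(command, capture_output=True, text=True,
                          check=True).stdout


def dump_saved_keys():
    """Enumerate every saved profile and return its parsed fields.

    Showing the key of an all-user profile may need an elevated prompt;
    without it the "Key Content" line can be absent, reported here as None.
    """
    profiles = []
    for name in parse_profile_names(netsh("netsh wlan show profiles")):
        out = netsh(f'netsh wlan show profile name="{name}" key=clear')
        profiles.append(parse_profile(out))
    return profiles


def main():
    if sys.platform == "win32":
        profiles = dump_saved_keys()
    else:
        profiles = [parse_profile(SAMPLE_PROFILE_OUTPUT)]  # offline demo
    for p in profiles:
        print(f"{p['ssid']!s:20} {p['authentication']!s:15} "
              f"{p['cipher']!s:6} {p['key']}")


if __name__ == "__main__":
    main()
```

The parsing is kept separate from the netsh calls so the script can be run on a non-Windows box against the sample; on Windows, run it from an elevated prompt to cover all-user profiles.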

The biggest problem with Wi-Fi Sense is that it makes it extremely easy to lose any control over who has access to your pre-shared key. While it’s true that you potentially lose control over who has your pre-shared key the second you share it with somebody else, this makes the problem worse because even a trustworthy person may inadvertently share the key with all of their friends.

As with anything there are pros and cons. I’m not saying Wi-Fi Sense doesn’t offer any benefits. But I think a lot of people are sweeping major security concerns about the feature under the rug. You should be fully aware of the risks involved in using the feature and you especially can’t assume just because something is potentially difficult nobody is going to do it.

The Real Android Security Issue

A new text message vulnerability has been discovered. By sending a maliciously formed video through the multimedia messaging service (MMS), an attacker can compromise a device running Android. This shouldn’t be a notable problem because Google has already pushed out a fix. But it is a notable problem because there’s no guarantee device manufacturers will push the fix to their users:

If you’re an Android user, you’d better hope that a stranger doesn’t send you a video message in the near future — it might compromise your phone. Security researchers at Zimperium have discovered an exploit that lets attackers take control if they send a malware-laden MMS video. The kicker is that you may not even need to do anything to trigger the payload, depending on your text messaging app of choice. While the stock Messenger app won’t do anything until you see the message, Hangouts’ pre-processing for media attachments could put you at risk before you’re even aware that there’s a message waiting.

Google is already on top of the flaw, and has pushed out a fix to its hardware partners. However, whether or not you’ll get that fix will depend on your phone’s manufacturer. Zimperium tells Forbes that the Nexus 6 and Blackphone are already safe against some of the related flaws (other Nexus devices are likely in a similar boat), but more common third-party phones from Samsung, HTC and others are typically still vulnerable.

There is a lot of heated debate over whether iOS or Android is more secure. Overall I think both operating systems have decent reputations for security, but Android gets a bad rap because Google doesn’t control the update channel for all Android devices. Google has already pushed the fix out to its own devices and some manufacturers have pushed the fix to their users. But each manufacturer gets a great deal of leeway over what they can do with Android and many have opted to make their devices rely on their own update channel instead of Google’s. This means updates may not arrive in a timely manner or at all.

iOS has an advantage when it comes to security because Apple controls the hardware and software. When a vulnerability is fixed Apple can guarantee everybody using a currently supported version of iOS gets the update.

Google would do well to require device manufacturers to use its official Android update channel in order to use its proprietary apps (which is the only real pull Google has since Android is an open source operating system). Since most Android users rely on Google’s proprietary apps that would be a powerful incentive for handset manufacturers to utilize the official Android update channel instead of rolling their own. Until that is done I fear a lot of Android users will continue being vulnerable to exploits that have already been discovered and patched.

I’m Available For Performing Electronic Exorcisms

As many of you know I’m a discordian pope. In addition to that I’m also a minister ordained by the Universal Life Church Monastery. With rock solid credentials like that I’m totally getting into the electronic exorcism business:

But if you truly think your electronics have been invaded by an evil spirit, there’s someone who will take your call — Reverend Joey Talley — a Wiccan witch from the San Francisco Bay Area who claims to solve supernatural issues for techies.

[…]

“Most people want me to protect their computers from viruses and hacks,” she told SF Weekly. “So I’ll make charms for them. I like to use flora.” And when there are problems in office hardware, Talley turns to “Jet,” a black stone that serves to block energy. In extreme cases, she casts protection spells of her own over the entire company.

[…]

Talley’s services do not come cheap. She charges $200 an hour (though a phone consultation is free).

For $200.00 per hour — hell, for $100.00 per hour I’ll exorcise the daemons from your systems (at least the daemons that aren’t supposed to be there). My e-mail address is to the right of this post, feel free to contact me for your free exorcism estimate!

Use WPA-AES To Secure Your Wireless Network

Wired Equivalent Privacy (WEP) was the first standard implemented for securing wireless networks. As the weaknesses in the way WEP used the RC4 stream cipher became better known, Wi-Fi Protected Access (WPA) was created as a successor. WPA offers two cipher options: Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES), the latter in the mode known as CCMP.

TKIP was a bandage created for devices that could not implement AES. It kept RC4 so it would run on existing WEP hardware, but added per-packet key mixing, a packet sequence counter and a message integrity check, which raised the difficulty of attacking the network significantly. It was never meant to be a long-term replacement. Nowadays everything has support for AES, which was a good enough reason to move away from TKIP. In addition to that the weaknesses in RC4 are now bad enough that breaking TKIP is easy:

Almost a third of the world’s encrypted Web connections can be cracked using an exploit that’s growing increasingly practical, computer scientists warned Wednesday. They said the attack technique on a cryptographic cipher known as RC4 can also be used to break into wireless networks protected by the Wi-Fi Protected Access Temporal Key Integrity Protocol.

Researchers have long known statistical biases in RC4 make it possible for attackers to predict some of the pseudo-random bytes the cipher uses to encode messages. In 2013, a team of scientists devised an attack exploiting the weakness that required about 2,000 hours to correctly guess the characters contained in a typical authentication cookie. Using refinements, a separate team of researchers is now able to carry out the same feat in about 75 hours with a 94 percent accuracy. A similar attack against WPA-TKIP networks takes about an hour to succeed. The researchers said the only reliable countermeasure is to stop using RC4 altogether.

A wireless network secured with TKIP can now be broken in an hour. If you haven’t already set up your access point to exclusively use AES it’s time to do so. If you’re administering a web server and haven’t already disabled RC4 you’ve failed. But there’s no reason you can’t redeem yourself by disabling it now.
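To make the two checks above concrete, here is an added Python example (not code from the original post, nor from hostapd or any web server project). It parses a hostapd.conf and flags any configuration that still offers TKIP, and it expands an OpenSSL-style cipher string through the OpenSSL build behind Python’s `ssl` module to see whether any RC4 suite would survive. The hostapd fragments and the passphrase are constructed, not taken from a real deployment; the nginx `ssl_ciphers` directive mentioned in the comments is one place such a cipher string is used.

```python
"""Audit wireless and TLS cipher settings for TKIP and RC4.

Added example: flags hostapd configuration that still allows TKIP and
expands a server cipher string to list any RC4 suites it admits. The
configuration fragments are constructed for illustration.
"""
import ssl

# Constructed hostapd.conf that still offers TKIP to WPA and WPA2 clients.
# wpa=3 enables both WPA (governed by wpa_pairwise) and WPA2 (rsn_pairwise).
WEAK_HOSTAPD = """\
interface=wlan0
ssid=HomeNet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
wpa_passphrase=correct horse battery staple
"""

# The corrected version: WPA2 only, CCMP (AES) only.
HARDENED_HOSTAPD = """\
interface=wlan0
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct horse battery staple
"""


def parse_hostapd(text):
    """Parse key=value lines, ignoring blank lines and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def audit_hostapd(text):
    """Return a list of findings; an empty list means no TKIP exposure."""
    cfg = parse_hostapd(text)
    findings = []
    wpa = cfg.get("wpa", "0")
    if wpa == "0":
        findings.append("wpa=0: no WPA at all (open or WEP network)")
    if wpa in ("1", "3"):
        findings.append(f"wpa={wpa} enables WPA version 1, which exists for TKIP clients")
        if "TKIP" in cfg.get("wpa_pairwise", "").split():
            findings.append(f"wpa_pairwise={cfg['wpa_pairwise']}: TKIP (RC4) for WPA clients")
    if wpa in ("2", "3"):
        # hostapd falls back to wpa_pairwise when rsn_pairwise is unset.
        rsn = cfg.get("rsn_pairwise", cfg.get("wpa_pairwise", ""))
        if "TKIP" in rsn.split():
            findings.append(f"rsn_pairwise effectively '{rsn}': TKIP (RC4) for WPA2 clients")
    return findings


def rc4_suites(cipher_string):
    """Expand an OpenSSL cipher string and return the RC4 suites it admits.

    Suitable for the string given to nginx's ssl_ciphers directive or
    Apache's SSLCipherSuite. Modern OpenSSL builds compile RC4 out entirely;
    there set_ciphers() raises ssl.SSLError for a list that would contain
    only RC4 suites, reported here as an empty result because the platform
    cannot negotiate RC4 at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if "RC4" in c["name"]]


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_HOSTAPD), ("hardened", HARDENED_HOSTAPD)):
        print(f"{label} hostapd: {audit_hostapd(conf) or 'OK'}")
    # "ALL" is what a permissive server list looks like; the second string is
    # the shape of a corrected ssl_ciphers value with RC4 explicitly removed.
    for cs in ("ALL", "HIGH:!aNULL:!MD5:!RC4"):
        print(f"{cs!r}: RC4 suites {rc4_suites(cs) or 'none'}")
```

Run it as a script to see the three findings for the weak hostapd.conf and none for the hardened one; the RC4 list for `ALL` will be non-empty only on an OpenSSL build that still ships RC4, which is itself a useful thing to learn about the host.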

I spend a lot of time advocating for people to encrypt their data. One caveat I try to point out but sometimes forget is that all encryption isn’t made the same. Some encryption algorithms and implementations are far better than others. Even poor encryption is better than no encryption but usually not by a lot. Effective encryption is what you need if you want to keep your data private.

Focusing On Softer Targets

In regards to the Office of Personnel Management (OPM) breach I noted that the federal government’s networks are only as secure as the weakest link. While it’s likely federal agencies such as the Department of Defense (DoD) and National Security Agency (NSA) have much more secure networks than the OPM or Internal Revenue Service (IRS), the fact that all these federal agencies share data amongst each other means an attacker only needs to breach the weakest network. Apparently that’s what China has been doing:

WASHINGTON — After years of cyberattacks on the networks of high-profile government targets like the Pentagon, Chinese hackers appear to have turned their attention to far more obscure federal agencies.

Law enforcement and cybersecurity analysts in March detected intrusions on the computer networks of the Government Printing Office and the Government Accountability Office, senior American officials said this week.

It’s a smart move. Just as much valuable information can be gleaned from lesser known agencies as from more famous agencies. The fact is federal agencies have so much data on both individuals and government operations that they’re all prime targets. Herein again lies the fallacy of the “nothing to hide” crowd. They believe the only eyes that will be looking at the data the federal government has collected on them are the federal government’s. Truth be told other eyes such as foreign governments and malicious hackers will also be looking at their data.

The reason it’s important to keep as much data away from the federal government as possible is not just because of what the federal government will do with it but also because of the likelihood it will lose control of that data in the future.

When The Only Thing You Have Is Legislation Every Problem Looks Like It Can Be Solved By Passing A Law

Politicians are trying to infringe on both the right of self-defense and the right of free speech in their latest attempt at the impossible. With the 3D printing revolution taking place many politicians see the writing on the wall and realize their power to regulate manufacturing is waning. Hoping to head this technology off at the pass they’re trying to find a justification that people will fall for to pass regulations against 3D printing. They’re betting everything on the populace finding the prospect of 3D printed firearms scary enough that they’ll support laws restricting what individuals can print on their 3D printers. But the rhetoric is especially amusing:

The notion of a 3-D printable gun has become the perfect flashpoint in a new conflict between digital arms control and free speech. Should Americans be allowed to say and share whatever they want online, even if that “speech” is a blueprint for a gun? The State Department has now answered that question with a resounding “no.”

That isn’t even the correct question. What everybody should be asking is if it’s even possible to enforce a law restricting what individuals can do with their 3D printers. The answer is no. Computer technology is far too pervasive to control anymore. Information can be shared amongst individuals around the world almost instantly. Anonymity tools allow individuals to share information without being identifiable. And even if people in the United States comply with a law against sharing 3D printer designs for firearms the rest of the world isn’t bound by such nonsense.

Censorship is dead and the Internet killed it. Any restriction against the sharing of ideas is unenforceable and therefore shouldn’t even be a consideration for politicians.

For $549 You Can Own A Gun Detection System That Can’t Detect Guns

I’m not sure what to think about this one. GunDetect is being marketed as a camera that can detect when somebody is carrying a gun. Based on what has been published so far I’m not sure if this is meant to be a legitimate product or a really clever troll.

The first problem regarding GunDetect is technical. Namely what the device isn’t capable of doing:

There’s a question as to how effective this will be as a first line of defense, though. The makers say that their system is accurate “90% of the time” in instances where a gun is clearly visible. That sounds good, but that leaves a lot of room for misses. What happens if nogoodniks are smart enough to conceal their weapons? Also, night vision support isn’t in these existing models — for now, you can forget about spotting thieves in the middle of the night. The technology could easily be useful as an extra layer of gun safety or security, but it won’t replace a good home security system or vigilant parenting.

There’s only a 90% chance that the device will successfully detect a gun, and then only if the gun is being carried openly and there’s enough light. In other words this device is pretty much worthless at determining whether the person who broke into your home at oh dark thirty is armed or not. But the problems with this product don’t stop there. If you want access to this remarkably limited device you’ll have to spend some major dough. Since it’s 2015 this product has a Kickstarter page. On it you’ll notice two models being offered:

GunDetect comes in two versions, both of which are based on the latest computer-vision algorithms and optical sensing hardware. The difference is the location for the massive amount of number-crunching required to reliably detect a gun in an image.

GunDetect Premium is our main product and does all its vision processing locally using a powerful computing system that does not need to send any video data to the Internet – giving you the peace of mind knowing your private video never leaves the premises.

GunDetect Cloud has less local processing and uses our Internet servers to help crunch encrypted video data – potentially taking longer to detect a gun than GunDetect Premium.

Getting a GunDetect Premium requires throwing $549.00 at the Kickstarter. GunDetect Cloud starts at $349.00 but that only includes a one-year subscription to the service. What a bunch of stingy bastards! The Premium line seems like the only sane way to go since it doesn’t require working Internet service to function, doesn’t upload a constant video feed of your home to a third-party server, and doesn’t involve a yearly $100.00 (I shit you not, the reward tier for an additional year is $100.00) subscription. But for that price you could invest in an actual gun that would at least give you a means of defending yourself against an armed invader.

I don’t think technology able to detect whether somebody is armed is necessarily a bad thing. It could serve as an additional layer of defense for a home or office. However such a device can only be considered effective if it can detect both open and concealed weapons, function independently of an external server, and not depend on environmental factors such as light availability. A weapon detection system that can’t detect concealed weapons is pretty worthless. If somebody is openly carrying a weapon I can see that already; I don’t need an expensive camera to confirm what my eyes are showing me. Any system that depends on an external server is rendered worthless if the Internet goes out, which can happen for any number of reasons including a burglar cutting your Internet line or the power going out. And what good is a weapon detection system that is unable to detect whether the person who kicked in my door in the middle of the night is armed? That’s the situation where I would most want to know whether somebody is armed or not.

Nothing about this product impresses me. It has technical weaknesses that make it ineffective at detecting weapons, the subscription service for the Cloud model is expensive, the price of the standalone Premium model is very expensive, and the Cloud model creates some serious privacy concerns. Judging by the number of backers so far I’m not the only one who sees this product as a nonstarter. If this is meant to be a legitimate product it would behoove the developers to return to the drawing board and sort these problems out before begging the Internet for money. If this is meant to be a clever troll I must tip my hat to them.