Agorism and Decentralized Power

One of the major news items this week was Elon Musk unveiling the Powerwall, a battery pack aimed at making renewable energy sources more useful. The idea isn’t a new one. People, especially those living in remote areas, have been making homemade energy storage mechanisms, usually out of car or marine batteries, charged by solar panels for some time now. What the Powerwall brings to the table is an affordable prepackaged solution that you can have professionally installed. Advocates of renewable energy have been cheering this announcement while detractors have been pointing out the return on investment:

But as of right now, the ROI still takes too long to reach break-even for people to view it as an economic benefit.

Why? Basically, it boils down to how much you pay per kWh put into the battery, which is then retrieved later. And if you don’t already have a big enough photovoltaic system to get off the grid, paying the estimated $0.30/kWh for electricity through the Powerwall may not make much sense. On average, grid prices for electricity in the US are about $0.12/kWh. Rooftop solar PV is estimated to reach grid parity in most places by 2016, but it’s not quite there yet.

The author of this statement makes a common economic mistake by assuming the only return one gains from an investment is monetary. Value is subjective and there are many advantages to a product such as the Powerwall other than saving money on the power bill. For agorists the biggest advantage may be decentralization.

Relying on a centralized power infrastructure has several downsides. First, if the complex centralized system goes down you have no power. This is becoming a bigger deal as we come to rely on our electrically powered appliances and devices more heavily. By having your own solar array and a battery to store energy for cloudy days and nights you can keep your gear running even if the centralized power grid goes down.

Second, and this is a big one for agorists, a centralized power system is easier for a state to tax. One of the reasons states prefer big businesses over small ones is that they reduce the costs of enforcing a tax scheme. It’s easier for a state to keep tabs on a handful of large businesses than thousands of little ones. Since businesses act as tax collectors themselves by withholding payroll taxes for the state, having a handful of large employers further reduces the state’s overhead. Power is the same. By having everybody hooked into a centralized system the state can collect power-related taxes easily by putting the power provider in charge of collecting. Even if the state declared a tax on power generated by personally owned solar panels it would be a nightmare to enforce. The more decentralized the power infrastructure is, the more difficult it is for the state to use it as a tax collecting mechanism.

Third, and this is probably even more important for agorists, the state can more readily utilize a centralized power infrastructure to enforce its decrees. It’s possible for the state to utilize power usage to detect cannabis growers. With a centralized system it’s trivial to convince the power company to report large spikes in customer power usage, either by offering a reward or through coercive means. Any prohibited activity that requires a large amount of power could be caught by monitoring the centralized power system. By relying on your own solar panels you can more readily conceal your power usage since you don’t have nosy power providers checking how much you’ve used every month.

By making solar power more accessible the Powerwall stands to be a good product for agorists because it allows one to further decouple themselves from the state. Because of that it stands to have a much quicker return on investment than most people are giving it credit for. I know the value of being able to further separate myself from the state is enormous, especially if the means of separating myself open up additional revenue sources that were otherwise too risky.

Deprecating Non-Secure HTTP

One of the biggest weaknesses of the Internet, in my opinion, is the fact that secure connections aren’t the default. E-mail servers often don’t transmit messages to other e-mail servers over secure connections. Many Jabber servers don’t utilize secure connections to other servers they’re federated with. Even the protocol most of us deal with multiple times on a daily basis to interact with web servers, the hypertext transport protocol (HTTP), isn’t secure by default. This lack of security has been a boon for national spy agencies such as the National Security Agency (NSA) and the Government Communications Headquarters (GCHQ). Even private businesses have been exploiting the lack of secure HTTP connections so they can better spy on their customers for advertising purposes. At this point it’s clear that non-secure Internet connections need to die.

To this end Mozilla, the developer of Firefox, has announced its plan to deprecate non-secure HTTP:

Today we are announcing our intent to phase out non-secure HTTP.

There’s pretty broad agreement that HTTPS is the way forward for the web. In recent months, there have been statements from IETF, IAB (even the other IAB), W3C, and the US Government calling for universal use of encryption by Internet applications, which in the case of the web means HTTPS.

After a robust discussion on our community mailing list, Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web.

This could be a huge move in the right direction. If every major browser deprecated non-secure HTTP it would force web servers to make secure connections available by default or lose users. More importantly, in my opinion, getting rid of non-secure HTTP would also eliminate the guessing game of what’s encrypted. Many websites only utilize a secure connection for specific actions such as logging into an account or sending credit card data. Other interactions with the web server are done over a non-secure connection. That guessing game can make users believe that their connection is secure even though it isn’t.

Deprecating non-secure HTTP isn’t a straightforward move. Enabling transport layer security (TLS) isn’t as simple as flipping a switch. You need to generate a keypair, obtain a certificate for it signed by an authority that major browsers trust, load both on the web server, and ensure the private key isn’t compromised. Administrators also have to keep up on recent security news so they can reconfigure their server when new exploits are discovered. Managing certificates could become much easier if Let’s Encrypt gains traction. Ensuring broken TLS protocols and features aren’t being used is a more difficult task but one that will likely be made easier as more sites move towards TLS. With that said, deprecating non-secure HTTP must be done regardless of the challenges involved.

CryptoParty in Minneapolis on May 9th

Do you want to learn how to communicate securely but don’t want to spend any money? Join CryptoPartyMN at The Hack Factory this Saturday between 13:00 and 17:00. We’ll teach you how to secure your stuff and won’t even hit you up for loose change!

This event will serve as a dry run before our main CryptoParty at Security B-Sides MSP on June 13th and 14th. Some mistakes will likely be made but I think we’ll be able to help you secure your life with a decent amount of competency.

If you’re interested in attending please RSVP here.

Rubber-Hose Cryptanalysis is Effective

I’m a big privacy advocate, which means I urge people to encrypt their hard drives (amongst many other things). This protects your data from a thief who has stolen your device, snoopy significant others, and law enforcement agents trying to dig up a reason to throw you in a cage for the remainder of your life. But encryption isn’t perfect. Rubber-hose cryptanalysis is effective. What that means is that officers, thanks to their magical liability shields, can bypass your encryption by threatening or actually using violence against your person:

After a few hours of this, which involved an attempt to lure one of Cascioli’s suppliers to his building, the officers focused on Cascioli’s Palm Pilot, which they (correctly) believed contained the information they wanted. But Cascioli wouldn’t provide the password. He claims that police then tried to extract the password through intimidation.

Cascioli says [Officer Thomas] Liciardello asked him a question: “Have you ever seen Training Day?”

When Cascioli said yes, Cascioli says Liciardello looked him in the eyes and said: “This is Training Day for f—ing real,” and then instructed officers Norman and Jeffrey Walker to take him to the balcony.

According to Cascioli and the indictment, Liciardello told them to “do whatever they had to do to get the password.”

Out on the balcony, Cascioli says officers Norman and Walker lifted him up by each arm and leaned him over the balcony railing.

In his testimony at trial this month, Cascioli provided more details, under oath, about what happened that night. The Palm Pilot, he said, contained records on his $400,000 stash, which he had split for safekeeping between the home of his brother and the home of a friend. When the cops allegedly took him out to the balcony, Cascioli said he truly feared for his life.

“They started to lift me a little,” he said. “My feet were off the ground.”

He said he was afraid. “I thought they were going to drop me” over the railing. Cascioli said he then gave up his password.

As a side note it’s worth bringing up that no Palm Pilot ever supported storage encryption so the most Cascioli’s device could have had was a password that could be easily bypassed by plugging the device into a computer and syncing all of the data (which copies the data from the Palm Pilot to the computer). But that really has nothing to do with the case at hand.

What is important here is threat modeling. Police rarely suffer consequences for using excessive force or even committing murder. That makes them more likely to use rubber-hose cryptanalysis. Fortunately encrypted drives are usually easy to erase because only the decryption keys need to be wiped out. If you really want to keep your information secret it would be wise to begin formatting your computer and mobile device upon confirming police are trying to gain entry into your dwelling. Otherwise you’re at the mercy of the court, which will tend to side with the police, to throw out any condemning evidence (and there will always be condemning evidence since everything is illegal these days).

The DMCA is a Corporate Subsidy

Planned obsolescence is a term generally used by the economically ignorant to explain the improvement of products over time. The claim is that, for example, Apple doesn’t make phones as good as it could because it wants them to be obsolete next year so consumers will buy the new one. This ignores the fact that using the latest and greatest hardware drastically increases costs, so manufacturers of mass produced devices tend to use components that are still very powerful but cheaper because they rely on older technology. It also ignores the fact that a phone isn’t suddenly obsolete just because a new model has been released. If that were the case there would be no market for used phones.

But there are times when examples of planned obsolescence, that is to say times when companies invested time and resources guaranteeing a product would cease to function after a certain period of time, can be found. Not surprisingly most of these examples rely on various corporate subsidies put into place by the state. One of those subsidies is the Digital Millennium Copyright Act (DMCA). The DMCA criminalizes the production and distribution of technology that circumvents copyright protection schemes, which are commonly referred to as Digital Rights Management (DRM). How is that a corporate subsidy? Let’s take this case of actual planned obsolescence as an example:

The IlluMask is a $30 “light therapy” mask that utilizes LED lights to zap away bacteria, stimulate skin cells and otherwise fight acne/aging (depending on what model you purchase.) Sounds great (if you buy IlluMask’s claims). A lifetime of skin revitalization, and all for just $30. Oh, wait.

The trouble is, it is limited to 30 daily uses of 15 minutes each, totaling just 7 1/2 hours, effectively lasting you a month. At the end of which, you just discard the device and get a new one. That seems like a ridiculous waste of a perfectly fine, functional device whose LEDs can last at least 30,000 to 40,000 hours.

Even if we ignore the negative environmental impact of discarding plastic masks loaded with perfectly good LEDs, there’s still the incredible audacity of IlluMask’s claim that its mask will only last 30 days, at which point the LEDs doing all of the facial revitalization/bacteria zapping are suddenly useless, even with well over 99.97% of their lifespan still ahead of them (based on 35,000 hours).

The manufacturers of the IlluMask utilize DRM to prevent the device from working after 30 days. Fortunately bypassing the DRM is easy:

1. Change the batteries if lights are getting dimmer.
2. Use a screwdriver and open the case. Then remove batteries and unscrew screws so the plastic battery holder on top of the circuit board can be moved over. Be careful NOT to damage any of the delicate wiring.
3. Now that the circuit board is exposed, put the batteries back in their slots.
4. Using a piece of wire (such as a paper clip) touch one end of your wire and place it where the thin copper wire connects to the circuit board (silver spot marked LED). Touch the other end to the little RESET copper circle–located on the left of the circuit board (use the copper circle above the word RESET, not below).
5. Press the start button while the wire is in place.
6. Move your wire from the RESET button to the TEST button.
7. Press the start button again while the wire is in place, and the count should reset to 30!

Unfortunately the DMCA makes disabling the DRM a potentially criminal offense. And herein lies the subsidy. Thanks to the DMCA, developing DRM technology can be worth the investment in time and resources. Even though DRM can always be bypassed, which would make it a poor investment in time and resources under normal circumstances, the existence of the DMCA means that anybody who does develop methods of bypassing DRM faces fines and prison time for doing so. The state threatens violence against anybody who attempts to bypass DRM, which drastically raises the cost of doing so. And the tax victims get to foot the bill for sending the heavily armed cops to kidnap developers of DRM bypassing technology, having highly paid prosecutors and judges argue and rule on the developer’s guilt, and guarding the prison the developer will be kept in for years. Were the DMCA not in place, bypassing DRM would carry no risks and manufacturers would have no recourse other than to attempt to develop a hardier DRM mechanism.

Yet Another Reason to Use HTTPS On Your Site

Transport Layer Security (TLS), often referred to by the name of its predecessor SSL, helps protect the privacy of your users and prevents malicious actors from altering the content being sent between them and your servers. Since it’s such a powerful tool you would think every site would enable it by default, but they don’t. If the privacy of your users and the integrity of your data isn’t enough to convince you to enable TLS maybe this will:

With CloudFlare, websites can afford extra security to users with Full SSL (Strict) encryption. Long story short, this strips certain identifiers from the traffic data ISPs use to block websites like TPB; since the information is routed through CloudFlare, website IP addresses are also hidden behind the delivery network. In the UK, where all major ISPs were strong-armed into blocking TPB in 2012, this has all but turned back time, with thepiratebay.se now accessible for Virgin, EE, BT and TalkTalk customers. Sky is the only popular provider still managing to block the site; you aren’t notified, as such, but the page won’t load anyhow.

TLS makes blocking access to websites more difficult (although not entirely impossible). Many web filters rely on identifiable information viewable in plaintext streams. When you encrypt those streams with TLS those filters are no longer able to see the identifiable information and therefore can’t block access.

Avoiding censorship is just another reason why you should not only enable TLS on your site but make its use mandatory by disabling unsecured connections (or redirecting them to secured connections as I do with this blog).
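The two properties this post asks for, plaintext requests redirected to the secure site and unsecured connections otherwise refused, can be verified from outside the server. The script below is an added example for this post, not the blog's own configuration or code: it checks that an `http://` request gets a permanent redirect to the same resource over `https://` and that the HTTPS response sends a `Strict-Transport-Security` header so browsers stop trying plaintext at all. The sample responses, the host `example.test`, and the six-month minimum `max-age` are constructed assumptions for the demonstration.

```python
"""Check that a site enforces HTTPS: plaintext requests must redirect to the
same resource over https://, and the HTTPS response must carry a
Strict-Transport-Security (HSTS) header with a long max-age.

Added example; the sample responses below are constructed, not captured
from any real server.
"""
from urllib.parse import urlsplit

# Six months is a common minimum; browser preload lists want a full year.
MIN_HSTS_MAX_AGE = 15768000


def parse_hsts(header: str):
    """Parse 'max-age=N; includeSubDomains; preload' into a dict.
    Returns None when the header is missing or has no usable max-age."""
    if not header:
        return None
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"')
    try:
        directives["max-age"] = int(directives["max-age"])
    except (KeyError, ValueError):
        return None
    return directives


def check_https_enforcement(request_url, status, headers, https_headers):
    """Return a list of problems found; an empty list means the site passes.

    request_url   -- the plaintext http:// URL that was requested
    status        -- HTTP status returned for that plaintext request
    headers       -- headers of the plaintext response
    https_headers -- headers of the response for the same resource over HTTPS
    """
    problems = []
    plain_hdr = {k.lower(): v for k, v in headers.items()}
    tls_hdr = {k.lower(): v for k, v in https_headers.items()}
    requested = urlsplit(request_url)

    # 1. The plaintext endpoint must not serve content; it must redirect.
    if status not in (301, 308):
        problems.append(f"http:// request answered with {status}, not a permanent redirect")
    else:
        target = urlsplit(plain_hdr.get("location", ""))
        if target.scheme != "https":
            problems.append("redirect target is not https://")
        elif target.hostname != requested.hostname or target.path != requested.path:
            problems.append("redirect changes host or path (user is sent elsewhere)")

    # 2. The HTTPS response must pin the browser to HTTPS for future visits.
    hsts = parse_hsts(tls_hdr.get("strict-transport-security", ""))
    if hsts is None:
        problems.append("no Strict-Transport-Security header on the HTTPS response")
    elif hsts["max-age"] < MIN_HSTS_MAX_AGE:
        problems.append(f"HSTS max-age {hsts['max-age']} is shorter than {MIN_HSTS_MAX_AGE}")

    # 3. Browsers ignore HSTS received over plaintext, so sending it there
    #    does nothing and usually signals a misunderstanding of the header.
    if "strict-transport-security" in plain_hdr:
        problems.append("HSTS header sent over plaintext HTTP is ignored by browsers")
    return problems


# Constructed sample: a site that still serves pages over plaintext HTTP.
WEAK = dict(
    request_url="http://example.test/login",
    status=200,
    headers={"Content-Type": "text/html"},
    https_headers={"Content-Type": "text/html"},
)

# Constructed sample: plaintext redirected to HTTPS, HSTS set for one year.
HARDENED = dict(
    request_url="http://example.test/login",
    status=301,
    headers={"Location": "https://example.test/login"},
    https_headers={"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
)

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, check_https_enforcement(**sample) or ["ok"])
```

Feeding the function real responses is a matter of issuing the two requests with any HTTP client and passing the status and header dictionaries through; the redirect check deliberately rejects a redirect that lands on a different host or path, since that is how a captive portal or a misconfigured load balancer quietly replaces the secure site.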

This is What Happens When Officers Can Turn Off Body Cameras

Advocates of police accountability have been arguing that police officers should be required to wear body cameras while on duty. Although there was some resistance to this idea from police apologists, that has mostly faded. Many of them are now on board with the idea because they understand that body cameras can collect evidence to prosecute more people and that officers can disable the cameras when they’re about to beat somebody down. That second part is important because it will render any of the benefits of body cameras useless. What we can expect in the future is what Denver is experiencing now:

As the nation’s policing agents scramble to provide street officers with body cameras, a new study released Wednesday shows that a majority of use-of-force incidents weren’t captured by Denver police officers who are piloting use of the technology.

There were a host of reasons for officers failing to turn on the body worn cameras (BWCs) in violation of Denver Police Department policy. According to an independent police monitor’s report, which surveyed the six months ending in December, only 26 percent of the use-of-force incidents in the studied policing district were captured on video.

If officers can disable their body cameras without consequence then any benefits of mandating body cameras, at least as far as the people are concerned, go out the window. Unless officers are punished, and by that I mean charged with a crime, for disabling their body cameras while on duty the only purpose those fancy devices will serve is to collect evidence to prosecute people.

Body cameras alone won’t hold officers accountable. There also need to be policies that will result in officers being fired, fined, and opened up to lawsuits if they disable their cameras. I believe arguments could even be made for jailing an officer who disables his body camera during a use of force incident (in which case I would argue that doing so would effectively be an admission of guilt in a court hearing unless evidence of a non-officer related failure could be shown).

Got $17,000 Burning a Hole In Your Pocket? Apple Can Help!

Yesterday Apple unveiled a new MacBook and released more details about the Apple Watch. The new MacBook certainly qualifies as a fantastic feat of personal electronics manufacturing. However having only a single port on the entire device makes it useless to me. One USB Type-C port that also doubles as the charging port means attaching accessories to the laptop will be impossible. I think Apple really missed the mark by not having the power adapter integrate a USB Type-C hub. None of this matters though since I’m not the intended audience for the laptop.

The Apple Watch appeared to be the star of the show even though I found it underwhelming when compared to the new MacBook. Apple announced that its watch would have a paltry 18-hour battery life based on estimations of average usage (but we have no idea what it estimates to be average usage so the measure is meaningless). However pricing was announced and if you have $17,000 burning a hole in your pocket Apple is here to help.

People have been comparing the luxury Watch Edition of the Apple Watch to high-end watch manufacturers such as Rolex, Jaeger-LeCoultre, and Patek Philippe. I feel that there’s a major difference that people making the comparison are leaving out. When you drop ten grand or more on, say, a Rolex you have a timepiece for life. Hell, you have a timepiece for the life of your children and their children. There is also resale value. Dropping ten grand or more on the Apple Watch will net you an electronic device that will be outdated next year, which will pretty much eliminate its resale value. I also have my doubts that the Apple Watch will be as serviceable as watches from well known watchmakers (there are skilled watchmakers that still service decades old Submariners, for example). Even if you do pass down an Apple Watch it’s unlikely getting a replacement battery in 30 years will be feasible. So I don’t think comparing the Apple Watch to established watchmakers is a terribly good idea.

In the end I don’t see the Apple Watch selling terribly well, but few people have made money betting against Apple since Steve Jobs took the reins back. That new MacBook will probably sell like hotcakes though. People want thin laptops and the new MacBook is certainly thin.

Modern Medical Technology Amazes Me

Prosthetics have only recently become more than crude mechanical devices capable of simulating only very basic human movements, if they could even simulate that. But the introduction of computer technology has allowed prosthetics to improve dramatically in a very short period of time. One of my friends posted this video of a woman who has a prosthetic hand that moves very much like a natural hand.

The prosthetic is made by Bebionic, which makes prosthetics that use motors and microprocessors to better mimic human movements. All I can say is that’s incredibly cool.

Today’s Browser Vulnerability is Brought to You By the State and the Letters F, R, E, A, and K

People often mock libertarians by claiming they blame everything on the state. But the recently revealed Factoring Attack on RSA-EXPORT Keys (FREAK) that leaves Android and Apple users vulnerable was actually the fault of the state. How so? Because of its futile attempts in the 1990s to control the export of strong encryption technology:

The weak 512-bit keys are a vestige of the 1990s, when the Clinton administration required weak keys to be used in any software or hardware that was exported out of the US. To satisfy the requirement, many manufacturers designed products that offered commercial-grade keys when used in the US and export-grade keys when used elsewhere. Many engineers abandoned the regimen once the export restrictions were dropped, but somehow the ciphers have managed to live on a select but significant number of end-user devices and servers. A list of vulnerable websites is here. Matthew Green, an encryption expert at Johns Hopkins University, told Ars the vulnerable devices included virtually all Android devices, as well as iPhones and Macs.

This is yet another example of how state regulations make us all vulnerable. In the state’s lust to control everything it often puts regulations in place that prevent its subjects from utilizing the best available defensive technologies. From restrictions on encryption technology to body armor, the state’s vested interest in spying on you and killing you far outweighs whatever concerns it may have about your safety.

We’re in the midst of a second crypto war but the state isn’t using its failed regulatory red tape this time. Instead it is trying to convince companies to implement back doors, actively exploiting encryption technology without disclosing the vulnerabilities to developers, and surveilling whatever data connections it can get its taps into. Even though the strategy has changed the end goal remains the same: leave the people vulnerable to malicious actors so the state can ensure its capability to spy on us and kill us remains intact.
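The FREAK problem described in the quoted article, and the "reconfigure your server when new exploits are discovered" chore from the HTTP post above, both come down to the same audit: find out whether a TLS endpoint still offers the export-grade suites and refuse to negotiate them. The script below is an added example written for this post, not code from Ars Technica, Mozilla, or the FREAK researchers. It classifies cipher suites by name and symmetric strength, using the same dictionary layout that Python's `ssl.SSLContext.get_ciphers()` returns, and builds a client context that cannot fall back to the SSLv3/TLS 1.0 era where those suites live. The `LEGACY_SERVER_OFFER` list is constructed to include suites a current OpenSSL no longer ships; the strength thresholds are assumptions chosen for the demonstration.

```python
"""Audit a list of TLS cipher suites for the export-grade suites behind FREAK.

Added example, not code from the linked articles. Each suite descriptor
mirrors the dicts that ssl.SSLContext.get_ciphers() returns ('name',
'protocol', 'strength_bits'); the sample list below is constructed.
"""
import re
import ssl

# OpenSSL names export suites with an EXP- or EXP1024- prefix; IANA names
# carry _EXPORT (e.g. TLS_RSA_EXPORT_WITH_RC4_40_MD5).
EXPORT_PATTERN = re.compile(r"(^EXP(1024)?-|_EXPORT)")
# Thresholds assumed for this example: commercial-grade symmetric strength
# and the RSA modulus size that has been the floor for public CAs since 2014.
MIN_STRENGTH_BITS = 128
MIN_RSA_BITS = 2048


def is_export_suite(name: str) -> bool:
    """True for the 1990s export suites: short RSA modulus, 40/56-bit cipher."""
    return bool(EXPORT_PATTERN.search(name))


def audit_ciphers(ciphers):
    """Return (name, reason) pairs for every suite that should be disabled."""
    findings = []
    for suite in ciphers:
        name = suite["name"]
        if is_export_suite(name):
            findings.append((name, "export-grade suite: short RSA modulus and 40/56-bit key"))
        elif suite.get("strength_bits", 0) < MIN_STRENGTH_BITS:
            findings.append((name, f"only {suite['strength_bits']}-bit symmetric strength"))
    return findings


def rsa_key_acceptable(modulus_bits: int) -> bool:
    """The 512-bit export moduli FREAK abuses were factorable in hours by 2015."""
    return modulus_bits >= MIN_RSA_BITS


def hardened_context() -> ssl.SSLContext:
    """Client context that refuses the protocol versions export suites live in."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv3, TLS 1.0 or 1.1
    return ctx


# Constructed sample: what an export-capable server from the 1990s regimen
# might still advertise alongside modern suites.
LEGACY_SERVER_OFFER = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "strength_bits": 256},
    {"name": "AES128-SHA", "protocol": "TLSv1.0", "strength_bits": 128},
    {"name": "EXP-RC4-MD5", "protocol": "SSLv3", "strength_bits": 40},
    {"name": "EXP-DES-CBC-SHA", "protocol": "SSLv3", "strength_bits": 40},
    {"name": "EXP1024-RC4-SHA", "protocol": "SSLv3", "strength_bits": 56},
    {"name": "DES-CBC3-SHA", "protocol": "TLSv1.0", "strength_bits": 112},
]

if __name__ == "__main__":
    for name, reason in audit_ciphers(LEGACY_SERVER_OFFER):
        print(f"disable {name}: {reason}")
    # What this interpreter's own OpenSSL would negotiate today.
    live = audit_ciphers(hardened_context().get_ciphers())
    print("weak suites in the local default context:", live or "none")
```

Run against a real server, the input for `audit_ciphers` is whatever suite list your scanner reports; the value of the check is that it flags the export suites by name even when a server advertises them only for old protocol versions, which is exactly the downgrade path the attack relies on.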