Google Backs Away from Encrypting Android 5.0 Device By Default

When Snowden leaked the National Security Agency’s (NSA) dirty laundry a lot of companies’ faces were red. The leaks showed that they were either complicit in the NSA’s surveillance apparatus or helpless to stop the agency from exploiting their systems. In an attempt to rebuild customer confidence many technology companies scrambled to improve the security on their devices. Apple, being the manufacturer of very popular handsets, announced several major security improvements in iOS 8, including disabling its ability to bypass a user’s set passcode. Much to the approval of Android users Google announced that Android 5.0, also known as Lollipop, would ship with device encryption enabled by default.

But some bad news appeared yesterday. Google has backed down from enabling encryption by default in Lollipop:

Last year, Google made headlines when it revealed that its next version of Android would require full-disk encryption on all new phones. Older versions of Android had supported optional disk encryption, but Android 5.0 Lollipop would make it a standard feature.

But we’re starting to see new Lollipop phones from Google’s partners, and they aren’t encrypted by default, contradicting Google’s previous statements. At some point between the original announcement in September of 2014 and the publication of the Android 5.0 hardware requirements in January of 2015, Google apparently decided to relax the requirement, pushing it off to some future version of Android. Here’s the timeline of events.

This, in my seldom humble opinion, is a very bad idea. The justification appears to be performance related. Namely, many Android devices without hardware cryptography acceleration support tend to take a huge performance dive when device encryption is enabled.

If a user wants to disable device encryption that’s their choice but I firmly believe that this option should be enabled by default even if performance noticeably suffers on some devices. We’ve seen too many stories where abusive spouses, police officers, and federal agents have retrieved data from unencrypted devices without the consent of the owner or, in the case of law enforcement, warrants. With the amount of personal data people store on their mobile devices it’s far too risky to leave that data unprotected from prying eyes. Especially when we live in a surveillance state.

Signal for iOS Now Supports Secure Text Messaging

One of the things I try to do is find tools that enable secure communications without requiring a degree in computer science to learn. OK, few of the tools I’ve seen require a computer science degree but most people are notoriously lazy so any barrier to entry is too much. I’ve been using and recommending Wickr for a few months now because of its relative ease of use. It’s a good tool but there are two major flaws in my opinion. First, it’s not open source. Second, it requires a separate user name and password, which is a surprisingly high barrier to entry for some (I’m talking about people with little security knowledge).

For a while Android users have enjoyed Red Phone for secure phone calls and TextSecure for secure text messages. Some time ago an app called Signal was released that gave iOS users the ability to call Red Phone users but there was no app that was compatible with TextSecure. Since some of the people I talk to use Android and others use iOS I really needed a solution that was cross platform. Fortunately the developers of Signal, Red Phone, and TextSecure just released an update to Signal that enables secure text messaging.

It’s a very slick application. First of all it, along with every other project developed by Open Whisper Systems, is open source. While being open source isn’t a magic bullet it certainly does make verifying the code easier (and by easier I mean possible). The other thing I like is that it uses your phone number to register your app with Open Whisper Systems’ servers. That means people can see if you have the app installed by looking up your number, which is magically pulled from your contacts list, in the app. If it’s installed on your end the app will let them send you text messages or call you. There are no user names or passwords to fiddle with so the barrier to entry is about as low as you can go.

Signal isn’t a magic bullet (no secure communication tools are). For example, since it’s tied to your phone number it doesn’t preserve your anonymity. Wickr, by allowing you to use a separate user name, does a better job in that department although it’s still not as good as it could be since it doesn’t attempt to anonymize traffic through something like Tor. Messages also aren’t set to self-destruct in a set amount of time like Wickr’s messages are. But it certainly fulfills some of my requirements when talking with people who aren’t technically knowledgeable or are just plain lazy.

Why I Self-Host

For many years this site has been hosted on a server sitting in my dwelling. I did this in part for educational purposes; hosting your own site does teach you a lot about server administration. The other reason I did this was so I could be free of any third party’s terms of use agreement. While many hosts, including my original one, WordPress.com, have very permissive use agreements, those agreements are subject to change. Google just announced a major change to its use agreement that will leave some blogs reeling:

TORONTO — Google is cracking down on adult content posted to its popular Blogger service.

The company started notifying users on Monday that they have until March 23 to delete “images and video that are sexually explicit or show graphic nudity.”

Google said it will not delete existing blogs that haven’t been purged of explicit content by March 23 but warned it will set them to “private” — meaning only the user and people with whom he/she has directly shared the blog will be able to view it.

I don’t host any adult content on my site but I do discuss firearms, anarchism, and other subjects that can be unpopular with many companies. It isn’t impossible to imagine a host deciding it doesn’t want to allow anybody to use its service to discuss weapons or how terrible statism is. But since I host this site on my own server I don’t have to worry about such bullshit!

You Can’t Stop the Signal

If you research the development of communication technology you’ll notice two trends. First, when the technology first begins to gain popularity there are always government busybodies arguing that it must be controlled. Second, any attempt to control the technology utterly fails in the long run. When the printing press started gaining prominence the Inquisition wanted to control it to prevent the printing of heresy. While they achieved some limited success in controlling what was printed in certain languages, namely the languages the Inquisition officials that worked in censorship knew such as Italian, the result was that people printed censored works in languages, such as German, that Inquisition officials were less familiar with. Today the same game is being played with modern communication technologies. Every government seems hellbent on censoring modern communication technologies and some states have been especially tyrannical in their efforts. Cuba is one of those states. But the watchful censors of the Cuban government have been continuously outsmarted by a bunch of kids:

HAVANA (AP) — Cut off from the Internet, young Cubans have quietly linked thousands of computers into a hidden network that stretches miles across Havana, letting them chat with friends, play games and download hit movies in a mini-replica of the online world that most can’t access.

Home Internet connections are banned for all but a handful of Cubans, and the government charges nearly a quarter of a month’s salary for an hour online in government-run hotels and Internet centers. As a result, most people on the island live offline, complaining about their lack of access to information and contact with friends and family abroad.

A small minority have covertly engineered a partial solution by pooling funds to create a private network of more than 9,000 computers with small, inexpensive but powerful hidden Wi-Fi antennas and Ethernet cables strung over streets and rooftops spanning the entire city. Disconnected from the real Internet, the network is limited, local and built with equipment commercially available around the world, with no help from any outside government, organizers say.

Never underestimate the power of kids wanting to communicate with one another. Unlike many adults, kids haven’t had the fear of the state beaten into them and therefore are more willing to flip it the bird and do as they want. Combine this willingness to disobey with an amazing capacity to learn new technologies quickly and you have a recipe for rendering state censorship efforts impotent.

As long as we have states we will likely have attempts to censor communications. But you can’t stop the signal. Humans have an innate desire to communicate with one another and will smash through any barrier that lies between them and their friends.

Ensuring Only Established Business Can Play

The best thing about having a government is that it can protect the big players from small start ups. One of the biggest threats to established companies such as AT&T, Comcast, and Verizon is small start ups that develop innovative ways to offer superior services for less. Thankfully the state has established a great many regulatory roadblocks between start ups and their already established competitors. For example, the Federal Communications Commission (FCC) has a monopoly on wireless spectrum. In order to utilize any wireless spectrum you must obtain its permission and it has developed an auction model that ensures its permission is much too costly for anybody besides the already established companies:

(Reuters) – The U.S. Federal Communications Commission raised a record $44.9 billion in the auction of so-called AWS-3 airwaves that closed on Thursday, marking the highest point yet in the wireless industry’s appetite for more spectrum.

Wireless carriers Verizon Communications Inc, AT&T Inc and T-Mobile US Inc, satellite TV provider Dish Network Corp and others vied for new slices of airwaves to satisfy the growing consumer demand for streaming video and other data-guzzling applications.

$44.9 billion. While that’s a significant investment even for the likes of AT&T and Verizon it’s an impossible price for a start up to meet. The auction model for wireless spectrum ensures only companies with billions of dollars to throw around can buy into the wireless game. Sure, the FCC periodically throws a few scraps to the little guy such as the 2.4 and 5.0GHz bands but those scraps aren’t suited for services such as cellular phone provision.

People always talk about how important government is to prevent monopolies. What they fail to see is that the government is a monopoly and it uses that status to favor specific market actors over others.

Police Love to Stalk But Hate Being Stalked

Police love stalking people. To this end most departments have invested a lot of money into acquiring technology that makes their creepy behavior easier. But what happens when the tables are turned and the people start keeping tabs on the police? The police cry foul, what else?

Sheriffs are campaigning to pressure Google Inc to turn off a feature on its Waze traffic software that warns drivers when police are nearby. They say one of the technology industry’s most popular mobile apps could put officers’ lives in danger from would-be police killers who can find where their targets are parked.

Talk about a bunch of hypocrites. They’re bitching about people being able to find and target them but the tracking technology they use is totally cool even though it’s used to find and target us. It’s not unheard of for police officers to use department resources to stalk an ex, a potential love interest, or just somebody they feel like harassing. Take this story for example:

Fort Collins police officer was fired following an investigation that determined he used agency resources to discover where a woman worked and lived.

So why aren’t these sheriffs volunteering to dispose of their departments’ license plate scanners, accounts with cellular providers that allow them to request customer location information, cell phone trackers, and other technology that enables their officers to stalk us? It’s because they love doing to us what they fear us doing to them.

HealthCare.gov Sending Personal Information to Tracking Sites

The war over the Affordable Care Act (ACA) is still being waged. Democrats are pointing out that the number of people with health insurance coverage is higher than ever, which isn’t surprising since you’re now required to purchase it by law. Republicans are upset because the ACA is still called ObamaCare and they wanted everybody to call it RomneyCare. Libertarians, rightly so, are asking how a government can force you to buy a product. But there’s a problem with the ACA that has received relatively little coverage. From a privacy standpoint HealthCare.gov is a total fucking nightmare:

EFF researchers have independently confirmed that healthcare.gov is sending personal health information to at least 14 third party domains, even if the user has enabled Do Not Track. The information is sent via the referrer header which contains the URL of the page requesting a third party resource. The referrer header is an essential part of the HTTP protocol, it is sent for every request that is made on the web. The referrer header lets the requested resource know what URL the request came from, this would for example let a website know who else was linking to their pages. In this case however the referrer URL contains personal health information.

In some cases the information is also sent embedded in the request string itself, like so:

https://4037109.fls.doubleclick.net/activityi;src=4037109;type=20142003;cat=201420;ord=7917385912018;~oref=https://www.healthcare.gov/see-plans/85601/results/?county=04019&age=40&smoker=1&parent=&pregnant=1&mec=&zip=85601&state=AZ&income=35000&step=4?

That’s a referrer link from HealthCare.gov to DoubleClick.net that tells the advertiser that the user is 40 years old, that the user (assuming a value of 1 indicates true) smokes, that the user is not a parent, that the user is pregnant, the user’s zip code, the user’s state, and the user’s income.
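An added example, not code from this post, EFF, or HealthCare.gov: a JavaScript audit of the request quoted above, showing which fields reach the third party through the Referer header under different Referrer-Policy values and which reach it through the request string regardless. The `SENSITIVE_KEYS` list and all function names are assumptions made for the example.

```javascript
// The third-party request quoted in the post, joined back into one line.
const TRACKER_REQUEST =
  "https://4037109.fls.doubleclick.net/activityi;src=4037109;" +
  "type=20142003;cat=201420;ord=7917385912018;~oref=https://www." +
  "healthcare.gov/see-plans/85601/results/?county=04019&age=40&smoker=1" +
  "&parent=&pregnant=1&mec=&zip=85601&state=AZ&income=35000&step=4?";

// Assumption: which query keys count as personal data. Chosen here for the
// example; a real audit would define its own list.
const SENSITIVE_KEYS = ["county", "age", "smoker", "pregnant", "zip", "state", "income"];

// Pull out the page URL that the tag copied into its own request (~oref=...).
function embeddedPageUrl(requestUrl) {
  const marker = "~oref=";
  const at = requestUrl.indexOf(marker);
  return at === -1 ? null : requestUrl.slice(at + marker.length);
}

// List the non-empty sensitive query parameters carried by a URL.
function leakedFields(url) {
  const found = {};
  for (const [key, value] of new URL(url).searchParams) {
    if (SENSITIVE_KEYS.includes(key) && value !== "") found[key] = value;
  }
  return found;
}

// What a browser puts in the Referer header for a subresource request under
// the given Referrer-Policy value. Returns null when no header is sent.
function refererFor(pageUrl, targetUrl, policy) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  page.hash = "";      // fragments and credentials are never sent
  page.username = "";
  page.password = "";
  const full = page.href;
  const originOnly = page.origin + "/";
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === "https:" && target.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "strict-origin": return downgrade ? null : originOnly;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error("unhandled policy: " + policy);
  }
}

// Audit one tracker request: fields exposed via the Referer header under a
// policy, and fields exposed because the tag embedded the page URL itself.
function audit(requestUrl, policy) {
  const page = embeddedPageUrl(requestUrl);
  if (!page) return { viaHeader: {}, viaRequestString: {} };
  const referer = refererFor(page, requestUrl, policy);
  return {
    viaHeader: referer ? leakedFields(referer) : {},
    viaRequestString: leakedFields(page),
  };
}
```

Under `strict-origin-when-cross-origin` the header carries only the origin, but the `~oref` copy still exposes every field, so a header policy alone does not close the leak; the tag has to stop embedding the page URL.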

You might be curious why a website paid for with taxes is sending health information about its users to an online advertiser. Usually websites only send user data to advertisers if they’re selling it. I wouldn’t be surprised if HealthCare.gov is double dipping by taking tax dollars and selling data to online advertisers. It wouldn’t be a bad money making strategy. First you force everybody to buy your product and then you sell their data.

DoubleClick.net isn’t the only site that HealthCare.gov is sending user health information to. Akamai.net, Chartbeat.net, Clicktale.net, and many more are receiving this data.

Interestingly enough both the Democrats and the Republicans seem entirely unconcerned about this. The only thing they care about is the political dick measuring contest that has been going on between them since forever. But this violation of privacy has real world ramifications, especially since the advertisers receiving this data already have a great deal of data on many Internet users.

Obama Wants to Enable Abusers to Better Surveil Their Victims

Last week David Cameron, the prime minister of the United Kingdom, publicly stated that he wanted all encryption to be broken so he and his cronies could better spy on the populace. Shortly afterward Obama came out in support of Cameron’s desire:

President Barack Obama said Friday that police and spies should not be locked out of encrypted smartphones and messaging apps, taking his first public stance in a simmering battle over private communications in the digital age.

Apple, Google and Facebook have introduced encrypted products in the past half year that the companies say they could not unscramble, even if faced with a search warrant. That’s prompted vocal complaints from spy chiefs, the Federal Bureau of Investigation and, this week, British Prime Minister David Cameron.

Obama’s comments came after two days of meetings with Cameron, and with the prime minister at his side.

“If we find evidence of a terrorist plot… and despite having a phone number, despite having a social media address or email address, we can’t penetrate that, that’s a problem,” Obama said. He said he believes Silicon Valley companies also want to solve the problem. “They’re patriots.”

Every time a politician tells us that we need to surrender security they always sell it with fear. They tell us that they must be able to read all of our communications otherwise terrorists will kill us, pedophiles will kidnap and rape children, abusers will continue to abuse their victims, and murderers will be able to kill with impunity. I think it’s about time to bring this conversation full circle. Every one of those arguments can be flipped around.

Without having a means of communicating anonymously and privately individuals become much easier for terrorists to target. Imagine an individual inside of a terrorist cell that wants to communicate the cell’s plans to counter-terrorists. Unless he is able to do this anonymously and privately he will likely be killed. The problem with breaking cryptographic tools so the government can bypass them is that anybody who knows about that weakness can also bypass them.

Then we have the children. Every attack against our privacy is “for the children”. But cryptographic tools can also protect children from predators. Imagine a school setting where an instructor is planning to abduct one of the pupils. He’s obviously not going to do it on school grounds because the likelihood of him being caught is high. However if his target coordinates plans with other schoolmates via electronic communications and those communications are not secure the predator can view them and wait for them to go somewhere more isolated.

Abusers love to surveil their victims. Keeping tabs on where their victims go, what they spend, who they’re talking with, and what they’re talking about allows abusers to wield a great deal of psychological power. This ability to surveil also makes it less likely that their victims will seek help. When the chances of getting caught seeking help are high and the consequences are physical abuse then a victim is more likely to do what maintains the status quo.

Murderers, like terrorists, would benefit greatly from broken cryptography. Like terrorists, murderers need to identify and track their target. If somebody is trying to murder a specific individual they may know where that individual works and lives. Businesses and neighborhoods often have too many witnesses around so a smart murderer is going to surveil their target and use the information he uncovered to strike at a more opportune time.

It’s time we start calling the politicians on their bullshit fear mongering. Whenever they bring up terrorists, pedophiles, abusers, or murderers we need to point out that those threats are also good arguments for strong cryptography.

Google Stops Supporting Old Unsupported Code

I give software companies a lot of shit for failing to keep their customers secure but I also acknowledge that the task is really difficult. This is especially true when your customers are running old versions of your software and either refuse to or cannot upgrade. Microsoft continued supporting Windows XP for a decade, which is probably a century in software terms. When it cut off support many people still running Windows XP complained that they were being put at unnecessary risk. But software companies can’t support every version of every software product they’ve released. Google recently announced that it was no longer going to support Android WebView and now people are complaining that they’re being put at unnecessary risk because they’re running an old version of Android:

Owning a smartphone running Android 4.3 Jelly Bean or an earlier version of the Android operating system? Then you are at great risk, and maybe this will never end.

Yes, you heard right. If you are also one of millions of users still running Android 4.3 Jelly Bean or earlier versions of the operating system, you will not get any security updates for WebView as Google has decided to end support for older versions of Android WebView – a default web browser on Android devices.

WebView is the core component used to render web pages on an Android device, but it was replaced on Android 4.4 KitKat with a more recent Chromium-based version of WebView that is also used in the Chrome web browser.

Admittedly only supporting the latest version of Android is pretty shoddy but who is really to blame? Google has released a new version of Android, 4.4, and is supporting it so why aren’t customers upgrading? Because device manufacturers and carriers are standing in the way.

The smartest thing Apple did with the iPhone is cut the carriers out of the update cycle. When Apple wants to release an update it just releases an update. Furthermore it has been doing an OK, albeit not great, job of supporting older devices.

Most devices require the device manufacturer to release an update and each carrier to sign off on it before it gets pushed to customers. Android device manufacturers have also been stopping updates for older devices at breakneck speed. Oftentimes you’re fortunate to have your device supported with updates by the manufacturer for the entirety of your two year contract. And even if the manufacturer does a good job of supporting your device the carrier through inaction may prevent the update from being released to its customers.

I don’t think Google should bear most of the blame here. The real culprits are the companies that have prevented their customers from upgrading to the latest version of Android. Unless mobile handsets move to a model similar to desktops and laptops, where customers are free to install whatever operating system version they desire, we’re going to continue seeing instances where software developers drop support for legacy products and leave massive numbers of users without needed support.

David Cameron Joins the Legion of Naive People Who Think They Can Stop the Progress of Technology

David Cameron, the fascist prime minister of the United Kingdom, has decided that us serfs have no need for secure communications. He has expressed a desire to make the use of end-to-end encrypted communications illegal:

The prime minister has pledged anti-terror laws to give the security services the ability to read encrypted communications in extreme circumstances. But experts say such access would mean changing the way internet-based messaging services such as Apple’s iMessage or Facebook’s WhatsApp work.

This is just another battle in the crypto wars that have been waged between the state and the people. Needless to say the state hasn’t been faring so well. Nobody should be surprised by this though. History is littered with examples of power hungry despots trying to control commonly available technology and failing miserably. For example, the Inquisition was very interested in controlling access to printing presses in order to prevent the spread of anti-Church literature. It didn’t end well for them.

Today states are interested in restricting our access to secure communications. We’re told that these restrictions are necessary for the state to keep us safe but history has shown that such restrictions are put into place to bolster the state’s power. History has also shown us that any restrictions unpopular with the people fail in time.

Secure communication tools are now so pervasive that they cannot help but hold popular support. Nobody wants to transmit their authentication credentials in a way that anybody can intercept them (and if the state can intercept them then anybody can). People suffering from embarrassing medical conditions don’t want the world to know about it when they’re searching for related material online. And few people want others to know what kind of porn they watch.

We have need for secure communications and the tools to enable it are widely available. That means Cameron’s desires cannot be realized. Even if he passes a law making end-to-end encryption illegal people will use it coupled with anonymity tools to protect themselves from prosecution. You can’t put the djinn back in the bottle once it’s out no matter how many laws you pass. The fact that Cameron doesn’t realize this shows how delusional about his power he truly is.