North Korea’s Web Browser

North Korea has its own operating system called Red Star OS. Not surprisingly it’s a distribution of Linux. What makes it interesting is that it’s the official operating system of one of the most closed nations on Earth. Recently it leaked onto the Internet and people have been playing with it. So far the most interesting article I’ve found involves the operating system’s web browser:

If you want to send a request to a web address across the country, you need to have a hostname or an IP address. Hostnames convert to IP addresses through something called DNS. So if I want to contact www.whitehatsec.com DNS will tell me to go to 63.128.163.3. But there are certain addresses, like those that start in “10.”, “192.168.” and a few others that are reserved and meant only for internal networks – not designed to be routable on the Internet. This is sometimes a security mechanism to allow local machines to talk to one another when you don’t want them to traverse the Internet to do so.

Here’s where things start to go off the rails: what this means is that all of the DPRK’s national network is non-routable IP space. You heard me; they’re treating their entire country like some small to medium business might treat their corporate office. The entire country of North Korea is sitting on one class A network (16,777,216 addresses). I was always under the impression they were just pretending that they owned large blocks of public IP space from a networking perspective, blocking everything and selectively turning on outbound traffic via access control lists. Apparently not!

Yup, the entire country is apparently treated as one giant intranet. The zany doesn’t stop there though. Check out the article because North Korea certainly made some intriguing design decisions.

We’re All Sons of the Patriots Now


Obligatory reference.

TrackingPoint is a company known for developing a $17,000 Linux powered scope. Now they’re moving into Internet enabled optics:

The company, which is here at CES Showstoppers, has just announced ShotView, an iOS and Google Play app that lets a hunter stream video from his or her gun to anyone in the world. And the press release is very clear about its place in the tech world:

“Hunting and shooting sports are now part of the Web fabric. With this new technology, friends and family are virtually transported and immersed in exotic and exciting hunts,” says Danielle Hambleton, TrackingPoint’s vice president of marketing. “Hunters can now share the thrill of the stalk and the excitement of victory in real-time.”

According to Cisco, more than 99 percent of things in the physical world are still not connected to the Internet. But, this new technology represents a giant leap forward for the firearms industry. “We wholeheartedly embrace Cisco’s vision for the Internet of Everything,” says Hambleton. “Our exceptional long-range hunting technology combined with Cisco’s foresight will vastly enrich the world of hunting and shooting sports.”

“Now that the firearm is networked, the sky is the limit,” says Vann Hasty, TrackingPoint’s vice president of engineering.

This is an interesting take on so-called smart guns. While the technology being discussed isn’t integrated into the firearm itself it’s not hard to see that happening a few years down the line. After all, humans crave data. Why not include mechanisms to measure trigger pull, chamber pressure, barrel harmonics, etc.? That would give a far better experience to people watching your hunt via your optic. But then we get into the strange realm of security.

While I’m a fan of integrating technology and firearms my enthusiasm is curbed by the lackluster history of computer security we’ve experienced as a species. Internet enabling a firearm opens the door for potential remote attacks. Given the right electronics in a firearm it isn’t outside the realm of possibility that a firearm could be rendered disabled via remote Internet exploit. On a wide enough scale, such as the scale seen when exploits are used to create botnets, you could even render large percentages of weapons inert.

For you gamers out there this could eventually lead to a system similar to Metal Gear Solid 4’s Sons of the Patriots (SoP). In the series, because of the magic of nanomachines, anybody who is able to gain control of SoP can disable most military hardware including small arms. It’s a pretty stupid premise as it is based on technomagic but as more military hardware becomes network enabled it isn’t unforeseeable that large chunks of a military could be disabled through remote hacks.

We live in an interesting world and it’s getting more interesting every day.

Anarcho-Robots Care Not For Your Laws

I was out late helping plan a local CryptoParty so this will be all the content you will get today. But I’m giving you some gold. Science fiction often explores the ideas of artificial entities breaking laws. Usually these entities take the form of artificial intelligences that are capable of thinking and acting on their own. Under such circumstances it’s easy to see how human law can be applied to artificial intelligences. But what happens when the artificial law breaker isn’t intelligent? That’s exactly what this story is making us address:

The Random Darknet Shopper, an automated online shopping bot with a budget of $100 a week in Bitcoin, is programmed to do a very specific task: go to one particular marketplace on the Deep Web and make one random purchase a week with the provided allowance. The purchases have all been compiled for an art show in Zurich, Switzerland titled The Darknet: From Memes to Onionland, which runs through January 11.

The concept would be all gravy if not for one thing: the programmers came home one day to find a shipment of 10 ecstasy pills, followed by an apparently very legit falsified Hungarian passport– developments which have left some observers of the bot’s blog a little uneasy.

If this bot was shipping to the U.S., asks Forbes contributor and University of Washington law professor contributor Ryan Calo, who would be legally responsible for purchasing the goodies? The coders? Or the bot itself?

This case is another example of the legal system being unable to keep up with the advancement of technology. The article goes on to explain that the laws apply to people knowingly purchasing illicit merchandise. Because of the bot’s random nature the author could not know that they would receive illegal merchandise. But the bot also didn’t know what it was doing since its actions were random and it is incapable of thinking (as far as we know, those AIs can be pretty sly).

In all probability politicians will scramble to debate this issue, write a law, and pass it. By the time they’re done the next technological advancement will be created that acts outside of the boundaries imagined by the politicians who passed the law that was supposed to deal with the last situation. Eventually we will have to address more severe crimes such as assault or murder. At some point when machines are intelligent enough to create new machines we’ll have to deal with the idea of whether or not an artificial author is responsible for the actions of its creation’s crime. Property crimes will also be interesting once the offenses are committed by machines instead of humans.

The legal system is incredibly slow moving while technological advancements happen at a rapid pace. There will likely come a day when intelligent machines become responsible for most technological advancements. What will happen then? Will we have to put the legal system into the hands of machines as well? Will people accept that? It’s an interesting thought exercise.

Fingerprints Still Suck as Authenticators

I do find Touch ID to be convenient but fingerprints are still terrible authenticators. This is, in part, because you leave them everywhere. Another problem is once an attacker has obtained your fingerprint there’s no way for you to change it. As technology improves the ability to obtain a target’s fingerprint becomes easier. The Chaos Computer Club demonstrated that this week when one of its members explained how he was able to replicate a politician’s fingerprint from a photograph:

Jan Krissler says he replicated the fingerprint of defence minister Ursula von der Leyen using pictures taken with a “standard photo camera”.

Mr Krissler had no physical print from Ms von der Leyen.

[…]

He told the audience he had obtained a close-up of a photo of Ms von der Leyen’s thumb and had also used other pictures taken at different angles during a press event that the minister had spoken at in October.

Biometric technology often wins favor due to its cool factor. Seeing a device unlock from a fingerprint reader or a retinal scanner is very neat to witness. But cool factor does not equal secure. If fingerprints can be replicated from standard photography today it won’t be long until they can also replicate retinal patterns.

Touch ID

When I was young I was an early adopter. I had to have every new gadget as soon as it was released. Because of that I was also a beta tester. Now that I’m older and don’t have the time to dick around with buggy products I wait until early adopters have played with a device for a while before purchasing it. The beta testers for the iPhone 6 have done a fantastic job as far as I can see so I finally upgraded to one.

I’m not too thrilled about the increased size but it’s not so big as to be difficult to use (unlike the iPhone 6 Plus, which combines all of the worst features of a phone and tablet into one big mistake). Other than the size it’s basically like previous iPhones but with added processing power and storage. Since I was upgrading from an iPhone 5 I also gained access to Touch ID, Apple’s fingerprint authentication system.

Let me preface what I’m about to say with an acknowledgement of how poor fingerprints are as a security token. When you use your fingerprint for authentication you are literally leaving your authentication token on everything you touch. That means a threat can not only get your authentication token but can do so at their leisure. Once a threat has your fingerprint there’s nothing you can do to change it.

With that disclaimer out of the way I must admit that I really like Touch ID. Fingerprints may not be the best authentication method in existence but all of us make security tradeoffs of some sort every day (since the only truly secure computer is one that cannot be used). Security and convenience are mutually exclusive. This is probably the biggest reason so many people are apathetic about computer security. But I think Touch ID does a good job of finding that balance between security and convenience.

Until Apple implemented Touch ID the only two options you had for securing your iPhone were a four digit PIN or a more complex password. A phone is a device you pull out and check numerous times throughout the day and usually those checks are a desire to find some small bit of information quickly. That makes complex passwords, especially on a touchscreen keyboard, a pain in the ass. Most people, if they have any form of security on their phone at all, opt for a four digit PIN. Four digit PINs keep out only the most apathetic attackers. If you want to be secure against a threat that is willing to put some work into cracking your device you need something more secure.

Touch ID works as a secondary method of authentication. You still need to have a four digit PIN or a password on the device. That, in my opinion, is the trick to Touch ID being useful. If you reboot your phone you will need to authenticate with your four digit PIN or password. Until that first authentication after boot up Touch ID is not available. Another way to make Touch ID unavailable is not to log into your phone for 48 hours.

The Fifth Amendment does not protect you from surrendering your fingerprint to the police. That means law enforcers can compel you to give your fingerprint so they can unlock your phone. Whether passwords are protected by the Fifth Amendment is a topic still being fought in the courts. If you’re arrested a password is going to be a better method of securing your device from the state than your fingerprint. Because of how Touch ID works you can thwart law enforcement’s ability to take your fingerprint by simply powering off the phone.

Only you can decide if Touch ID is an appropriate security mechanism for you. I’m really enjoying it because now I can have a complex password on my phone without having to type it in every time I pull it out of my pocket. But I also admit that fingerprints are poor authentication mechanisms. Tradeoffs are a pain in the ass but they’re the only things that make our electronic devices usable.

Encryption Works Except When It Doesn’t

People are still debating whether Edward Snowden is a traitor deserving a cage next to Chelsea Manning or a hero deserving praise (hint, unless you believe the latter you’re wrong). But a benefit nobody can deny is the overall improvement to computer security his actions have led to. In addition to more people using cryptographic tools we are also getting a better idea of what tools work and what tools don’t work:

The NSA also has “major” problems with Truecrypt, a program for encrypting files on computers. Truecrypt’s developers stopped their work on the program last May, prompting speculation about pressures from government agencies. A protocol called Off-the-Record (OTR) for encrypting instant messaging in an end-to-end encryption process also seems to cause the NSA major problems. Both are programs whose source code can be viewed, modified, shared and used by anyone. Experts agree it is far more difficult for intelligence agencies to manipulate open source software programs than many of the closed systems developed by companies like Apple and Microsoft. Since anyone can view free and open source software, it becomes difficult to insert secret back doors without it being noticed. Transcripts of intercepted chats using OTR encryption handed over to the intelligence agency by a partner in Prism — an NSA program that accesses data from at least nine American internet companies such as Google, Facebook and Apple — show that the NSA’s efforts appear to have been thwarted in these cases: “No decrypt available for this OTR message.” This shows that OTR at least sometimes makes communications impossible to read for the NSA.

Things become “catastrophic” for the NSA at level five – when, for example, a subject uses a combination of Tor, another anonymization service, the instant messaging system CSpace and a system for Internet telephony (voice over IP) called ZRTP. This type of combination results in a “near-total loss/lack of insight to target communications, presence,” the NSA document states.

[…]

Also, the “Z” in ZRTP stands for one of its developers, Phil Zimmermann, the same man who created Pretty Good Privacy, which is still the most common encryption program for emails and documents in use today. PGP is more than 20 years old, but apparently it remains too robust for the NSA spies to crack. “No decrypt available for this PGP encrypted message,” a further document viewed by SPIEGEL states of emails the NSA obtained from Yahoo.

So TrueCrypt, OTR, PGP, and ZRTP are all solid protocols to utilize if you want to make the National Security Agency’s (NSA) job of spying on you more difficult. It’s actually fascinating to see that PGP has held up so long. The fact that TrueCrypt is giving the NSA trouble makes the statement of its insecurity issued by the developers more questionable. And people can finally stop claiming that Tor isn’t secure due to the fact it started off as a government project. But all is not well in the world of security. There are some things the NSA has little trouble bypassing:

Even more vulnerable than VPN systems are the supposedly secure connections ordinary Internet users must rely on all the time for Web applications like financial services, e-commerce or accessing webmail accounts. A lay user can recognize these allegedly secure connections by looking at the address bar in his or her Web browser: With these connections, the first letters of the address there are not just http — for Hypertext Transfer Protocol — but https. The “s” stands for “secure”. The problem is that there isn’t really anything secure about them.

[…]

One example is virtual private networks (VPN), which are often used by companies and institutions operating from multiple offices and locations. A VPN theoretically creates a secure tunnel between two points on the Internet. All data is channeled through that tunnel, protected by cryptography. When it comes to the level of privacy offered here, virtual is the right word, too. This is because the NSA operates a large-scale VPN exploitation project to crack large numbers of connections, allowing it to intercept the data exchanged inside the VPN — including, for example, the Greek government’s use of VPNs. The team responsible for the exploitation of those Greek VPN communications consisted of 12 people, according to an NSA document SPIEGEL has seen.

How the NSA is able to bypass VPN and HTTPS is still in question. I’m guessing the NSA’s ability to break HTTPS depends on how it’s implemented. Many sites, including ones such as Paypal, fail to implement HTTPS in a secure manner. This may be an attempt to maintain backward compatibility with older systems or it may be incompetence. Either way they certainly make the NSA’s job easier. VPN, likewise, may be implementation dependent. Most VPN software is fairly complex, which makes configuring it in a secure manner difficult. Like HTTPS, it’s easy to put up a VPN server that’s not secure.

The ultimate result of this information is that the tools we rely on will become more secure as people address the weaknesses being exploited by the NSA. Tools that cannot be improved will be replaced. Regardless of your personal feelings about Edward Snowden’s actions you must admit that they are making the Internet more secure.

Abusers Installing Spyware on Their Victims’ Computers

Last month I briefly mentioned the importance of full disk encryption. Namely it prevents the contents of the hard drive from being altered unless one knows the decryption key. I had to deal with a friend’s significant other installing spyware on her system in order to keep tabs on who she was talking to and what she was doing. Her significant other didn’t know her login credentials but since her hard drive wasn’t encrypted he was able to install the spyware with a boot disk. This threat model isn’t out of the ordinary. In fact it is becoming worryingly common:

Helplines and women’s refuge charities have reported a dramatic rise in the use of spyware apps to eavesdrop on the victims of domestic violence via their mobiles and other electronic devices, enabling abusers clandestinely to read texts, record calls and view or listen in on victims in real time without their knowledge.

The Independent has established that one device offering the ability to spy on phones is being sold by a major British high-street retailer via its website. The proliferation of software packages, many of which are openly marketed as tools for covertly tracking a “cheating wife or girlfriend” and cost less than £50, has prompted concern that police and the criminal justice system in Britain are failing to understand the extent of the problem and tackle offenders.

A survey by Women’s Aid, the domestic violence charity, found that 41 per cent of domestic violence victims it helped had been tracked or harassed using electronic devices. A second study this year by the Digital Trust, which helps victims of online stalking, found that more than 50 per cent of abusive partners used spyware or some other form of electronic surveillance to stalk their victims.

As a general rule security is assumed to be broken when an adversary has physical access. But that isn’t always the case. It really depends on how technically capable a threat is. Oftentimes in cases of domestic abuse the abuser is not technically savvy and relies on easy to procure and use tools to perform monitoring.

Full disk encryption, while not a magic bullet, is pretty effective at keeping less technically capable threats from altering a drive’s contents without the owner’s knowledge. When encrypting the contents of a hard drive is not possible, either due to technical limitations or the threat of physical violence, the Tails Linux live distribution is a good tool. Tails is being developed to maintain user anonymity and leave as few traces as possible that it was used. All Internet traffic on Tails is pumped through Tor, which prevents a threat monitoring your network from seeing what you’re looking at or who you’re talking to (but does not disguise the fact that you’re using Tor). That can enable a victim to communicate securely with an individual or group that can help. Since Tails boots from a USB stick or CD it can be easily removed and concealed.

As monitoring tools become easier to use, cheaper, and more readily available the need to learn computer security will become even greater. After all, the National Security Agency (NSA) isn’t the only threat your computer environment may be facing. Domestic abusers, corrupt (or “legitimate”) law enforcers, landlords, bosses, and any number of other people may wish to spy on you for various reasons.

The Scope of the North Korea Internet Outage

I’m sure many of you are aware of the Internet outage in North Korea. An entire country’s Internet service disrupted? On paper this may sound impressive, it may even sound like retaliation by another nation state for a hack North Korea had nothing to do with. But the outage isn’t nearly as impressive as it sounds:

Chris Nicholson, a spokesman for Akamai, an Internet content delivery company, said it was difficult to pinpoint the origin of the failure, given that the company typically sees only a trickle of Internet connectivity from North Korea. The country has only 1,024 official Internet protocol addresses, though the actual number may be a little higher. That is fewer than many city blocks in New York have. The United States, by comparison, has billions of addresses.

1,024 official Internet protocol addresses for an entire nation? Damn. Obviously there aren’t a lot of connected people in that country (shocker, I know). According to Bloomberg the attack is directed at North Korea’s domain name service servers, which is cheap enough that pretty much anybody could do it:

Such attacks flood Internet servers with traffic to knock infrastructure offline. In North Korea’s case, the attack appears to be aimed at the country’s domain-name service system, preventing websites from being able to resolve Internet addresses, Holden said.

It’s unlikely the attack is being carried out by the U.S., as any hacker could probably spend $200 to do it, Holden said.

This is more likely an attack being carried out by a bored teenager with a small botnet than by a nation state. Then again with Sony’s recent behavior it wouldn’t surprise me a whole lot if it was doing this.

Sony isn’t Happy Until the Entire Internet Hates It

Sony has been on the Internet’s shit list at least since it included a rootkit on one of its audio CDs back in 2005. While nothing it has done since then has been as egregious in my opinion the company also hasn’t done anything to improve its image. Removing the feature on the PlayStation 3 that let you install Linux certainly didn’t go over well with people who paid for it.

Based on Sony’s reputation it shouldn’t surprise anybody that it was targeted for one hell of a nasty hack. But it still hasn’t learned its lesson. Since the hack Sony has been a really poor sport. It tried using Distributed Denial of Service (DDoS) attacks in a futile attempt to stop the data stolen in the hack from spreading. Now Sony is threatening to sue Twitter if it doesn’t ban accounts sharing stolen data:

Sony’s battle on people disseminating its hacked and leaked emails has extended from news outlets to random Twitter users to, now, Twitter itself. Sony’s lawyer has threatened Twitter with legal action if the social networking company doesn’t ban accounts that are sharing the leaks, according to emails obtained by Motherboard.

The letter—sent from David Boies, the lawyer Sony has hired to help guide it through the aftermath of the hack, to Vijaya Gadde, Twitter’s general counsel—says that if “stolen information continues to be disseminated by Twitter in any manner,” Sony will “hold Twitter responsible for any damage or loss arising from such use or dissemination by Twitter.”

The only thing shenanigans like this will get Sony is more wrath from the Internet. At this point the only sane thing for Sony to do is admit defeat and work on tightening its security so this doesn’t happen for a third time. Once data has leaked onto the Internet there is no way to stop it from propagating. It’s not even possible to slow the rate of propagation in any meaningful way. The Internet exists to disseminate information. Any attempt to prevent it from doing that will not end well for you.

Never Let a Crisis Go to Waste

Sony, in what I predict to be a brilliant marketing move, has cancelled what was certainly going to be a shitty movie. This has gotten the expected, and likely desired, result of unleashing a great deal of impotent Internet rage. Not one to let a crisis go to waste the politicians in Washington DC are swooping in like vultures. First United States officials claimed that the hack was almost certainly performed by North Korea. Now senators are using that claim to justify the necessity of a “cyber security” (a meaningless term) bill:

Senator John McCain (R-AZ) also said that the choice set a “troubling precedent” in cyberwarfare. “The administration’s failure to deter our adversaries has emboldened, and will continue to embolden, those seeking to harm the United States through cyberspace,” he said in a statement. He reiterated promises to focus on the issue if elected chair of the Armed Services Committee, including plans to create a subcommittee for cybersecurity issues. “Congress as a whole must also address these issues and finally pass long-overdue comprehensive cybersecurity legislation,” he said. McCain has been pushing cybersecurity bills for years, including the Secure IT Act, a competitor to the controversial CISPA bill.

In a statement on Tuesday, Senator Dianne Feinstein (D-CA), a major proponent of cybersecurity and author of multiple bills, said that “this is only the latest example of the need for serious legislation to improve the sharing of information between the private sector and the government to help companies strengthen cybersecurity. We must pass an information sharing bill as quickly as possible next year.”

There are three points I would like to bring up.

First, there is no evidence that North Korea was involved in the Sony hack. All we have are statements made by United States officials. Remember that United States officials also told us that there were weapons of mass destruction in Iraq.

Second, the reason people like McCain and Feinstein want to pass a “cyber security” bill is because it would further enable private corporations, the same private corporations that currently possess a great deal of your personal information, to share data with the federal government without facing the possibility of legal liability. What members of Congress are referring to as “cyber security” bills are more accurately called surveillance bills.

Third, legislation won’t improve computer security. No matter how many “cyber security” bills are passed the fact of the matter is that bills are merely words on pieces of paper and words on pieces of paper have no ability to affect the world by themselves. What you need are experts in computer security doing their job and that is done by enticing them with rewards (often referred to as paying them) for utilizing their skills. Legislation doesn’t do that, markets do. The only thing legislation does is state who the state will send armed thugs after if their desires are not properly met.