It’s Hard Being a Gun Nut and Technology Enthusiast

Do you know what’s difficult for gun nuts and technology enthusiasts to do? Turn on the news. Most of the gunny readers of my blog are used to the glaring idiocy emitted by reporters when they attempt to talk about firearms. You get ridiculous assertions like the word magazine being interchangeable with clip, every rifle being an AK-47, every handgun being a Glock, and Uzis being high-powered firearms:

The girl was being shown how to use a high-powered Uzi sub-machine gun at an Arizona shooting range when the recoil caused her to lose control of it.

Emphasis mine. Unless there is an Uzi model chambered in .308 (and if there is please tell me, I fucking want that for reasons) it is not high-powered. Uzis, as far as I know, are commonly chambered in 9mm with a few other models available that fire other pistol calibers. Pistol calibers, no matter how you look at them, aren’t high-powered. In fact they’re usually considered anemic, which is why military personnel usually carry rifles.

When media outlets report on topics related to technology we get similar levels of stupidity. The news that nude pictures of several celebrities have been obtained from their compromised iCloud accounts has received wall-to-wall coverage from several media outlets. And with great coverage comes great stupidity. Here we have a CNN talking head speculating on the nature of 4chan:

In the wake of the massive leak of hacked celebrity nude photos now known as celebgate, CNN—the most trusted name in news—is on the case. The cable news pioneer put its best tech analyst Brett Larson on the job and he speculated in wildly unhelpful fashion on Tuesday about just who this 4chan guy is, anyway.

“He might be a system administrator,” Larson suggests.

I guess the top tier research team over at CNN couldn’t be bothered to do a Google search. If they had they would have gotten the website 4chan as the top hit and the Wikipedia article on 4chan as the second hit. In other words, a few simple keystrokes would have informed anybody capable of reading (I know, that’s expecting a lot from the research team over at CNN) that 4chan isn’t a person, it’s a website.

Because of my interests in guns and technology I feel as though I’m receiving a double dose of stupid every time I turn on the news or open a news site. I can only assume that the media’s coverage of basically everything else is just as ill-informed.

Once Data Leaves Your System You No Longer Have Control

I try not to waste your time talking about celebrity news on this blog. But once in a great while celebrity news can act as a launching point for something that’s actually important. The recent breach of several celebrities’ iCloud accounts is one of those rare times:

Someone claiming to be the individual responsible for the breach has used 4Chan to offer explicit videos from Lawrence’s phone, as well as more than 60 nude “selfies” of the actress. In fact, it seems multiple “b-tards” claimed they had access to the images, with one providing a Hotmail address associated with a PayPal account, and another seeking contributions to a Bitcoin wallet. Word of the images launched a cascade of Google searches and set Twitter trending. As a result, 4Chan/b—the birthplace of Anonymous—has opened its characteristically hostile arms to a wave of curious onlookers hoping to catch a glimpse of their favorite starlets’ naked bodies. Happy Labor Day!

This breach appears different from other recent celebrity “hacks” in that it used a near-zero-day vulnerability in an Apple cloud interface. Instead of using social engineering or some low-tech research to gain control of the victims’ cloud accounts, the attacker basically bashed in the front door—and Apple didn’t find out until the attack was over. While an unusual, long, convoluted password may have prevented the attack from being successful, the only real defense against this assault was never to put photos in Apple’s cloud in the first place. Even Apple’s two-factor authentication would not have helped, if the attack was the one now being investigated.

There is a valuable lesson in this story. Once data leaves your system you no longer have control over it. With the skyrocketing popularity of online data storage services (often referred to as “the cloud”) this lesson is more important than ever.

Smartphones are pervasive in our society. Millions of people are walking around with an Android, iOS, or Windows Mobile-powered device in their pockets. These devices, by default, upload a lot of personal data to Google, Apple, and Microsoft’s online data storage services. While many conspiracy theorists will claim that these services are enabled by default for nefarious purposes, the truth of the matter is consumers demanded these services. Automatically uploading data to online storage services helps protect against data loss. Since most computer users are unwilling to take the time to manually back up their data, and bitch an awful lot when they lose data, manufacturers have begun doing backups automatically. But security and convenience seldom go hand in hand. By backing up data to online services users have begun to lose control of their data. Once the data has been uploaded to a third-party service that third party now has control over that data.

There are ways to alleviate many of the risks involved with using online storage services. The most effective method of reducing the risks involved is to encrypt data with a strong key known only to you before uploading it. That way the third party only has access to an encrypted blob and not the means of decrypting it. Using a strong password and two-factor authentication can also help protect your online accounts, but neither of those practices will offer much protection if there is a flaw in the service itself (as was the case with these iCloud breaches). Ultimately the most secure option is not to upload your data to begin with.

As a general rule I don’t upload anything to a third-party service unless I’m OK with it becoming publicly accessible. While I don’t take selfies or record my sexual exploits, if I were to do so I wouldn’t upload them to iCloud, Dropbox, Azure Cloud, or any other third-party online storage option. The iPhone is pretty good about giving you options to keep your data on your own services, and I utilize those options heavily. It’s been ages since I’ve used Android so I’m not sure if it has the same options (its options were sparse when I used it) and I have no idea what options are made available in Windows Mobile as I’ve not used that platform. But I highly encourage people to utilize such options when available. Apps, on the other hand, are seldom as flexible since most seem geared towards getting people to utilize third-party services. You may have the automatic upload features disabled in your phone’s operating system, but if an app automatically uploads that data then all of your efforts are for naught. So it’s important to be familiar not only with your operating system but also with the applications you utilize.

Keep your shit under your control. If you fail to do so there’s no way to regain it.

Down the Memory Hole

There’s no doubt that the Internet has been one of the greatest tools for information sharing ever invented. Instead of having to go to the library, request a book, wait two weeks for that book to arrive, and squeeze every bit of knowledge you need out of that book in one or two weeks, we now open a browser and type a search into Google. But it’s not limited solely to books. The state, failing to comprehend a future where the plebs could access and read its documents, put a bunch of stuff online for us to access. This saves a lot of people a lot of headaches having to go to a court to obtain a physical copy of records related to cases. Slowly the state is realizing its mistake and disappearing things down the memory hole:

The Administrative Office of the US Courts (AO) has removed access to nearly a decade’s worth of electronic documents from four US appeals courts and one bankruptcy court.

The removal is part of an upgrade to a new computer system for the database known as Public Access to Court Electronic Records, or PACER.

Court dockets and documents at the US Courts of Appeals for the 2nd, 7th, 11th, and Federal Circuits, as well as the Bankruptcy Court for the Central District of California, were maintained with “locally developed legacy case management systems,” said AO spokesperson Karen Redmond in an e-mailed statement. Those five courts aren’t compatible with the new PACER system.

If your tax-funded upgrade of a public system removes public records then the upgrade was not done correctly. As somebody who relies on being able to download the state’s dirty laundry and court records (but I repeat myself) to entertain my readers, this kind of shit pisses me off. And I’m probably going to be pissed off more and more because I guarantee the state is going to “upgrade” more of its systems and toss a ton of online records down the memory hole. It’s a classic maneuver: if you can’t get away with destroying public records then you just make them very difficult to access.

Real Heroes

Tor is a great tool for those in need of anonymity online. But online anonymity is something spy agencies don’t like because it makes their job much harder. Therefore it seems highly probable that agents within the National Security Agency (NSA) are actively investing resources into compromising Tor. In fact all evidence indicates the agency, and other spy agencies, are doing exactly that. Thankfully evidence also indicates that there are real heroes working within those agencies to undermine such efforts:

British and American intelligence agents attempting to hack the “dark web” are being deliberately undermined by colleagues, it has been alleged.

Spies from both countries have been working on finding flaws in Tor, a popular way of anonymously accessing “hidden” sites.

But the team behind Tor says other spies are tipping them off, allowing them to quickly fix any vulnerabilities.

While the leviathan that is government is powerful it is also composed of people, many of whom have a conscience. Because of this many of the government’s nefarious acts are undermined by people within it. If the NSA is attempting to compromise Tor then it’s very likely some of its agents are anonymously tipping off Tor’s developers, which renders the NSA’s overall efforts futile.

These are real heroes who should be celebrated. They actively put themselves at risk to fight against illegal government activities and therefore make the world a better, and safer, place.

Tesla Taking Car Security Seriously

One of the neat and odd things I saw in the Defcon vendor area was a Tesla car. It’s especially odd given that talks about hacking cars are given regularly:

The guys in that video are awesome presenters, by the way. As it turns out Tesla was at Defcon precisely because it doesn’t want to be featured in one of these videos:

Tesla is one of the only household corporate names with an official presence this year at Def Con, an annual security conference held in Las Vegas, where attendees try to hack the hotel elevators and press room. The company is here courting hackers who can help it find holes in the software that controls its cars. It’s looking to hire 20 to 30 security researchers from Def Con alone, Ms. Paget says. Moreover, hackers who report bugs to Tesla get a platinum-colored “challenge coin.” If they show up at a Tesla factory and give the security team a heads-up, they get a free tour.

This is something I’m happy to read about. Computer security in the automotive industry, like the medical industry, is seldom considered. I’m not surprised by this fact since security costs time and money, which means it’s only considered after products have fallen to widespread exploitation. The only reason your computer and smartphone are as secure as they are (which isn’t to say they’re very secure, but they are veritable fortresses compared to systems from earlier days) is that corporate and personal computers have been the targets of an almost uncountable number of exploits. Each industry seems destined to experience these same mistakes instead of learning from other industries that have already done so. Tesla, on the other hand, is acting more like a smartphone company in this regard by taking security seriously enough to hire people dedicated to ensuring its cars’ computers are at least somewhat secure.

This will pay off in the long run for Tesla. As vehicles become more integrated with technology they are going to become bigger targets for malicious attackers. If automotive manufacturers don’t nip this in the bud now they’re going to suffer many years of lawsuits related to their lack of on-board computer security.

Great Organic Fair Trade Conflict-Free Product For Sale

I must say that I love the Internet. If there is a want out there somebody on the Internet will eventually serve it. For example:

At the more extreme end of socially progressive marketing strategies used by online dealers are those that involve the promotion of drugs on the basis of supposedly “ethical”, “fair trade”, “organic” or “conflict-free” sources of supply.

The story is talking about cocaine and opium, not coffee. This shouldn’t surprise anybody since hipsters need their fix as well. I’m greatly amused by the fact that the Federal Bureau of Investigation (FBI) managed to shut down the original Silk Road and was rewarded with a notable increase in websites selling unpatentable drugs. Now the online drug dealers are marketing to hipsters, which probably means they are making a nice premium (if Whole Foods is any indicator, hipsters are willing to pay quite a bit more for the same product with the words “fair trade”, “organic”, or “conflict-free” on the label).

Hidden services have not only reduced violence in the drug trade but now they’re ensuring more drug users’ needs are met.

Defcon 22 Recap

I’m back from my vacation. Where did I go? Well:

[Image: at the podium at Defcon 22]

That’s me at the podium in Track Two giving a rousing presentation about the need for hackers all around the world to use their skills to break into and sabotage all government networks. Just kidding. That picture of me was taken by a friend when we gained access to Track Two after it was locked up for the night.

Defcon 22 was a blast. Things started off on a good foot when the room I had booked at the Palms was unavailable so they had to upgrade me to a better room for free. The room had a living room separate from the bedroom and two bathrooms. It was a shame to have such a nice room and not spend much time in it, but Defcon itself was packed with things to do. I got in line for my badge a few minutes before eight and proceeded to slowly make my way towards the registration desk for the next two and a half hours. During that time I made a few friends and learned some interesting things. After obtaining my fancy electronic badge I attended a handful of talks and met up with some friends.

Friday, when Defcon really begins, was packed with great talks. Defcon was also packed with people. I felt as though the number of attendees this year was at least 50 percent higher than last year (later I talked to a goon who said that the number of attendees wasn’t actually that much higher than last year but agreed that it felt much higher). As usual the convention was an exercise in controlled chaos. The villages proved to be interesting, but the Social Engineering Village didn’t have nearly as much space as it needed and the Hardware Hacking Village was shoved off into a corner that was only accessible by going through the competition area. New this year were the Crypto Village and the Industrial Controllers Village. I walked through the latter but didn’t spend much time in it. The Crypto Village was interesting as they had some excellent presentations. It was there that I learned the Fifth Amendment doesn’t protect your biometric data. While you may be protected from giving the police the decryption key for your hard drive you cannot refuse to give your fingerprint (at least under the Fifth Amendment; technically you could refuse to do so until they decided to murder you). So securing your data with a fingerprint probably isn’t the best idea (I’m looking at you, iPhone 5S users).

During the evening a few friends and I hung out in Track One where several electronic music performers were doing their thing. One of the groups to play was Anamanaguchi. Their album sounds like it was made on an old Nintendo Entertainment System, which is pretty cool. But their live performance didn’t, which was disappointing. I still had fun, though, likely thanks to the alcohol.

Saturday was basically Friday all over again. Lots of good talks and fun things to do. During the evening a few friends and I went to Hacker Jeopardy. In years prior there was a woman on stage who would remove an article of clothing whenever a team got a Double Jeopardy question correct. That wasn’t the case this year. This didn’t surprise me too much since Defcon does get a lot of flak for being a sexist event (and much of that flak is justifiable). After Jeopardy we went to the party out by the pool. That started off pretty poorly since the girl performing was, well, fucking horrible. So my friends and I found ourselves in Track One again where the music was a marked improvement.

Sunday, being the last day of Defcon, was much more somber. Most of us were exhausted from back-to-back all-nighters. A couple of Sunday’s talks were very interesting. Deviant’s talk about elevators was fascinating. The closing ceremonies were as usual (which for me means kind of boring) except for the announcement at the end. Defcon 23 will be held at the Paris and Bally’s casinos. I’m not sure whether we outgrew Rio or if Rio simply refused to renew our contract. Hosting Defcon is kind of a pain in the ass since things all over the hotel get compromised and I could see the Rio simply refusing to renew our contract. Either way a new venue will be nice since Rio felt too small.

Defcon 22 was a blast. The only thing that wasn’t a blast was the flight home. Red eye flights aren’t fun and I don’t like touching ground in Minnesota at 05:30. Getting to bed at 07:30 is not my idea of a fun time. But that’s a pretty minor thing to complain about. I can’t wait for Defcon 23.

I’ve been completely out of the loop since Wednesday so I don’t have any other posts prepared for today. Catching up on a week’s worth of news and events isn’t easy, especially when your sleep schedule has been thoroughly fucked up by a red eye flight. Normal posting should resume tomorrow.

You Can’t Stop the Signal

The Federal Bureau of Investigation (FBI) really thought it was hot shit after shutting down the original Silk Road. But the Internet doesn’t take kindly to censorship and markets cannot be stifled. Since the original Silk Road was taken down others have popped up to replace it. And online advertisements for unpatentable drugs have actually increased:

The US Federal Bureau of Investigation (FBI) closed down the original online illegal drug market, Silk Road, in 2013.

But new figures suggest the trade has actually increased since then.

And other research indicates one in four British drug users has accessed hidden websites.

This is a beautiful thing. Silk Road, in addition to providing for the wants of drug consumers, also reduced the amount of violence in the drug trade. Nobody should be surprised by this since violence is much harder to perpetrate when both parties in a transaction are anonymous. It’s also much harder for the biggest perpetrators of violence in the drug trade, the police, to storm the homes and kill the dogs of drug consumers if they cannot identify them.

It’s always nice to see the state’s control slipping through its fingers. The war on unpatentable drugs is untenable because markets always win. Agorism is such a powerful tool against the state precisely because it relies on markets, which are the manifestation of human action.

Protection Against Rockets Doesn’t Imply Protection Against Malicious Hackers

Israel’s Iron Dome has proven to be a very effective defensive system against rockets. But just because you can build an effective anti-rocket system doesn’t mean your network and computer security don’t suck:

Three Israeli defense contractors responsible for building the “Iron Dome” missile shield currently protecting Israel from a barrage of rocket attacks were compromised by hackers and robbed of huge quantities of sensitive documents pertaining to the shield technology, KrebsOnSecurity has learned.

The never-before publicized intrusions, which occurred between 2011 and 2012, illustrate the continued challenges that defense contractors and other companies face in deterring organized cyber adversaries and preventing the theft of proprietary information.

It always amazes me how a company that invests so much into physical security fails to properly secure its computers and networks. But it doesn’t surprise me since physical security and computer and network security are usually quite different (although there is a lot of overlap). I would still think that a company whose task it is to build weapons for physical security would invest a great deal of money into hiring the best computer and network security people in existence.

Slaying Net Neutrality Under the Guise of Cyber Security

It has become obvious to our overlords in government that we slaves are rather fond of the way the Internet has worked since day one. But its corporate partners have dictated that they desire legal permission to throttle traffic selectively, and what the government’s corporate partners want they get. So it’s time to play that wicked game again where the government slips in what it wants to do under the guise of something else. Net neutrality is now being sold as cyber security:

The cybersecurity bill making its way through the Senate right now is so broad that it could allow ISPs to classify Netflix as a “cyber threat,” which would allow them to throttle the streaming service’s delivery to customers.

[…]

The bill, as it’s written, allows companies to employ “countermeasures” against “cybersecurity threats,” but both terms are extremely broadly defined, and video streaming could easily fall within the purview of the latter.

“A ‘threat,’ according to the bill, is anything that makes information unavailable or less available. So, high-bandwidth uses of some types of information make other types of information that go along the same pipe less available,” Greg Nojeim, a lawyer with the Center for Democracy and Technology, told me. “A company could, as a cybersecurity countermeasure, slow down Netflix in order to make other data going across its pipes more available to users.”

You would think with a Senate full of lawyers that net neutrality could be force-fed down our throats in a slightly more subtle way. This strategy just reeks of laziness in my opinion. There is only a handful of things I expect the government to do well: killing people, expropriating wealth from the people, pretending that it’s benevolent, and slyly sneaking in its corporate partners’ agenda in a way that we don’t readily recognize.

But there you have it, net neutrality is now part of cyber security. And while cyber security hasn’t received much love from the slaves it’s easier to force-feed to them because it’s part of OH MY GOD NATIONAL SECURITY!