Stupid Questions

The BBC has an article on so-called smart guns. Overall it’s not a bad article, it mostly covers what a smart gun is, how it works, and the political battle surrounding them. But one very stupid question is put forth:

Can it be hacked?

Yes. When the question is “Can it be hacked?” the answer is always yes. Granted the article does cover some of the ways in which radio-frequency identification (RFID) and biometric authentication systems have been hacked. But the conclusion by the BBC is that we don’t know if the iP1 authentication system can be hacked.

I’m here to tell you that it can be. We don’t know how but we do know it can be. That’s because every authentication system developed by us has been hacked because a security system can only buy time, it can’t entirely stop an unauthorized individual. Being that the RFID device used with the iP1 is new and, as the article explains, hasn’t seen much widespread use there is likely to be a plethora of bugs waiting to be discovered.

It’s likely that there will be a presentation at an upcoming security conference by a guy who figured out how to remotely enable and disable an iP1 from 100 feet away with an off-the-shelf RFID emulator. Authentication systems rarely survive their initial encounter with the hacker community.

Why Legalizing Driverless Cars is Likely to Be an Uphill Battle

One of the political battles currently being waged in Minnesota is cannabis legalization. The reason the battle is so heated is because law enforcement agents are opposing legalization because they know it will hurt their funding from civil forfeiture laws. This will likely be the reason why law enforcement agents will also oppose legalizing driverless cars:

Google’s driverless cars have now combined to drive more than 700,000 miles on public roads without receiving one citation, The Atlantic reported this week. While this raises a lot of questions about who is responsible to pay for a ticket issued to a speeding autonomous car – current California law would have the person in the driver’s seat responsible, while Google has said the company that designed the car should pay the fine – it also hints at a future where local and state governments will have to operate without a substantial source of revenue.

Approximately 41 million people receive speeding tickets in the U.S. every year, paying out more than $6.2 billion per year, according to statistics from the U.S. Highway Patrol published at StatisticBrain.com. That translates to an estimated $300,000 in speeding ticket revenue per U.S. police officer every year.

Driverless cars are less likely to violate traffic laws. As driverless cars become more prevalent this will cause the number of traffic citations issued by police to dwindle. Without the kickback from those citations departments will find that their funding will also dwindle. In other words this is why we can’t have nice things.

One of the major problems with modern policing is the fact that it incentivizes the creation of criminals. The more criminals that exist in society the more money law enforcement agencies can rake in. That creates a conflict of interest as law enforcement agencies are incentivized to support any measure that creates more criminals and oppose any measure that reduces the number of criminals. This conflict of interest becomes especially egregious when you consider that technology like driverless cars has the potential to save a lot of lives by reducing traffic accidents.

The Conspiracy Theory that Annoys Me the Most

Conspiracy theories are fun even when you don’t buy into them hook, line, and sinker. I enjoy reading about all of the wonky theories people have come up with, especially if that theory involves lizard people. But amongst the conspiracy theories out there the one that annoys me the most is that the government is all omnipotent. This theory is very prevalent in libertarian circles, which is ironic considering that most libertarians view the government as being entirely incompetent. Whenever I try to discuss tools to secure one’s self against the National Security Agency’s (NSA) surveillance apparatus there are usually a few people who start making up bullshit and claiming that using such tools will either make you a target, that the tools are backdoored by the NSA (even if the project is open source and the code has been thoroughly reviewed for such shenanigans), or that the NSA has magical super computers that can instantly break all encryption protocols.

Unlike most conspiracy theories, which usually contain some kernel of factual information that wild theories are based off of, the claim that the NSA can render all computer security tools impotent is entirely baseless. As Bruce Schneier pointed out in a recent blog entry the NSA isn’t magic:

I am regularly asked what is the most surprising thing about the Snowden NSA documents. It’s this: the NSA is not made of magic. Its tools are no different from what we have in our world, it’s just better-funded. X-KEYSCORE is Bro plus memory. FOXACID is Metasploit with a budget. QUANTUM is AirPwn with a seriously privileged position on the backbone. The NSA breaks crypto not with super-secret cryptanalysis, but by using standard hacking tricks such as exploiting weak implementations and default keys. Its TAO implants are straightforward enhancements of attack tools developed by researchers, academics, and hackers; here’s a computer the size of a grain of rice, if you want to make your own such tools. The NSA’s collection and analysis tools are basically what you’d expect if you thought about it for a while.

The NSA is little more than the combination of well known hacking tools, massive funding, and privileged positions on the main infrastructure. Edward Snowden has said numerous times that encryption works. Anybody who claims that the NSA can render all known encryption protocols impotent is literally making shit up. It’s no different than the conspiracy theory that lizard people secretly control all of the governments of the world. Zero evidence exists supporting the claim.

My theory is that people who claim nobody should bother using encryption because it’s futile are simply too lazy to learn how to use the tools and don’t want to admit it. To make themselves feel better they justify their actions by claiming doing otherwise is pointless.

How the Abolition of Net Neutrality is Being Bought

The battle for net neutrality is a difficult one to sort out because it’s effectively oligarchs arguing with other oligarchs. Oligarchs that hold actual monopolies in many areas to distribute Internet content want the ability to suck more money out of both customers and service providers. These oligarchs own much of the infrastructure and claim that they have a right to use it as they please since it is their property. What they don’t mention is that they have legal protections from other oligarchs that prevent any meaningful competition from arising in the Internet content distribution market.

The other set of oligarchs are the ones that compose the legislature and regulatory bodies. It’s an election year for many in the legislature so they want to convince the serfs that their rulers are very benevolent and should be voted in for another term. Since the serfs are quite fond of the current model used to distribute Internet content the oligarchs in the legislature are demanding the model stay in place. The regulatory body most involved in this fight, the Federal Communications Commission (FCC), is stuck between both sides. Its current chairman, Tom Wheeler, is a former lobbyist for the infrastructure oligarchs but he also wants to continue his position as chairman of the FCC, which means he must also make the oligarchs in the legislature happy.

Fortunately when competing sects of the oligarchy go to war they don’t use bombs. Instead they negotiate with one another to determine how much which sect will pay to get its way:

These lawmakers, including the top House leadership, warned the FCC that regulating broadband like a public utility “harms” providers, would be “fatal to the Internet,” and could “limit economic freedom.”

According to research provided Friday by Maplight, the 28 House members received, on average, $26,832 from the “cable & satellite TV production & distribution” sector over a two-year period ending in December. According to the data, that’s 2.3 times more than the House average of $11,651.

What’s more, one of the lawmakers who told the FCC that he had “grave concern” (PDF) about the proposed regulation took more money from that sector than any other member of the House. Rep. Greg Walden (R-OR) was the top sector recipient, netting more than $109,000 over the two-year period, the Maplight data shows.

The infrastructure oligarchs obviously feel very strongly about being able to change their current distribution model because they are paying a good chunk of change to key oligarchs in the legislature. I predict an end to what we call net neutrality in the near future (probably not until the next election cycle or two have concluded though). It will be a slow death consisting of apparently minor changes over the coming years.

If we want to continue enjoying a distribution model that is neutral towards service providers then we will likely have to cut out the infrastructure oligarchs entirely. That will involve building our own infrastructure, which will almost certainly be declared an illegal act at some point. I’ve mentioned several times that I’m working with a handful of other people in the Twin Cities to develop a local mesh network with the hopes of expanding it over time. I think mesh networks, being decentralized (and therefore hard to stop through the judicial and law enforcement systems), are a promising strategy for bypassing the Internet service providers that are trying to double dip by charging both content consumers and content providers more money to access one another. The Chaos Computer Club’s idea to launch small satellites into orbit to bypass state censorship also appeals to me. Between all of us who dwell online we should be able to develop a practical solution to the oligarchy problem.

Designer of Smart Gun Says Smart Guns are Safer

Ernst Mauch, the man behind the Armatix iP1 so-called smart gun (really a gun with an onboard authentication system), recently wrote an opinion piece for the Washington Post where he states that smart guns are safer than regular guns:

Respect for this freedom to protect your family as you see fit is a major reason I believe that gun owners in the United States should have the right to purchase personalized firearms using high-tech safety features. The reality is that firearm safety has not meaningfully advanced in the past century. Nearly every other industry has transformed its safety features — often multiple times — in that same period. Given how tragic the misuse of firearms can be, guns should be no different.

While firearm safety hasn’t meaningfully advanced in the past century it still doesn’t hold the record. Swords, for example, haven’t meaningfully advanced in regards to safety in over a millennium. Clubs also haven’t advanced in regards to safety for even longer. Why is this? Most likely because firearms, swords, and clubs are weapons and weapons are meant to cause damage. Ernst’s claim that nearly every other industry has advanced its safety features ignores most industries involving weapons.

Armatix offers market-based solutions for improving gun safety. We understand that any time a major new technology enters the market, some people will be skeptical, and that is why it is important to clarify exactly what the Armatix pistol is.

As far as I know Armatix hasn’t been lobbying in the United States for mandating that all firearms include built-in authentication systems. That being the case I have no issue with Armatix introducing its iP1. Let the market decide whether or not gun owners want such technology. So long as Ernst and Armatix rely on the market to decide whether or not people should buy their firearms I have nothing against them.

The firearm also detects the proximity of the watch, meaning that even if the gun is stolen after the code has been keyed in, it cannot be fired. If the gun and the watch are both stolen, the thief might as well throw them out because the gun won’t fire without the correct five-digit code.

This is something I didn’t know about the iP1. In addition to having the watch you also have to know a five digit code. That further complicates things while offering relatively little additional security. Five digit codes can be brute forced pretty quickly. Even if the watch itself implements a mechanism to slow down a brute force attack that means little if the thief is in physical possession of the watch. Downloading a copy of the watch’s firmware will allow an attacker to bypass any watch-implemented slowdown mechanisms, which will likely render the five digit code irrelevant.
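To put rough numbers on the point above, here is an added example (not from the article or from Armatix; the lockout policy and per-guess costs are assumed values, and nothing here describes the iP1's real behaviour). It compares exhausting a five digit code against a verifier that enforces an escalating lockout with searching the same code where no throttle applies, and works out how long a code would need to be to hold up without throttling.

```python
"""Added example: lifetime of a short numeric code with and without an
enforced throttle. All policies and rates below are hypothetical."""

KEYSPACE_5_DIGITS = 10 ** 5          # codes 00000..99999
SECONDS_PER_YEAR = 365 * 24 * 3600


def throttled_exhaust_seconds(keyspace, free_attempts, base_delay, max_delay):
    """Worst-case seconds to try every code when the verifier itself
    enforces an escalating lockout: the first `free_attempts` guesses cost
    nothing, then each further guess waits a delay that doubles up to
    `max_delay`."""
    total = 0.0
    delay = base_delay
    for attempt in range(1, keyspace + 1):
        if attempt > free_attempts:
            total += delay
            delay = min(delay * 2, max_delay)
    return total


def unthrottled_exhaust_seconds(keyspace, seconds_per_guess):
    """Worst-case seconds when the only cost is computing one check,
    i.e. the lockout lives in software the holder of the device controls."""
    return keyspace * seconds_per_guess


def min_digits_for(target_seconds, seconds_per_guess):
    """Smallest number of decimal digits whose full keyspace takes at least
    `target_seconds` to search at `seconds_per_guess` with no throttle."""
    digits = 1
    while (10 ** digits) * seconds_per_guess < target_seconds:
        digits += 1
    return digits


def compare():
    """Return the three figures a designer would look at side by side."""
    return {
        # Assumed policy: 5 free tries, then 1 s doubling to a 1 h cap.
        "throttled_years": throttled_exhaust_seconds(
            KEYSPACE_5_DIGITS, 5, 1.0, 3600.0) / SECONDS_PER_YEAR,
        # Assumed cost: a deliberately slow 100 ms check per guess.
        "unthrottled_hours": unthrottled_exhaust_seconds(
            KEYSPACE_5_DIGITS, 0.1) / 3600,
        # Digits needed to last ten years at that same 100 ms per guess.
        "digits_for_10_years": min_digits_for(10 * SECONDS_PER_YEAR, 0.1),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.2f}")
```

The gap between the first two figures is the design lesson: a short code is only as strong as the attempt counter guarding it, so that counter has to live somewhere the person holding the device cannot read or reset.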

The thing to take away from this article is that the author isn’t unbiased. He designed the authentication system and is therefore invested in making it sound good. On the other hand he doesn’t indicate that he wants to lobby for mandating his design be included in all handguns, which is good. I have no objections to the technology itself although I don’t have any interest in it since its reliability hasn’t been proven. But I also cannot accept his claim that firearms like the iP1 are inherently safer since he has a direct business interest in saying so and there are a lot of scenarios where the technology could cost you your life (for example, if your arm with the watch is injured you could be unable to fire the gun with your functional hand).

Mozilla Throws in the Towel on DRM

I thought Mozilla releasing its version of Chrome was the most disappointing thing the company could do this year but I was wrong. Yesterday Mozilla announced that it decided to throw in the towel against digital rights management (DRM) technology being included in its browser:

Despite our dislike of DRM, we have come to believe Firefox needs to provide a mechanism for people to watch DRM-controlled content. We will do so in a way that protects the interests of individual users as much as possible, given what the rest of the industry has already put into place. We have selected Adobe to provide the key functionality. Adobe has been doing this in Flash for some time, and Adobe has been building the necessary relationships with the content owners. We believe that Adobe is uniquely able to bring new value to the setting.

Mozilla was the last holdout of the major browser providers to refuse to implement DRM technology. I understand why Mozilla is doing this. The company’s browser marketshare has been diminishing since Google released its Chrome browser. If major video providers start using Encrypted Media Extensions (EME), the new DRM technology that has been settled on, and Firefox is unable to display those videos it will further hurt its marketshare.

But by implementing DRM Mozilla has also abandoned its manifesto:

The Mozilla project is a global community of people who believe that openness, innovation, and opportunity are key to the continued health of the Internet.

[…]

The Mozilla project uses a community-based approach to create world-class open source software and to develop new types of collaborative activities.

[…]

2. The Internet is a global public resource that must remain open and accessible.

[…]

7. Free and open source software promotes the development of the Internet as a public resource.

[…]

build and enable open-source technologies and communities that support the Manifesto’s principles;

Since the beginning Mozilla has touted itself as an open source project meant to support an open Internet. But it cannot do so while implementing DRM technology. As its blog post states:

The industry is on the cusp of a new mechanism for deploying DRM. (Until now, browsers have enabled DRM indirectly via Adobe’s Flash and Microsoft’s Silverlight products.) The new version of DRM uses the acronyms “EME” and “CDM.” At Mozilla we think this new implementation contains the same deep flaws as the old system. It doesn’t strike the correct balance between protecting individual people and protecting digital content. The content providers require that a key part of the system be closed source, something that goes against Mozilla’s fundamental approach.

Emphasis mine. In order to implement the DRM technology Mozilla has to rely on a closed source binary provided by none other than Adobe (who, I might add, has a deplorable security record). This goes against its manifesto of working to keep the Internet open and providing a quality open source project.

However I will begrudgingly give Mozilla some credit. The DRM binary will be sandboxed, optional, and not installed by default:

Firefox does not load this module directly. Instead, we wrap it into an open-source sandbox. In our implementation, the CDM will have no access to the user’s hard drive or the network. Instead, the sandbox will provide the CDM only with communication mechanism with Firefox for receiving encrypted data and for displaying the results.

Traditionally, to implement node-locking DRM systems collect identifiable information about the user’s device and will refuse to play back the content if the content or the CDM are moved to a different device.

By contrast, in Firefox the sandbox prohibits the CDM from fingerprinting the user’s device. Instead, the CDM asks the sandbox to supply a per-device unique identifier. This sandbox-generated unique identifier allows the CDM to bind content to a single device as the content industry insists on, but it does so without revealing additional information about the user or the user’s device. In addition, we vary this unique identifier per site (each site is presented a different device identifier) to make it more difficult to track users across sites with this identifier.

As plugins today, the CDM itself will be distributed by Adobe and will not be included in Firefox. The browser will download the CDM from Adobe and activate it based on user consent.

As I said earlier I understand why Mozilla is doing this. I don’t like it but at least the Mozilla development team is being as smart about this implementation as possible. This way people like me who trust Adobe as much as a kleptomaniac can simply not install this crap.
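The per-site identifier described in the Mozilla quote above can be illustrated with a keyed hash. This is an added example, not Mozilla's code: the post does not say how the identifier is derived, so the HMAC construction, the choice of the origin as the "site", and every function name here are assumptions.

```python
"""Added example: a per-device, per-site identifier derived by the sandbox
so the CDM never sees anything that links a user across sites.
The construction is an assumption, not Firefox's implementation."""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}
_CONTEXT = b"cdm-device-id-v1\x00"   # hypothetical domain-separation label


def new_device_secret():
    """Random secret generated once per device/profile and kept by the
    sandbox; it is never handed to the CDM or to any site."""
    return secrets.token_bytes(32)


def normalize_origin(url):
    """Reduce a URL to scheme://host:port so every page of one site maps
    to the same identifier regardless of path, query or letter case."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in _DEFAULT_PORTS or parts.hostname is None:
        raise ValueError(f"not an http(s) URL: {url!r}")
    port = parts.port or _DEFAULT_PORTS[scheme]
    return f"{scheme}://{parts.hostname}:{port}"


def site_device_id(device_secret, url):
    """Identifier the sandbox would give the CDM for this site.

    HMAC keeps it stable for one (device, site) pair, different for every
    other site, and uninformative about the device to anyone who does not
    hold the secret."""
    origin = normalize_origin(url).encode("utf-8")
    return hmac.new(device_secret, _CONTEXT + origin, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    secret = new_device_secret()
    # Constructed sample URLs on reserved .example names.
    for url in ("https://video.example/watch?v=1",
                "https://video.example/account",
                "https://music.example/"):
        print(url, site_device_id(secret, url)[:16])
```

Replacing the device secret rotates every site's identifier at once, which gives the user a reset that the CDM cannot override.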

What really worries me about this is that it sends a message to the media production industry and that message is that they can now demand DRM be made an integral part of the web and have their demands met. Make no mistake this is just the beginning of a snowball that will continue to grow in size. The DRM may be primarily geared towards video today but it will expand to include images and eventually text. Before you know it the web will be turned into a wasteland where content providers attempt to tightly control said content.

The only upside is that DRM technology always loses against the hacker community. But due to the Digital Millennium Copyright Act (DMCA) bypassing DRM technology now carries legal risks, at least in the United States. That means taking what steps are necessary to maintain an open web will be a criminal act. Some very bright people will likely end up in a cage for doing the right thing (not that that’s uncommon, especially here in the United States).

Now I Don’t Want the Ability to Remotely Disable My Phone

I live in Minnesota, the state partially made famous for its oddball political atmosphere. This state is both the source of some pretty decent legislation (the legislation regulating our ability to carry a firearm is surprisingly good) and some absolutely atrocious legislation. This is an example of the latter:

A first-in-the-nation measure that would require smartphone manufacturers to install mandatory “kill switch” technology to deter thefts became law with Gov. Mark Dayton’s signature Wednesday.

“This is a very important step forward for protecting young people and protecting people of all ages,” Dayton said.

The law mandates that smartphone manufacturers equip their phones with the technology by July 1, 2015. The “kill switch” enables a smartphone owner to remotely disable a smartphone or tablet if it is lost or stolen, rendering the devices useless.

I carry an iPhone, which has the ability to be remotely disabled via my provisioning server. For me it’s a desired feature because I would like to render the device unusable should somebody steal it and, due to the fact that I have the feature tied to my provisioning server, the feature is entirely within my control. With that said, I do not want the inclusion of such a capability to be mandatory. There are a lot of legitimate reasons why an individual wouldn’t want such a capability.

First and foremost is that the capability will most commonly be in the hands of the phone manufacturer. Having somebody’s finger on your phone’s kill switch is generally a bad idea. Second if the ability to remotely kill a device exists in any form it’s possible that an unauthorized third-party will find a way to gain access to that feature. Political dissidents performing a protest probably don’t want devices that can be remotely disabled since there is always the possibility that the state they’re protesting against will pressure the manufacturer into disabling the dissidents’ devices.

And because this is a Minnesota bill it had to include an extra heap of stupidity:

The law also prohibits retailers from paying cash for used phones, rather than electronic transfer or check.

In other words if you sell your phone the government wants to know about it. This is just another step in the state’s desire to track all financial transactions. Like every previous step this one is being marketed as a method of helping the people. But the first part of this legislation, the mandatory kill switch, renders the second part irrelevant because no retailer is going to buy a useless phone. So this part is entirely unnecessary in regards to protecting people against cell phone thefts.

Patents Don’t Equal Implementation

There are some rumors that just won’t die. What’s worse is when these rumors are reported as facts. Take this article. It claims that Apple is implementing a method that would allow law enforcement agents to remotely disable an iPhone’s camera:

The rapid emergence of smart phones with high definition cameras leads to consequences for law-breaking cops.

Recently, law enforcement throughout the country has been trying to pass laws that would make it illegal to film them while they’re on duty.

But Apple is coming out with a new technology that would put all the power in a cop’s hands.

The evidence? Apple filed a patent on this type of technology back in 2008. Ever since that patent was filed people have claimed that Apple is implementing or has secretly implemented the technology.

What people seem to miss is that companies file patents on anything they can think of. It doesn’t matter if a company plans to actually implement a patented technology, they file the patent to build up an intellectual property war chest just in case they get sued by another company over an intellectual property matter. So far Apple has made no indication that it plans to actually implement the technology covered in the linked patent. Claiming anything other than the fact that Apple has filed a patent for such technology is pure fear mongering and it really needs to stop.

Technology Companies Defying the State By Reporting Law Enforcement Requests

Rebellion is a beautiful thing. Several major technology companies including Apple, Facebook, and Google have decided to notify their users when law enforcement agents request their data:

Major U.S. technology companies have largely ended the practice of quietly complying with investigators’ demands for e-mail records and other online data, saying that users have a right to know in advance when their information is targeted for government seizure.

This increasingly defiant industry stand is giving some of the tens of thousands of Americans whose Internet data gets swept into criminal investigations each year the opportunity to fight in court to prevent disclosures. Prosecutors, however, warn that tech companies may undermine cases by tipping off criminals, giving them time to destroy vital electronic evidence before it can be gathered.

Fueling the shift is the industry’s eagerness to distance itself from the government after last year’s disclosures about National Security Agency surveillance of online services. Apple, Microsoft, Facebook and Google all are updating their policies to expand routine notification of users about government data seizures, unless specifically gagged by a judge or other legal authority, officials at all four companies said. Yahoo announced similar changes in July.

One thing I like about the technology field is that companies and individuals within it tend to have a greater problem with authority than most. Although I would have preferred to see this happen sooner I’m not going to gripe too much. Instead I want to congratulate these companies on doing the right thing.

It’s interesting to see the changes that have rippled through the technology market since Edward Snowden leaked those National Security Agency (NSA) documents. Security and transparency have traditionally been an afterthought for major technology companies but both have gained more prominence since we all learned that the NSA was unlawfully spying on each and every one of us. Google, for example, began encrypting data moving between its data centers. Experts in the security field boycotted the RSA conference because its namesake took $10 million from the NSA to use a knowingly weak random number generator in its BSAFE product. There has also been a race to develop more secure communication devices in an attempt to thwart the NSA surveillance apparatus. Basically the state royally pissed off the technology industry and it is now actively doing what it can to rebel.

I’m proud to work in a field that is actively giving the state a gigantic middle finger. Seeing companies like Apple, Facebook, and Google publicly change their policies to better inform their customers when the state is snooping makes me smile.

I’ll Scratch Your Back If You Scratch Mine

Fascism is basically circlejerk economics. Government officials are jerking off corporate cronies while corporate cronies are jerking off government officials. This system works very well if you’re at the top but most of us aren’t at the top so we get to suffer protected monopolies, inferior products, and shitty service.

Another side effect of fascism is that government will always swoop in to protect its corporate cronies. Right now the White House is demanding that its corporate partners who hand over customer data to the National Security Agency (NSA) receive legal immunity:

The White House has asked legislators crafting competing reforms of the National Security Agency to provide legal immunity for telecommunications firms that provide the government with customer data, the Guardian has learned.

In a statement of principles privately delivered to lawmakers some weeks ago to guide surveillance reforms, the White House said it wanted legislation protecting “any person who complies in good faith with an order to produce records” from legal liability for complying with court orders for phone records to the government once the NSA no longer collects the data in bulk.

In other words the White House doesn’t want any actual reform. Unless entities handing over data to the NSA face consequences there’s no motivation for them to not do so even when they know a request is illegal. This is especially true when you consider how much money many companies make off of government data requests.

As an aside, it’s funny how the White House never demanded whistleblowers like Chelsea Manning and Edward Snowden receive legal immunity for revealing government corruption. I guess our illegal secrets aren’t the same as the government’s illegal secrets.