Raspberry Pi Bitcoin Miner

As those of you reading know, I’m a big fan of Bitcoin and a big fan of the Raspberry Pi. It was only a matter of time until I decided to follow in the footsteps of many and set up a Raspberry Pi Bitcoin miner. In an unrelated Amazon search I noticed that the ASICMiner Block Erupters had come down in price (they sell for $29.98 on Amazon’s main page but cheaper units can be had from other Amazon vendors) so I decided to order a couple.

Mind you, nobody is going to get rich off of a Block Erupter. My desire was to experiment with them. I’ve often wondered how much a somewhat decent miner could be built for. Combining cheap Block Erupters with cheap Raspberry Pis seemed like an excellent way to build an affordable miner (with the acknowledgement that the setup was unlikely to pay for itself). I followed the setup guide on Adafruit and was mining Bitcoin in minutes. What follows are some issues I ran into.

First, my Raspberry Pi wasn’t able to provide reliable power to both modules. This wasn’t unexpected. While the Pi could run one Erupter without any issue, the second one would periodically die from loss of power. The mining application I used, cgminer, continuously notified me of hardware errors. Fortunately, I have a second Raspberry Pi that runs my Tor relay so I unplugged the second Erupter from the first Pi, plugged it into the second Pi, and got it up and running without any trouble. The obvious solution to this problem is to purchase a powered USB hub.

Second, Block Erupters run hot. I learned this lesson when I went to unplug my second Erupter from my first Pi. If you’ve been running an Erupter make sure you give it time to cool down before touching it (or be impatient, like me, and grab some gloves). You will also want to invest in a small fan to keep your Erupters cool. This USB powered fan has been recommended by several people and costs all of $8.00.

Third, as I feel this needs to be pointed out, setting up a mining rig isn’t the most efficient way to acquire Bitcoin. Sites like Coinbase are better sources. The amount of Bitcoin you can mine with an Erupter isn’t going to pay for the hardware for quite some time (even before calculating in the cost of electricity, fans, powered hubs, etc.). I’m pursuing this project for fun and to fulfill my curiosity. When I need to acquire Bitcoin in usable quantities I tend to buy from sellers.

Private Solutions to State Failures

“Without the government who will [fill in the blank]?” It’s a question anti-statists face frequently. People seem to lack the imagination necessary to come up with any ideas of who would build roads, teach children, or protect people in the absence of government (and I want to know who is building roads, teaching children, and protecting people in the presence of government). As we find more governments collapsing we are getting an opportunity to see who can provide the services that were formerly monopolized by the governments. One man has developed a potential alternative to the state’s first responder services:

What if you could report emergencies anywhere, have faster response times, and strengthen local communities, all without spending thousands of dollars or involving bureaucrats?

We are seeing sluggish emergency response times in many big cities around the United States, and in parts of Detroit and Chicago you’d be lucky if someone came at all, even hours later. This is the problem with having a one-size-fits-all monopoly on emergency services. Sure, the system works pretty well, but when it has problems it can be a matter of life and death. And those problems don’t cause any firm to lose profits when they drop the ball. Tax money still fills the agency’s coffers, rewarding incompetence. (In economics we call this a soft budget constraint.)

Cody Drummond at Peacekeeper is rethinking defense and emergency response with a new app he is developing. His focus? Bring it local and use something you already carry to alert those around you to a problem. In those critical first moments during a crisis, you can alert those closest to you and get the help you need faster.

This system has the potential of replacing lengthy police response times (if they respond at all) with quick response from members of your community. It could also save lives if medical emergencies can be attended to quickly by any medical personnel in your community, as opposed to waiting for an ambulance to arrive from a faraway hospital. What makes solutions like this even more appealing is that they don’t stop working just because the government has shut down. One of the biggest problems with allowing governments to monopolize services is that those services cease being available in the event of a budget cut or shutdown.

Will Mr. Drummond’s solution work? Only time will tell. But we know that state controlled police don’t work (unless you want your dog euthanized) so an alternative must be found. Even if Mr. Drummond’s solution doesn’t work out I will tip my hat to him for trying.

Tor Stands Pretty Secure Against NSA Attack

We all know that the National Security Agency (NSA) hates Tor. Tor stands for everything the NSA is against, such as anonymity and information security. It comes as no surprise to find out that the spy agency has been attacking the Tor network:

The National Security Agency has made repeated attempts to develop attacks against people using Tor, a popular tool designed to protect online anonymity, despite the fact the software is primarily funded and promoted by the US government itself.

It’s pretty funny when one government agency is focused on destroying something originally created by another government agency (Tor was originally funded by the United States Naval Research Laboratory). Fortunately the NSA has met with very little success:

But the documents suggest that the fundamental security of the Tor service remains intact. One top-secret presentation, titled ‘Tor Stinks’, states: “We will never be able to de-anonymize all Tor users all the time.” It continues: “With manual analysis we can de-anonymize a very small fraction of Tor users,” and says the agency has had “no success de-anonymizing a user in response” to a specific request.

Another top-secret presentation calls Tor “the king of high-secure, low-latency internet anonymity”.

There has been a lot of speculation about Tor’s security. Even now people are arguing over whether or not the Tor Stinks presentation is still accurate. It is possible that the NSA has developed a way to successfully remove a Tor user’s anonymity since the presentation was leaked. So far we’ve seen no evidence of this though. The two primary stories involving Tor, the takedown of Freedom Hosting and the apparent arrest of Dread Pirate Roberts, were both accomplished using old-fashioned investigative work. This leads me to believe the Tor Stinks presentation is still accurate and that the NSA hasn’t found a reliable way to attack a Tor user’s anonymity.

Once again, we can speculate about the powers of the NSA. The problem is we can’t work off of speculations. I agree with Bruce Schneier who said we should “trust the math.” Unless we have evidence to the contrary we can only assume that Tor works. With that said, it’s never good to rely entirely on a single tool. Tor is great but you should also take other precautions to protect your anonymity online (for example, Tor doesn’t do you a lot of good if somebody has already managed to install a trojan onto your computer).

Another Online “Black” Market Bites the Dust

With the exceptions of alcohol and caffeine I don’t take drugs. It’s not that I’m opposed to taking drugs I just choose not to. I believe many drugs have beneficial properties (violence would probably plummet if people would just take to smoking cannabis) and am therefore a fan of online “black” markets like Silk Road (link only works if you’re using the Tor Browser Bundle). Silk Road is an interesting site because it was the first large online drug market. The operator(s) of that site are smart and have remained anonymous. They have also chosen not to advertise the site, instead relying on word of mouth. That being the case, many people believed that Atlantis, a competing online “black” market, would crush Silk Road because of its major advertising push. It appears that the operators of Atlantis weren’t as smart as they thought they were because they shut down the site for “security reasons”:

Atlantis Market, the online bazaar for illegal drugs, has suddenly shut down permanently due to “security reasons outside our control.” The site gained some notoriety after the circulation of an animated commercial that explained how a “stoner” named Charlie uses Atlantis to find “dank buds,” part of a broader advertising push aimed at chipping away market share from the reigning drug underground kingpin, Silk Road.

When it comes to “black” markets, it pays to keep a fairly low profile. Most major advertisers won’t accept Bitcoin, which means there is no truly anonymous way to pay for their services. Anybody buying advertisements from traditional outlets therefore puts their privacy at risk. Assuming Atlantis wasn’t a government sting operation (which is quite possible) it’s likely the people operating the site had their identities revealed through ties to their bank accounts.

Meanwhile Silk Road is likely to continue running for some time since the operator(s) refuse to even communicate outside of his/their website forum. If you’re going to run an agorist business that specializes in verboten substances keep a low profile.

Fingerprint Folly

It was only a matter of time before somebody found a way to crack the fingerprint reader on the iPhone 5S. Coming in as the first group to publicly announce a bypass is the Chaos Computer Club (CCC), which has a habit of breaking security systems:

The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple’s TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided.

[…]

“In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake”, said the hacker with the nickname Starbug, who performed the critical experiments that led to the successful circumvention of the fingerprint locking. “As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints.”

I’ve never been a fan of biometrics. While it’s true that features unique to a person can be used to uniquely identify that person, it’s also true that, as Frank Rieger of the CCC pointed out, one cannot change their biometrics:

“We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token”, said Frank Rieger, spokesperson of the CCC.

If you can’t change your authorization token and somebody compromises that token things aren’t going to end well. Fingerprints are especially bad tokens because they can be lifted from many of the surfaces we touch. An authorization token isn’t very secure when you go around telling everybody about it.

With that said, if Apple’s fingerprint reader is convenient enough that people actually use it, it will have served its purpose. While an unchangeable security token that you leave everywhere you touch isn’t great, it’s better than no authorization control whatsoever.

The Folly of Basing Society Agreements on Geographic Regions

In one of my ever fewer forays into /r/Libertarian I found an interesting link by a user who was looking for feedback on a proposed libertarian constitution he wrote. I decided to take a look at it and noticed that it started off with “We the Citizens of the State of New Hampshire…” That brought up a criticism I have of most attempts by libertarians to establish a libertarian society: they have a tendency to base their society on geographic regions.

I believe it’s time to free ourselves of those imaginary lines drawn on pieces of paper. Geographic regions mean far less today than they did a century ago. The advent of efficient and quick transportation technology combined with effective real-time communication technology has allowed humanity to live a more mobile existence than it did in the past. Thanks to modern avionics I can be anywhere in the Continental United States in a matter of hours. Likewise, I can communicate with my associates via e-mail, instant messenger, video conferencing or telephone from wherever I end up. These technologies have allowed me to become a member of geographically separate groups. Throughout the year I communicate with my Defcon friends and once a year we all travel to Las Vegas to meet. I would argue that I’m more of a member of the Defcon community than I am of the Minnesota community. The same goes for my membership in the shooting, gun blogging, agorist, and anarchist communities.

Communities, when all is said and done, are groups of people who interact with one another. The Internet has allowed these interactions to take place regardless of geographic separation, which has rewritten the rules on social agreements. Libertarian societies, in my opinion, should take shape in the form of mutual aid societies. What other reason would libertarians get together other than for mutual benefit? Libertarian philosophy, especially when you begin moving towards complete anti-statism, isn’t based on geography; it’s based on voluntary interactions. Those interactions can largely take place regardless of physical location. If one of my fellows is in need of assistance I can transfer a quantity of Bitcoin (or pieces of paper with pictures of dead presidents) to him instantly and he can use that to access needed resources local to him.

There are times when geographic agreements make sense. A group of people living around a lake, for instance, would likely benefit from laying down some common mutually agreeable ground rules. But general agreement between fellows one voluntarily interacts with need not be so restricted.

It would do the libertarian community well to toss off the shackles of physical location. We live in a great big world that floats around in a great big universe. Why restrict ourselves to infinitesimal points in a practically limitless area?

The Legal Issue Regarding Fingerprints

I have mixed feelings about the iPhone 5S’s fingerprint reader. On the one hand I believe it would encourage users to enable the security features on their phones. On the other hand it makes things easier for law enforcement because forcing somebody’s finger onto a reader is much easier than coercing their password out of them. As it turns out there may be additional legal issues regarding Apple’s fingerprint reader:

Courts have given mixed messages about whether Americans are protected from being forced to divulge passwords or decrypt information for law enforcement officials. Civil liberties advocates argue defendants shouldn’t have to unlock their own computers for the cops. The logic: Under the Fifth Amendment, Police can’t force you to self-incriminate by testifying, or divulging something in your mind.

It’s unclear if that same protection applies if the password is your fingerprint.

“A fingerprint is entitled to less constitutional protection than a password known in your mind,” said Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation in San Francisco. “If police arrest you and ask you for a password, you could refuse and they’d be hard pressed to force you to divulge the password.”

Of course, police already collect fingerprints after booking a suspect. And the Supreme Court has also held that police don’t need a search warrant to collect fingerprints.

The combination of being able to collect fingerprints without a search warrant and the ease with which a person’s finger can be forced onto a scanner creates a dangerous legal environment. It’s not a stretch of the imagination to think of a situation where a police officer forces a suspect’s finger onto their phone’s scanner, finds incriminating evidence, and makes an arrest based on that evidence. During the court battle the officer would argue that he is allowed to collect fingerprints without a search warrant, which is what he did.

The iPhone 5S Fingerprint Reader

Yesterday Apple announced their new iPhones. The iPhone 5c, in my opinion, wasn’t at all newsworthy. Apple’s new flagship phone, the iPhone 5s, wouldn’t be newsworthy except for its fingerprint reader:

Apple’s brand-new iPhone 5s isn’t dramatically different from last year’s model, but it has at least one major addition: a “Touch ID” sensor. Us human beings are calling it a fingerprint sensor, and it’s built into the phone’s main Home button below the screen. Apple’s Phil Schiller says, “It reads your fingerprint at an entirely new level” — it’s 170 microns in thickness with 500 ppi resolution. According to Cupertino, it “scans sub-epidermal skin layers,” and can read 360 degrees. As expected, the sensor is actually part of the Home button, making it less of a button and more of a…well, sensor. Using Touch ID, users can authorize purchases in iTunes, the App Store, or in iBooks by simply using their thumbprint (starting in iOS 7, of course). Pretty neat / scary!

Honestly, I have mixed feelings about this. It’s certainly a neat piece of technology and I don’t want to decry Apple for trying something new in the smartphone field. Today you can lock your phone with a four-digit passcode or a full password. If I were betting money I would bet that a majority of users use neither option. Of the people who put a passcode on their phone a vast majority likely opt for the four-digit option. Phones are devices that are accessed frequently. Having to enter a long password every time you want to check your Twitter feed gets annoying quickly. Therefore few people are willing to use a complex password to secure their phones. That leaves most people not enabling any security and those who enable security most likely opt for a relatively insecure four-digit passcode.

Apple has been fairly good about including security features that are relatively easy to use and this fingerprint reader looks to be another one. Time will tell if the sensor is easily fooled by other fingerprints but if it convinces more people to put some kind of security on their phone I’m happy. If the technology is properly implemented it could easily be more secure than the four-digit passcode (admittedly not a high barrier to climb over).

Then there’s the other side of the coin. My first thought after seeing the announcement of a fingerprint reader was that the police are going to love it. As it currently stands, a police officer wanting immediate access to your phone must obtain a search warrant and gain your cooperation, have a mechanism of exploiting a security hole in the phone on site, or bring force into things either as a threat or as physical harm. With the inclusion of a fingerprint reader a police officer need only force your finger onto the sensor to unlock it. That seems to be far less hassle than the other three mentioned options.

In light of Edward Snowden’s leaks there is also the concern that your fingerprint will be sent off to the National Security Agency (NSA). While Apple promised that your fingerprint data will only be stored locally there is no way to verify that fact. Furthermore, if Apple was compelled with a national security letter to include a mechanism to allow the NSA to obtain fingerprint data they wouldn’t be legally allowed to tell us. That thought should scare everybody.

Finally, on a more practical side, biometrics have a fatal flaw: the technology is based on sensor data obtained from your body at a point in time. What happens if you cut your finger? Will the sensor detect your altered fingerprint as somebody else? What happens if your finger is cut off? Our bodies can change over time and those changes are often difficult, if not impossible, for biometric technology to detect.

As with most security technology there are ups and downs to this fingerprint reader. If it convinces more people to enable security on their phones then I will be content. However, one must realize that there are real downsides to using your fingerprint as a security token.

Starting Off Somewhere

I received a comment from Sonia on my post detailing Bruce Schneier’s tips for protecting yourself from the National Security Agency (NSA):

This kind of endeavor only works if everybody does it, otherwise it is useless. Also inviting laymen to “learn” reveals how much you underestimate the fact that being a programmer gives you all the mental models you need.

Those people who “learn” will only end up compromising their own security under the impression that they are doing something secure.

Although I addressed these concerns in a reply I wanted to write a post because I feel what I’m about to say is relevant to anybody interested in computer security.

In another comment Sonia mentioned she (I’m assuming Sonia is female based on name, this being the Internet I could be incorrect) is a Ph.D. That being the case, I can see where her views on this subject come from. Oftentimes those of us who have been involved in the computer field for some time fall victim to two issues. First, we develop a form of elitist attitude that causes us to think of ourselves as somehow superior to non-techie people. Second, we forget about the early days when we knew little about computers. I’ve fallen victim to these issues before and I believe Sonia has fallen victim to them in her comment.

She does make a very important point. When you first dive into computer security you’re going to make mistakes. This is a problem all people face when learning something new. Just because you know how to utilize OpenPGP to encrypt your e-mail doesn’t mean you fully grasp underlying concepts such as private key security, the inability to know whether or not a closed system is secure, the value of a proper security audit, or the potential issue of generating keypairs on a system that lacks a true cryptographically secure pseudorandom number generator. All of these things, and more, play a part in OpenPGP and computer security.

You know what? That’s OK. You don’t need to know everything right away. Everybody has to start from the beginning. I didn’t become a computer programmer or system administrator overnight. I wasn’t blessed with the innate knowledge required to operate and manage an OpenBSD system. At one point I had no idea what Postfix was, let alone how to run and maintain a Postfix server. The differences between C and C++ were unknown to me back in the day. All of this knowledge came with due time. I’ve invested years into learning what I now know about computers and will likely invest a lifetime into learning more. When I started to program I made countless amateur mistakes. That didn’t discourage me because I learned from those mistakes. I’m happy to report that I’m still learning from my mistakes today.

Learning how to use the tools necessary to keep yourself safe online isn’t going to happen overnight. You’re going to make mistakes. Those mistakes will compromise your security. But you will learn from those mistakes and you will become more secure because of it.

Computer security isn’t an all-or-nothing thing. Even if you don’t practice proper private key security or generate an easily determinable keypair because your system lacks a secure pseudorandom number generator you’re more secure by using OpenPGP or Off-the-Record Messaging than not. Every encrypted communication requires potential spies to throw time and resources at decrypting it just to find out what’s in it. Simply put, every encrypted communication helps defend everybody’s privacy. As the number of encrypted communications increases potential spies must either prioritize the computing resources available to them or invest other resources into more computing resources.

Julian Assange is Tracking Spyware Contractors

Another weapon we have against the state’s surveillance apparatus is Julian Assange. Mr. Assange, through his Wikileaks project, has provided a platform whistle blowers can use to leak information and remain anonymous. Wikileaks has now announced another project called the Wikileaks Counterintelligence Unit, which will attempt to actively surveil surveillance contractors:

The inaugural release zeroes in on 19 different contractors as they travel visit countries like Bahrain, Kazakhstan, Spain, and Brazil. The location data displays only a time stamp and a country for each entry, but occasionally displays the message, “phone is currently not logged into the network,” indicating the data likely comes from some kind of cell-tracking service. The contractors in question work for Western companies like Gamma International, designer of the infamous FinFisher spyware tool — and as with previous Wikileaks releases marked as “Spy Files,” readers will also find marketing brochures for surveillance products to intercept and monitor web traffic.

I think this is a great idea and needs to be expanded. It would be great if we could eventually do to the surveillance apparatus what it has done to us. Imagine a world where anybody working to spy on us, whether they be private contractors or public National Security Agency (NSA) employees, was being spied on 24/7. Perhaps losing all sense of privacy would be enough to discourage people from working for these bastards.