Tag: Technology

Protect Yourself from the NSA

As I said, those of us who dwell on the Internet aren’t going to take the NSA and GCHQ’s attack lightly. We have more firepower than they realize and have unleashed one of our best weapons, Bruce Schneier. Mr. Schneier has been working with Mr. Greenwald for the last two weeks and has written a short list of things, based on the information provided by Mr. Snowden, you can do to keep yourself secure online:

1) Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it’s work for them. The less obvious you are, the safer you are.

2) Encrypt your communications. Use TLS. Use IPsec. Again, while it’s true that the NSA targets encrypted connections – and it may have explicit exploits against these protocols – you’re much better protected than if you communicate in the clear.

3) Assume that while your computer can be compromised, it would take work and risk on the part of the NSA – so it probably isn’t. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it’s pretty good.

4) Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It’s prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.

5) Try to use public-domain encryption that has to be compatible with other implementations. For example, it’s harder for the NSA to backdoor TLS than BitLocker, because any vendor’s TLS has to be compatible with every other vendor’s TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it’s far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.

Mr. Schneier does rightly point out that many Internet users aren’t currently capable of doing all of these things. To those of you who don’t know how to use the above mentioned tools, learn. Information on all of the tools Mr. Scheneier mentioned is freely available online. If you’re still having trouble I’m more than happy to help. Shoot me an e-mail at blog [at] christopherburg [dot] com and I’ll give you as much assistance as I can. Together we can push back against the state’s surveillance apparatus and return the Internet to its original form, a network where those wanting to remain anonymous can do so.

How The NSA and GCHQ Defeat Privacy

Glenn Greenwald has done it again. With the help of Edward Snowden he has been buy leaking many of the National Security Agency’s (NSA) dirty little secrets. Yesterday he dropped another bomb as he laid out the methods used by the NSA and British Government Communications Headquarters (GCHQ) to destroy online privacy:

US and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden.

[…]

The files, from both the NSA and GCHQ, were obtained by the Guardian, and the details are being published today in partnership with the New York Times and ProPublica. They reveal:

• A 10-year NSA program against encryption technologies made a breakthrough in 2010 which made “vast amounts” of data collected through internet cable taps newly “exploitable”.

• The NSA spends $250m a year on a program which, among other goals, works with technology companies to “covertly influence” their product designs.

• The secrecy of their capabilities against encryption is closely guarded, with analysts warned: “Do not ask about or speculate on sources or methods.”

• The NSA describes strong decryption programs as the “price of admission for the US to maintain unrestricted access to and use of cyberspace”.

• A GCHQ team has been working to develop ways into encrypted traffic on the “big four” service providers, named as Hotmail, Google, Yahoo and Facebook.

I think the most important thing to note is that, from the information leaked, it doesn’t appear as though the NSA or the GCHQ have actually broken common encryption algorithms. In cryptography terms an encryption algorithm is only broken if an attack finds a method of decrypting data encrypted with that protocol faster than can be done via brute force (guessing every possible decryption key). What the NSA and GCHQ are doing is buying off commercial entities to insert back doors into their security products. Keep this in mind as major media outlets wrongly (as far as we know) begin reporting about how the NSA is able to break all known encryption algorithms.

None of the information in this latest leak surprises me. It’s been apparent for a while that the state’s surveillance apparatus has been relying on a fascist marriage between private and public entities. The game is afoot and the NSA and GCHQ believe they can wage war on the Internet without suffering repercussions. Those of us who dwell may not be as agreeable as they think.

The Vietnamese Government Doesn’t Understand How the Internet Works

I’m a fan of saying that statism is synonymous with halting progress. Statists always attempt to curtail advancements by forcing them into preconceived notions. A classic example of this mentality can be found in stories involving Japanese Samurai. Many works note that the Samurai believed firearms to be dishonorable weapons. Such a mentality made sense to an individual who spent decades learning the art of swordsmanship. All of the time spent mastering the sword became irrelevant when some peasant with little training could strike from many yards away. Instead of realizing that technology had advanced to a point where the importance of the sword was diminished, a master swordsman would be apt to argue that firearms aren’t honorable. Why change yourself when you can force everybody else to change to suit your desires?

Today we’re seeing this with the emergence of the Internet. Statists are trying to confine the Internet to their preconceived notions. They don’t believe anybody with a blog can be a journalist because journalists have traditionally been individuals who work for centralized state-recognized news organization. They don’t want to acknowledge that crypto-currencies are real currencies because it goes against their belief that money must be centrally issued paper notes. This is what leads governments around the world to implement stupid laws like this:

A controversial law banning Vietnamese online users from discussing current affairs has come into effect.

The decree, known as Decree 72, says blogs and social websites should not be used to share news articles, but only personal information.

The law also requires foreign internet companies to keep their local servers inside Vietnam.

A government could only issue such a decree if it lacked an understanding of how the Internet works. Enforcing laws requires that you can identify offenders. The beauty of the Internet is that one can maintain anonymity if they desire. How can the Vietnamese government enforce laws regulating blogs if those blogs are created on a computer that is connected to a random wireless network under a pseudonym and hosted on a location hidden service? Statists can pass whatever laws they want but reality isn’t going to reform itself to make enforcement of those laws possible.

3D Printed Skin

The technology industry makes me happy. While politicians run around trying their damnedest to wreck everybody’s life the technology industry is busy trying to improve everybody’s life. One of the most interesting technologies that looks to change our society is 3D printers. Taken to its logical conclusion, 3D printer technology stands to decentralized great deals of manufacturing and medical care. The manufacturing side of 3D printers is discussed frequently but the technology’s applications in the medical field are less publicized. For example, I haven’t read about the fact that scientists at Wake Forest University have printed skin onto a burn victim:

Scientists have developed a method of 3D printing new skin cells onto burn wounds at Wake Forest University’s Military Research Center. The method is far superior to traditional skin grafts because regular grafts require skin from a donor site somewhere on the patient’s body. Taking skin from a donor site is painful and sometimes the patients do not even have enough unburned skin to transplant.

Wake Forest accomplishes the skin printing by way of laser scanning and a modified inkjet printer. The laser scans the patient’s burn and that information gets translated into a personalized plan for filling the wound up with cells. Then the inkjet printer lays down the cells individually, one layer at a time until the burned area is completely covered.

Imagine a day when entire organs can be printed. No longer will people in need of transplants have to worry about a lack of potential donors.

Smith and Wesson M&P Shield Recall

I’m beginning to have flashbacks to the slew of jokes made in the shooting community about the Ruger LCP when it suffered failures that resulted in a recall. Now Smith and Wesson can join Ruger because they’re issuing a recall for early the M&P Shield:

SPRINGFIELD, Mass. (August 22, 2013) — Smith & Wesson Corp. announced today that the Company has identified a condition where the trigger bar pin could damage the lower trigger in certain M&P Shields in a way that may affect the functionality of the drop safety feature of the firearm, potentially allowing the pistol to discharge if it is dropped.

This Safety Alert applies to all M&P Shield pistols manufactured before August 19, 2013. We believe this condition is largely limited to recently manufactured M&P Shield pistols. However, out of an abundance of caution, we are asking all consumers of all M&P Shields manufactured before August 19, 2013 to immediately inspect their pistols for this condition.

Any unintended discharge of a firearm has the potential to cause injury, and we ask that you STOP USING YOUR PISTOL IMMEDIATELY UNTIL IT HAS BEEN INSPECTED AND, IF THE CONDITION IS FOUND, REPAIRED.

To determine whether your firearm was manufactured before August 19, 2013 and to receive video instructions for inspection, please go to MPShieldSafetyAlert.com. All firearms must be inspected to determine whether it exhibits the condition identified in this notice. You can also find this information on our website at www.smith-wesson.com under the product safety button.

If you are uncomfortable conducting the inspection outlined above, or are unsure whether the condition described in this notice applies to your firearm, please take your firearm to your local M&P Certified Armorer or send your firearm to Smith & Wesson for inspection. M&P Armorers can be found on the smith-wesson.com website under the Find a Dealer tab

If after inspection it is determined that the condition outlined in this safety alert exists, the firearm must be sent to Smith & Wesson for repair. If your firearm is affected by the condition outlined in this notice, please send your pistol to Smith & Wesson. Your firearm will be inspected, and if necessary, repaired at no cost to you. Your firearm will be returned within 5 to 7 business days. All shipping and repair costs will be covered by Smith & Wesson.

Please contact Smith & Wesson directly at 877-899-6259, or at MPShieldSafetyAlert.com to arrange for the repair, if necessary, of your pistol.

Ironically the website the recall redirects Shield owners to, MPShieldSafetyAlert.com, doesn’t present any information unless JavaScript is enabled. A safety recall shouldn’t subject a user to potentially unsafe situations such as requiring JavaScript to be enabled in order to view a new, and therefore unknown, website. It almost makes me want to register MPShieldSafetyRecall.com, or another similar domain name, and load it with web exploits.

Oh, and you should probably check your Shield. Guns that fail to operate in their expected manner are pretty good at maiming their users.

EDIT: 2013-09-23: 13:00: I misread the date. The recall affects almost all M&P Shields, not just early ones. Also, I can’t properly close HTML tags. Thanks Zerg539 for pointing those issues out.

Rules are Meant to be Broken

Possibly the least productive conversation that has arisen since the great Snowden leak is what rules Congress should implement to protect the privacy of online users. Asking the state to pass rules to curtail its own misdeeds is like asking a wolf to guard your sheep from danger. As an advocate of self-defense I, along with my peers, often point out how ineffective government rules are at protecting people. Restraining orders, for example, are nothing more than pieces of paper that are unable to actually protect you from an aggressor who doesn’t care about disobeying a judge’s command. Laws against murder, assault, and rape have not stopped murders, assaults, or rapes. To make my point even more clear, rules have already been established to protect the privacy of online users but the National Security Agency (NSA) broken them thousands of times per year:

The NSA audit obtained by The Post, dated May 2012, counted 2,776 incidents in the preceding 12 months of unauthorized collection, storage, access to or distribution of legally protected communications. Most were unintended. Many involved failures of due diligence or violations of standard operating procedure. The most serious incidents included a violation of a court order and unauthorized use of data about more than 3,000 Americans and green-card holders.

Rules are meant to be broken as they old saying goes. No amount of Congressional oversight will protect us from Big Brother. Hell, Congress is Big Brother. Let’s put the conversation about what laws to pass to rest. It’s no more productive than an argument between two children who are trying to determine if Batman is better than Superman (granted, since that argument involves Batman it’s already more productive than any conversation about what laws to pass). What we need to discuss is how to protect ourselves from prying eyes at all times. Even if the NSA stopped spying on us we’re still being watched by numerous corporate entities, such as Google and Facebook, that have a keen interest in tracking our every move online.

We should be having conversations about cryptography, anonymity, and decentralization. Those things, unlike the passage of laws, actually hold the potential to protect us from Big Brother.

The State Cannibalizes Its Servants

Bruce Schneier has a good blog post urging companies to fight the National Security Agency’s (NSA) rampant spying:

It turns out that the NSA’s domestic and world-wide surveillance apparatus is even more extensive than we thought. Bluntly: The government has commandeered the Internet. Most of the largest Internet companies provide information to the NSA, betraying their users. Some, as we’ve learned, fight and lose. Others cooperate, either out of patriotism or because they believe it’s easier that way.

I have one message to the executives of those companies: fight.

Do you remember those old spy movies, when the higher ups in government decide that the mission is more important than the spy’s life? It’s going to be the same way with you. You might think that your friendly relationship with the government means that they’re going to protect you, but they won’t. The NSA doesn’t care about you or your customers, and will burn you the moment it’s convenient to do so.

This is a point I’ve brought up to many people many times: the government doesn’t love you. Many people cooperate with the state because they view themselves as patriots, believe cooperating will make their lives easier, or value monetary gain more than principles. In the short term this seems like an effective strategy but in the long term the state has a nasty habit of turning against those who serve it.

In the state’s eyes everybody is a pawn. Nowhere is this more noticeable than politics. If you’ve worked on campaigns then you know how disposable people are. One of my favorite examples, since I’m living in Minnesota, is a particularly sketchy politicians by the name of Kurt Bills. Mr. Bills ran for office under the guise of understanding economics and he did his damnedest to court Ron Paul supporters. After receiving an endorsement from Ron Paul his job of courting became very easy indeed. What happened after Ron Paul supporters sunk tons of time and money into Kurt Bill’s campaign? They were tossed to the side of the road as he pursued social issues, endorsed Mitt Romney, and lambasted Ron Paul supporters for not voting for neo-conservatives. Political campaigns aren’t the only example of this. Law enforcement agents and members of the military are quickly disposed of when they are no longer politically convenient. If you get into bed with the state you will find yourself infected with 15 different sexually transmitted diseases after the breakup.

As Bruce Schneier points out, the companies currently cooperating with the state will soon find themselves out in the cold:

It will be the same with you. There are lots more high-tech companies who have cooperated with the government. Most of those company names are somewhere in the thousands of documents that Edward Snowden took with him, and sooner or later they’ll be released to the public. The NSA probably told you that your cooperation would forever remain secret, but they’re sloppy. They’ll put your company name on presentations delivered to thousands of people: government employees, contractors, probably even foreign nationals. If Snowden doesn’t have a copy, the next whistleblower will.

As Google, Yahoo, and Microsoft are finding out, once your cooperation with the NSA becomes public the NSA will do nothing to help you dig yourself out of the hole.

Interview with the Dread Pirate Roberts

After what must have been a great deal of effort, Andy Greenberg managed to get an interview with the Dread Pirate Roberts, the mystery person behind Silk Road. The Dread Pirate Roberts is one of those individuals I look up to. By operating the Silk Road, a truly free market for many things that are prohibited by the state, he or she has done far more to advance liberty than the throngs of people who sink their time into politics. He or she has actually created a mechanism that allows individuals to live freer today. Although the entire interview is of interest I think the most telling part is the following paragraph:

All my communications with Roberts are routed exclusively through the messaging system and forums of the website he owns and manages, the Silk Road. Accessing the site requires running the anonymity software Tor, which encrypts Web traffic and triple-bounces it among thousands of computers around the world. Like a long, blindfolded ride in the back of some guerrilla leader’s van, Tor is designed to prevent me–and anyone else–from tracking the location of Silk Road’s servers or the Dread Pirate Roberts himself. “The highest levels of government are hunting me,” says Roberts. “I can’t take any chances.”

I doubt this is an understatement since anybody who unveils the Dread Pirate Robert’s identify and manages to arrest him will become legendary in the Drug Enforcement Agency (DEA), Federal Bureau of Investigations (FBI), and other law enforcement agencies. For the crime of operating an online market place that allows individuals to sell what they want he or she is being hunted like a dog.

Still, with all of its power and might, the state has been unable to locate the Dread Pirate Roberts or Silk Road. The state’s inability to find and strike against either is a testament to the power of location hidden services.

Bitmessage

Since I just spent a post bitching about the ineffectiveness of e-mail I think it’s time to discuss alternatives. In my pursuit to find methods of secure communications I’ve stumbled across an interesting piece of software called Bitmessage. Bitmessage caught my attention because it attempts to fulfill several goals I have when looking for an e-mail replacement. First, it’s decentralized. There are no central servers running the Bitmessage network. Instead the Bitmessage network is similar to Bitcoin in that messages are broadcast (in an encrypted form) throughout the entire network.

The second feature that interests me is Bitmessage’s pseudo-anonymity.Bitmessage, like Bitcoin, is based off of public-key cryptography. Users create a keypair and the public key is hashed, which gives you an identifier that others can use to communicate with you. All message sent to you are encrypted with your public key so only you, the holder of the private key, can decrypt and read them.

That leads me to the third feature of Bitmessage that interests me, an attempt to use strong cryptography. All messages in the Bitmessage network are encrypted using public-key cryptography. That makes snooping on communiques extremely difficult. One of the weaknesses I’ve noted in most potential e-mail replacements is a tendency to send communiques in plain text. Most instant messenger servers, for example, send all message in plain text so anybody can easily listen in.

Bitmessage isn’t perfect by a long shot. The software is obviously in an alpha stage. I could only find a pre-built Windows client on Bitmessage’s website and an unofficial pre-built OS X client after some digging. Installing Bitmessage is probably more work than most people want to go through. Another problem with Bitmessage is that no independent security audit has been performed on the network or the client (although a request for such an audit is on the front page of Bitmessage’s wiki). Without a security audit there is no way to know how secure Bitmessage really is. But these are problems that plague every new piece of software. One should approach Bitmessage as a proof of concept that promises to deliver great things in the future.

If you’re interested in testing Bitmessage with me my address is BM-2D95ncE8da721wVxQzcA3QEhjrg2MGFjka.

Prototype Automatic Gauss Gun Developed

Although I love firearms I must admit that I’m beginning to find old fashioned chemical propulsion to be rather boring. Thankfully the hacker community has been working on this issue by developing exciting new electromagnetic propulsion systems. Meet the fully automatic Gauss gun:

While it may only be able to shoot a few cans right now, we certainly wouldn’t want to be in front of [Jason]‘s fully automatic Gauss gun capable of firing 15 steel bolts from its magazine in less than two seconds.

The bolts are fired from the gun with a linear motor. [Jason] is using eight coils along the length of his barrel, each one controlled by an IGBT. These are powered by two 22 Volt 3600mAh LiPo battery packs.

Here’s a video of the weapon firing:

Obviously the weapon isn’t very deadly at this point in time but it’s a prototype developed by a hobbyist in his spare time. As technology tends to do, this design will continue to advance until it becomes a viable weapon platform. These are the things I get excited about in the firearm industry these days, new prototypes that make actual advances.