A Geek With Guns

Chronicling the depravities of the State.

Archive for the ‘You Can’t Cure Stupid’ tag

When You’re Trying to Be Very Smart™ but End Up Looking Stupid

without comments

The announcement of the iPhone X was one of the biggest product announcements of the year. Not only is it the latest iPhone, which always captures headlines, but it includes a new facial recognition feature dubbed Face ID. With the popularity of the iPhone it’s inevitable that politicians will try to latch onto it to capture some headlines of their own. Al Franken, one of Minnesota’s congress critters, decided to try to latch onto the iPhone X by expressing concern about the privacy implications of the Face ID feature. This may appear to have been a smart political maneuver but the senator only managed to make himself appear illiterate since Apple had already published all of the technical information about Face ID:

Apple has responded to Senator Al Franken’s concerns over the privacy implications of its Face ID feature, which is set to debut on the iPhone X next month. In his letter to Tim Cook, Franken asked about customer security, third-party access to data (including requests by law enforcement), and whether the tech could recognize a diverse set of faces.

In its response, Apple indicates that it’s already detailed the tech in a white paper and Knowledge Base article — which provides answers to “all of the questions you raise”. But, it also offers a recap of the feature regardless (a TL;DR, if you will). Apple reiterates that the chance of a random person unlocking your phone is one in a million (in comparison to one in 500,000 for Touch ID). And, it claims that after five unsuccessful scans, a passcode is required to access your iPhone.

Franken should feel fortunate that Apple even bothered entertaining his concerns. Were I Tim Cook I would have directed a member of my staff to send Franken links to the technical publications with a request to have a member of his staff read them to him and not bothered giving him a TL;DR. After all, Apple’s time is worth far more money than Franken’s since it’s actually producing products and services that people want instead of being a parasite feeding off of stolen money.

Still I admit that it was pretty funny seeing Franken make an ass of himself yet again.

Written by Christopher Burg

October 19th, 2017 at 11:00 am

Safari 11, Multiline HTTP Headers, and NSPOSIXErrorDomain:100.

without comments

I was happy when Mozilla announced that it was going to take a serious stab at the browser market again and released Firefox Quantum, a beta version of Firefox that runs significantly faster than the current stable version. So far I’ve been mostly impressed by it. However, Firefox Quantum has one significant flaw: it hogs the CPU. Even when idling I’ve noticed Firefox Quantum processes taking anywhere from five to 20 percent of the available power on one of my CPU cores. I decided to compare this CPU usage against Chrome and Safari, which led me down quite the rabbit hole.

It all started when I tried to load my blog in Safari. Previous versions of Safari haven’t had any difficulty loading my site but when I tried to load it in Safari 11 I received the following error:

NSPOSIXErrorDomain:100 is about as useless as an error message can get. Unfortunately, Google didn’t provide me much insight. After a series of Google searches I did come across this article, which discusses some problems previous versions of Safari have had with Content Security Policies (CSP). Since I implemented a CSP for this site, I figured it was a good place to start. Lo and behold, when I disabled my CSP the site loaded in Safari again.

This confused me since, as I mentioned earlier, my site, with its current CSP, loaded in previous versions of Safari. I thought that maybe one of the fields in my CSP had been deprecated or was misconfigured, which led me to testing with a very simple one-line CSP. When I tested with the simplified CSP my site loaded again. When I added an additional line to my CSP the site stopped loading again. That led me to suspect the line feed characters. I split my CSP into multiple lines to make it easier to read and edit, so it looked like this:

add_header Content-Security-Policy "default-src 'self';
  script-src 'self' 'unsafe-inline' 'unsafe-eval' https://s0.wp.com https://s1.wp.com https://s2.wp.com https://stats.wp.com;
  img-src 'self' https://secure.gravatar.com https://s0.wp.com https://s1.wp.com https://s2.wp.com https://chart.googleapis.com;
  style-src 'self' 'unsafe-inline' https://fonts.googleapi.com;
  font-src 'self' data: https://fonts.gstatic.com;
  object-src 'none';
  media-src 'self';
  child-src 'self' https://www.youtube-nocookie.com https://akismet.com;
  form-action 'self';";

I know it looks a little wonky since it includes unrecommended values like ‘unsafe-inline’ and ‘unsafe-eval’ for script-src but those, as well as a few other odd values such as the ‘data:’ font-src value, are needed by WordPress, which was developed before CSPs were a thing. But I digress. I decided to collapse the entire HTTP header value into a single line so it looked like this:

add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://s0.wp.com https://s1.wp.com https://s2.wp.com https://stats.wp.com; img-src 'self' https://secure.gravatar.com https://s0.wp.com https://s1.wp.com https://s2.wp.com https://chart.googleapis.com; style-src 'self' 'unsafe-inline' https://fonts.googleapi.com; font-src 'self' data: https://fonts.gstatic.com; object-src 'none'; media-src 'self'; child-src 'self' https://www.youtube-nocookie.com https://akismet.com; form-action 'self';";

After I did that my site loaded in Safari again. Then I reverted my configuration to the original multiline version but changed the standard UNIX new line character \n to the Windows (which is also the standard for the web) \r\n. After I did that my site failed to load again. Safari simply didn’t like new line characters appearing in a header entry.

It seemed that Safari 11 was unhappy with something that every other browser, including its predecessors, is still perfectly happy with. I suspected this was a bug in Safari but decided to do some digging before submitting a bug report. This was a good choice because I was mistaken. Searching for information about multiline headers led me to this entry on Stack Overflow, which led me to RFC 7230. Amongst other things, RFC 7230 deprecated multiline header fields:

Historically, HTTP header field values could be extended over multiple lines by preceding each extra line with at least one space or horizontal tab (obs-fold). This specification deprecates such line folding except within the message/http media type (Section 8.3.1). A sender MUST NOT generate a message that includes line folding (i.e., that has any field-value that contains a match to the obs-fold rule) unless the message is intended for packaging within the message/http media type.

It turns out that Safari 11 is adhering strictly to RFC 7230. And as of this writing it’s the only browser doing so. It also turns out that I’ve been unknowingly writing my CSP against the HTTP standard all along.

The moral of the story is if Safari 11 throws an NSPOSIXErrorDomain:100 error, check your HTTP headers to ensure they don’t contain multiline values.
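One way to run that check offline, as an added example that is not the blog’s own code: the Python script below parses a raw HTTP/1.1 response head, reports every field whose value contains an obs-fold (a CRLF, or a bare LF, followed by at least one SP or HTAB), and collapses each fold to a single space, which is what RFC 7230 section 3.2.4 tells a recipient that still accepts folding to do. The two sample responses are constructed here to mirror the multiline and single-line add_header directives above with a shortened policy; that nginx writes the "\n" inside an add_header value to the wire unchanged is an assumption of the sample, not something the post measured.

```python
import re

# RFC 7230 section 3.2.4 "obs-fold": a line break followed by at least one
# SP or HTAB inside a field value. The bare-LF form is matched as well because
# section 3.5 lets recipients treat a lone LF as a line terminator, and an
# nginx add_header value containing "\n" is assumed to reach the wire as-is.
OBS_FOLD = re.compile(rb"\r?\n[ \t]+")


def parse_header_block(raw: bytes):
    """Split a raw HTTP/1.x response head into (status_line, [(name, value), ...]).

    A physical line starting with SP/HTAB is a folded continuation of the
    previous field. It is kept attached to that field's value, fold intact,
    so that find_obs_fold() can report it; unfold() removes it later.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]          # drop the body, if any
    lines = head.split(b"\r\n")
    status_line = lines[0].decode("latin-1")
    fields = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + b"\r\n" + line)
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        fields.append((name.strip().lower().decode("latin-1"), value.strip()))
    return status_line, fields


def find_obs_fold(raw: bytes):
    """Names of the fields whose value still contains line folding."""
    _, fields = parse_header_block(raw)
    return [name for name, value in fields if OBS_FOLD.search(value)]


def unfold(value: bytes) -> bytes:
    """Collapse each obs-fold to one SP, as section 3.2.4 says recipients must."""
    return OBS_FOLD.sub(b" ", value)


# Constructed sample of the multiline add_header above on the wire: header
# lines end in CRLF, the folds inside the CSP value are the bare LFs from the
# nginx config file. Policy shortened for the example.
FOLDED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Content-Security-Policy: default-src 'self';\n"
    b"  script-src 'self' https://stats.wp.com;\n"
    b"  object-src 'none';\r\n"
    b"\r\n"
    b"<!DOCTYPE html>..."
)

# The same policy after collapsing the header value onto a single line.
FIXED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Content-Security-Policy: default-src 'self'; "
    b"script-src 'self' https://stats.wp.com; object-src 'none';\r\n"
    b"\r\n"
)


if __name__ == "__main__":
    for label, raw in (("folded", FOLDED_RESPONSE), ("fixed", FIXED_RESPONSE)):
        bad = find_obs_fold(raw)
        print(f"{label}: obs-fold found in {bad if bad else 'no fields'}")
    _, fields = parse_header_block(FOLDED_RESPONSE)
    csp = dict(fields)["content-security-policy"]
    print("unfolded:", unfold(csp).decode("latin-1"))
```

To check a live server, capture the raw head with something like `curl -s -D - -o /dev/null https://example.com` and pass the bytes to find_obs_fold(); piping that output through `cat -A` also makes the difference visible by eye, since a CRLF shows as `^M$` while a bare LF before an indented continuation shows as a lone `$`. Keep in mind that NSPOSIXErrorDomain:100 is a generic protocol error, so a clean result from this check rules out only the folding cause described above.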

Oh, and if you’re wondering, Safari 11 uses significantly less CPU power than Firefox Quantum. Chrome also uses significantly less CPU power than Firefox Quantum. But it’s worth noting that Firefox Quantum is beta software and its CPU usage may improve before its final release.

Written by Christopher Burg

October 18th, 2017 at 11:00 am

Everything is a Big Ol’ Conspiracy

without comments

Can anything occur in this day and age without people claiming that it’s part of a conspiracy? Almost immediately after the shooting in Las Vegas, before any investigation had a chance to even begin, people were claiming that the event was part of some conspiracy. As with most conspiracy theories, this conspiracy theory is based on spurious evidence. So far the dumbest “evidence” that “doesn’t add up” is news that the shooter used the freight elevator at Mandalay Bay:

Law enforcement sources told CBS News that Las Vegas shooter Stephen Paddock is believed to have used the freight elevator at the Mandalay Bay hotel casino in the days leading up to last week’s deadly attack.

It wasn’t clear what Paddock used the freight elevator for or how often he used it.

How could the shooter have accessed a restricted freight elevator without help from the inside? Obviously this is proof that he had help!

Anybody who claims that doesn’t realize just how poor building security generally is. I’ve used freight elevators on numerous occasions, including in casinos, without authorization. They’re usually “hidden” behind a nondescript door or one with a sign that says “Employees Only.” In almost every case the door is unlocked and the elevator lacks any form of access control. If the owners of the building are really concerned about security, there might be cameras facing the freight elevator doors that nobody monitors, although even that’s pretty rare.

Another way of gaining access to a freight elevator is to ask the person working at the front desk if you can use it to haul up a bunch of luggage. As it turns out, the person at the front desk who is tasked with making the customer happy will often let you use the freight elevator if it makes you happy. Humans are often wonderfully helpful creatures.

So I’m sorry to report that using a freight elevator isn’t evidence that “doesn’t add up.” It adds up quite cleanly. Although I suspect that access control on freight elevators will become more common now that this information has been released.

Written by Christopher Burg

October 12th, 2017 at 10:00 am

The Number of Guns is Irrelevant

without comments

The media and gun control advocates are making a big deal about the number of guns recovered from the hotel room the Las Vegas attacker used. According to ABC News law enforcers found 47 guns in the room.

Realistically an individual can operate one gun at a time. Technically an individual can operate two handguns simultaneously but not very effectively. So why does it matter how many guns an individual owns? It doesn’t. The media makes a big deal out of the number of guns because it catches people’s attention and therefore leads to more page hits and accompanying ad impressions. Media outlets exist to make money so that isn’t surprising. Gun control advocates make a big deal out of the number of guns for similar reasons, although their goal isn’t as noble as making money: their goal is to drum up outrage so they can coax politicians into punishing innocent gun owners by passing restrictive laws.

Having more guns doesn’t make a mass shooter more deadly so the number of guns recovered by law enforcers is irrelevant.

Written by Christopher Burg

October 6th, 2017 at 11:00 am

You Have Access to the Collective Knowledge of Humanity, Use It

without comments

If I had a dollar for every time somebody gave incorrect firearm legal advice, I’d be sitting on a mega yacht in the middle of the Atlantic Ocean drinking scotch that is older than I am.

People with no knowledge about something talking about it authoritatively isn’t a new phenomenon, nor is it restricted solely to gun laws. However, it was far more excusable in the past because the people who did it didn’t have access to the collective knowledge of humanity at their fingertips. If you’re posting something to Facebook then you’re using the Internet. Since you’re using the Internet, you can quickly look things up. For example, if I search for “machine gun law” in Google, the very first link that appears is the Wikipedia article on the National Firearms Act. A brief reading of that article will debunk the claim that anybody can easily buy a machine gun, which is a claim that I’ve seen posted a lot since the attack in Las Vegas.

There is no excuse not to perform at least a basic amount of due diligence in this day and age. If you can post to Facebook, you can perform a search on Google to verify whether or not the claim you’re about to make is true or at least plausible. “But Chris,” I can hear somebody say, “why would I suspect that the thing I believe is false and needs to be verified?” Simple: if you didn’t come by that belief by doing your own search, you should suspect it of being false.

There’s already enough bad information being circulated. Rise above the masses, use your access to the collective knowledge of humanity and verify claims before you post them.

Written by Christopher Burg

October 5th, 2017 at 11:00 am

Rewarding Incompetence

without comments

A lot of people are very upset with Equifax at the moment. The company’s amateur hour security practices allowed the personal information of millions of people to fall into unauthorized hands. You would think that a screw up of that magnitude would dissuade any rational business from doing business with it. Well, the Internal Revenue Service (IRS) isn’t rational or a business, so this shouldn’t surprise anybody:

Between March and July of this year, the credit rating agency Equifax, was infiltrated by hackers who made off with the sensitive personal information of more than 140 million Americans. That sounds like the kind of thing that might hurt a company’s credibility when it comes to security. But Politico is now reporting that the IRS will pay Equifax $7.25 million to “verify taxpayer identities and help prevent fraud.”

I don’t know why the IRS feels the need to pay Equifax to verify taxpayer identities when its database is in the wild. I’m sure the IRS could acquire a copy and just verify taxpayers itself.

I really need to get into government contracts. It seems like no screw up is so severe that it will dissuade the government from doing business with you.

Written by Christopher Burg

October 5th, 2017 at 10:00 am

Being an Agorist is Easier than Ever

without comments

Samuel Edward Konkin III introduced me to the idea that the State can be starved of resources if more economic activity moved into the unregulated black market. However, I always figured entering the black market would require dealing drugs, guns, or some other highly controversial good or service. I never imagined that I could enter the black market by selling household pets:

California could become the first state to outlaw so-called puppy mills with legislation that bans pet stores from selling dogs, cats and rabbits that do not come from rescue organizations or shelters.

Animal rights activists believe that this bill will eliminate “puppy mills” and other breeding operations that often raise animals in inhumane conditions. However, that won’t be the outcome of this bill. What this bill will do is create a black market for household pets. On the upside, this will deprive California of any licensing and tax revenues associated with breeding pets.

Written by Christopher Burg

October 4th, 2017 at 10:00 am

I Disagree

with 4 comments

It’s no secret that the people living in the United States of America are becoming more polarized. People increasingly refuse to even entertain the possibility that their ideas may not be the only correct ideas. What makes this matter especially bad is that there appears to be an inverse correlation between polarization and disagreement. As a population becomes more polarized, it seems to become less willing to entertain disagreement:

To listen and understand; to question and disagree; to treat no proposition as sacred and no objection as impious; to be willing to entertain unpopular ideas and cultivate the habits of an open mind — this is what I was encouraged to do by my teachers at the University of Chicago.

It’s what used to be called a liberal education.

[…]

That habit was no longer being exercised much 30 years ago. And if you’ve followed the news from American campuses in recent years, things have become a lot worse.

According to a new survey from the Brookings Institution, a plurality of college students today — fully 44 percent — do not believe the First Amendment to the U.S. Constitution protects so-called “hate speech,” when of course it absolutely does. More shockingly, a narrow majority of students — 51 percent — think it is “acceptable” for a student group to shout down a speaker with whom they disagree. An astonishing 20 percent also agree that it’s acceptable to use violence to prevent a speaker from speaking.

These attitudes are being made plain nearly every week on one college campus or another.

Rhetoric and debate are being replaced by religious zeal. An increasing number of Americans appear to be holding their beliefs as infallible scripture. If you disagree with their beliefs, you are seen as a heretic and may find yourself excommunicated or even attacked.

Discussion and debate were once considered a cornerstone of education. You were expected to hold your beliefs because evidence had led you to them and you were therefore also expected to be able to defend your beliefs from critics using the art of debate. In modern times you are expected to have faith in the beliefs dictated to you by your “betters.” Since people who hold beliefs because they were told to do so have not actually researched their beliefs thoroughly, many people today are unable to debate and thus resort to other tactics, which are sometimes violent.

Admittedly, part of me looks forward to the televised death matches that are the logical conclusion of this polarization. However, I’m already weary of every minor disagreement resulting in screaming matches or physical fights.

Written by Christopher Burg

September 27th, 2017 at 11:00 am

Selective Collectivism

with 2 comments

One of the most fascinating characteristics of collectivists is how they tend to individualize bad ingroup behavior and good outgroup behavior but collectivize good ingroup behavior and bad outgroup behavior.

Let’s use a supporter of the Democratic Party (party chosen at the flip of a coin) for an example.

If another member of the Democratic Party commits murder, our hypothetical supporter will likely be quick to point out that that murderer is a bad apple and not typical of democrats in general. If another member of the Democratic Party gives money to a homeless man, our hypothetical supporter will likely point out that that charitable individual is proof of the good acts of the Democratic Party.

If a member of the Republican Party commits murder, our hypothetical supporter will likely be quick to accuse the Republican Party of not doing enough to distance itself from the murderer and therefore everybody in that party is tacitly supporting the murderer. If a member of the Republican Party gives money to a homeless man, our hypothetical supporter will likely point out that that charitable individual is an exception and that the Republican Party in general hates the poor.

We see this every day. How many Christians point out that the misdeeds of a handful of Christians aren’t representative of Christianity but then imply or outright claim that Islam is a religion of violence because a handful of Muslims commit violent acts? How many Americans continue to excuse the terrible acts of the country’s politicians as the acts of a few bad apples who aren’t representative of America as a whole but then collectivize all North Koreans because of the acts of the country’s leader?

Collectivists tend to be selective. They want all of the good credit for their side and all of the bad credit to the other side, which leads to a significant amount of philosophical inconsistency.

Written by Christopher Burg

September 26th, 2017 at 11:00 am

But Wait, There’s More

without comments

Equifax already displayed a staggering level of incompetence but like a Billy Mays commercial there’s more:

The official Equifax Twitter account encouraged people to visit a knock-off website that mocks the company’s security practices instead of the site the company created to warn of a massive data breach. That recent breach exposed personal details for as many as 143 million US consumers.

In a tweet on Tuesday afternoon, an Equifax representative using the name Tim wrote: “Hi! For more information about the product and enrollment, please visit: securityequifax2017.com.” The message came in response to a question about free credit monitoring Equifax is offering victims. The site is a knock-off of the official Equifax breach notification site, equifaxsecurity2017.com. A security researcher created the imposter site to demonstrate how easy it is to confuse a legitimate name with a bogus one. The Equifax tweet suggests that even company representatives can be easily fooled. The tweet was deleted late Wednesday morning, more than 18 hours after it went live.

It’s almost as if large credit agencies like Equifax aren’t held accountable for screwing up and therefore aren’t motivated to do an effective job. Weird.

Statists continue to claim that government is necessary to deliver justice when large corporations like this screw up. However, I’m still waiting to see the government do anything more than give a corporation like this a minor slap on the wrist for fuck ups of this magnitude. Hell, I’m still waiting to see the government give Equifax a stern talking to over this series of amateur mistakes. As far as I can tell, government seems to exist primarily to protect large corporations like this from competitors that would currently be tearing it apart if there was a free market.

Written by Christopher Burg

September 22nd, 2017 at 10:30 am