United States Government Looking to Repeat Security Blunder

As we’re recovering from two vulnerabilities caused by old export restrictions on strong cryptography tools the United States government is looking to repeat that failure:

The U.S. Commerce Department has proposed tighter export rules for computer security tools, a potentially controversial revision to an international agreement aimed at controlling weapons technology.

On Wednesday, the department published a proposal in the Federal Register and opened a two-month comment period.

The changes are proposed to the Wassenaar Arrangement, an international agreement reached in 1995, aimed at limiting the spread of “dual use” technologies that could be used for harm.

Forty-one countries participate in the Wassenaar Arrangement, and lists of controlled items are revised annually.

The Commerce Department’s Bureau of Industry and Security (BIS) is proposing requiring a license in order to export certain cybersecurity tools used for penetrating systems and analyzing network communications.

Another great example of the state making the same mistake, only harder. Restricting the export of strong cryptographic tools put everybody at risk of attack and an export restriction against penetration testing tools would put everybody at risk of missing basic vulnerabilities in their networks.

Penetration testing tools, like any technology, can be used for good and bad. If you properly utilize the tools on your network you can discover vulnerabilities that are exploited by those tools and patch them. Not utilizing these tools allows a malicious actor to exploit your network using those tools. Any restriction on exporting these tools will leave networks vulnerable to them.

Why would the United States government propose implementing restrictions that put the entire world at risk? Most likely it’s because government agencies utilize penetration testing tools to exploit networks and would therefore gain considerably by making defending against them more difficult. This proposal shows just how self-centered the state really is because it’s willing to put billions of people at risk just to make its task of exploiting networks a little easier. Its narcissism is so bad that it doesn’t even care that this restriction would also make every network more vulnerable to exploitation by its enemies (if the United States can hack your network then foreign countries such as North Korea can as well).

Fortunately we learned what happens when restrictions are placed on ideas during the crypto wars. Even though the United States restricted the export of strong cryptographic algorithms the knowledge spread quickly. It’s pretty hard to restrict something that can literally be printed on a t-shirt, especially when you have a worldwide network that specializes in information sharing. If this restriction is put into place it will be entirely ineffective at everything but giving the state justification to put several very intelligent people in a cage for the crime of making our networks safer.

Market Solutions Versus State Solutions: Global Positioning System

Continuing on my theme of comparing market solutions to state solutions, today I’m going to discuss the Global Positioning System (GPS). For those of you unfamiliar with GPS it’s a network of satellites that provides positional information for navigation purposes. Development started in 1973 by the Department of Defense (DoD) and it became fully operational in 1995. Today anybody who uses a computer navigation system, say their phone or a dedicated GPS receiver, relies on this network.

There are several points to note about GPS. It was originally developed to improve the DoD’s ability to blow up people in foreign countries. Civilians were begrudgingly given access to the network but only through a degraded signal. In 2000 civilians were finally allowed to access a non-degraded GPS signal and that’s when the real innovation began.

The DoD’s exclusive access to the full capabilities of GPS resulted in no notable quality of life improvements for everyday people. Instead the DoD saw GPS as a way of improving its ability to kill people. Even today the state still uses GPS to enhance its own power. The Federal Bureau of Investigation (FBI), for example, uses GPS to perform warrantless surveillance.

Meanwhile the market has been utilizing GPS to improve the lives of everyday people. In 1991 a GPS receiver weighing less than 3 pounds was finally created. Today GPS receivers are so small that they fit in our phones. Using these miniaturized GPS receivers we are able to navigate with our phones. Google and (to a much lesser extent) Apple’s mapping services give consumers free access to constantly updated maps that enable real-time turn-by-turn navigation when coupled with a GPS signal. Market access to GPS gave rise to Geocaching, a game where players use GPS to locate hidden caches. Task management apps allow users to create reminders that will fire off when they enter their home or place of work. Bicycling apps allow cyclists to keep track of where they rode, how fast they were going, and how high the hills they ascended were. Phones and other devices can utilize GPS to report their location so they can be easily recovered if stolen. Thanks to the market you can even use GPS to defend yourself against the state. Apps such as Waze will alert you to reported police presence before you’re close enough to be clocked on a radar gun.

Where the state saw a network of navigational satellites only as a means of improving its ability to kill and spy the market saw it as a means of improving our lives in a vast number of ways. Thanks to the market GPS is so integrated into our daily lives that we take it for granted.

Opposing the War on Immigrants

One of the issues anarchist and statist libertarians often butt heads over is immigration. We anarchist libertarians don’t believe the imaginary lines created by illegitimate entities should exist. Statist libertarians often cherish those imaginary lines to such a point that they demand fences, guard towers, and armed patrols to keep people on the other side out.

The problem with strong borders is that they necessarily require a strong enforcer. A strong enforcer in the hands of the state will always lead to the expansion of state power:

Libertarians should pay more attention to the ban on immigration. These regulations are big government at its worst: over-militarization, over-criminalization, over-regulation, anti-market, and anti-liberty. Nearly every aspect of American life is affected by them, yet many libertarians are still ambivalent.

Its consequences are devastating. Consider this fact: the number one reason for arrests under federal law last year was for unsanctioned entry into the United States. And it’s not even close. Half of all federal arrests in the United States are for immigration offenses — drugs are a distant second at just 15 percent.

If libertarians are focused on reducing government power and intrusion into the lives of peaceful people, immigration ought to receive at least as much attention as the drug war. But it’s almost like the liberty movement is stuck in the 1980s when illegal immigration, though common, was largely ignored.

Statist libertarians, and other opponents of freedom of movement that claim to support small government, cannot have both a small government and heavily defended borders. Anybody who follows a philosophy that advocates free markets should understand the problem here. The state is a monolithic entity that is slow to adapt to changes and relies on violence to accomplish all of its goals. Meanwhile immigrants are more akin to market actors. There are millions of them and when you have millions of people who can quickly adapt to changes going against a single entity that seldom adapts to changes the former group is going to win.

We see this today. When the state throws up border crossings on major highways immigrants use less traveled routes. When the state builds a wall immigrants climb over it, cut through it, or tunnel under it. When the state patrols the border immigrants watch their patrol patterns and learn how to avoid them. No matter what the state does immigrants adapt their strategies to compensate.

Furthermore immigrants seldom have a lot of money so they come up with cheap solutions. This harkens back to asymmetrical warfare. One side uses cheap tactics to take out the other side’s very expensive equipment. Eventually the side utilizing cheap tactics wins by simply bleeding the other side dry. Immigrants, likewise, use cheap tactics that the state tries to counter with extremely expensive equipment and tactics. A handful of immigrants crossing the border can cause the state to send out police patrols to pull over anybody who has a bit too much melanin in their skin to check for their citizenship papers. Patrols like that cost a lot of money.

Libertarians, even those who believe those imaginary lines are important, should oppose the war on immigrants on the grounds that it’s incredibly inefficient and a detriment to liberty.

Market Solutions Versus State Solutions: Google Edition

Xcel Energy demonstrated the difference between how markets and the state utilize drones. Now Google unwittingly provided another demonstration. When Google created the Play Store it saw it as a service that would improve the lives of their customers by providing a method to easily download Android applications. When the National Security Agency (NSA) saw the Play Store it saw it as a method to infect Android phones so they could be surveilled:

The information about Irritant Horn comes from documents provided by Edward Snowden to The Intercept and CBC. The program, which appears to have been in its early stages in 2011-2012, had NSA analysts use a type of man-in-the-middle attack to implant spyware on Android devices connecting to the Android Market or Samsung’s apps store. Basically, besides the requested app, the targets were served malicious software that allowed spooks to eavesdrop on everything that happened on the device. The NSA even explored using the capability to modify the target device, for propaganda or disinformation purposes.

Google wants to provide Android users with Firefox so they can browse the web. The NSA wants to provide Android users with a modified version of Firefox that reports on their browsing habits and potentially feeds them disinformation.

Whether the NSA was successful in hijacking Google’s service is up in the air. I think the answer to that heavily depends on the security used by the Play Store. If the Play Store uses effective tools to encrypt communications between an Android device and the Play Store as well as digitally sign provided software the likelihood of the NSA being successful is low. This is because a properly secured connection cannot be hijacked and digitally signing the software will alert you if it has been altered. Even if Google cooperated with the NSA the user would be able to tell if the software was modified so long as the developer signed it (that still leaves the possibility of the NSA enlisting the developer but then the problem isn’t the Play Store).

Two lessons should be taken away from this story. First, the market sees services as means to fulfill consumer wants whereas the state sees services as means to exploit them. Second, proper security is important and market actors should focus on it to protect consumers from the state (and other malicious entities).

Giving Back to Society

It amuses me when people talk about the wealthy market actors needing to “give back to society” and then say holding a political office is a public service.

Let’s consider the difference between a wealthy person who created a product that people wanted versus a politician. Steve Jobs, for example, became an extremely wealthy man by producing computers, portable music players, and phones that people really wanted. People wanted these products so much that they were willing to give him money in exchange. How can one claim he needs to “give back to society” when he already gave people in society what they wanted?

Politicians are the polar opposite. Instead of fulfilling the wants of people in society politicians dictate what they want society to want. When a politician says a community needs a new school they don’t build one with their own money and see if members of the community want it. What they do is hold a meeting with their fellow politicians, vote to build a new school, then plunder more money from the community by issuing a tax increase to build it. Where a market actor gives to the community a politician takes from the community. How can holding political office be considered a public service when the job involves stealing from people?

If anybody needs to “give back to society” it’s the politicians and they can start by giving back all of the money they’ve plundered from me over the years. I chose to give Steve Jobs my money of my own volition. The only reason I give the politicians money is because the alternative involves a cop smashing my face in with a truncheon.

Political Solutions Versus Technical Solutions

When discussing pervasive surveillance I focus exclusively on technical solutions. People involved in political activism often ask me why I don’t also involve myself in political solutions. My reason is that I don’t like investing effort into work that is unlikely to pay off when I can invest it in work that will pay off.

Consider the political solution. Say, in spite of everything we know about the state, Congress decides to ban the National Security Agency (NSA) from spying on American citizens and actually enforces that ban. What then? You’re still vulnerable to spying from the Government Communications Headquarters (GCHQ) as well as the intelligence agency of every other major world government. In addition to that your Internet service provider (ISP) can still spy on you and inject malicious code into websites you visit. Political solutions are also temporary. Once the Congress that voted to prohibit the NSA from spying is replaced with a new Congress that ban could be reversed.

Technical solutions avoid those limitations. When you use secure forms of communication that the NSA, GCHQ, and other intelligence agencies can’t crack then they are unable to spy on you regardless of where the political winds blow. Furthermore ISPs are unable to surveil your traffic or inject malicious code into websites you visit. Technical solutions fix the holes needed to spy on you and therefore defend you against all surveillance and not only for temporary stretches of time (assuming the secure communication tools continue to be maintained so any discovered vulnerabilities are fixed).

I, like everybody else, only have a limited amount of time. Why would I invest some of that precious time into something that is, at best, temporary and only guards against a select few bad actors when I can focus on something that is more permanent and works against all bad actors? It just doesn’t make sense.

Another Vulnerability Caused by State Meddling

In March a security vulnerability, given the fancy marketing name FREAK, was discovered. FREAK was notable because it was caused by government meddling in computer security. Due to cryptography export restrictions quality cryptographic algorithms were not allowed to be put into widespread use, at least legally, and many legacy systems were built around weak algorithms. FREAK may be behind us but a new vulnerability was just discovered:

Tens of thousands of HTTPS-protected websites, mail servers, and other widely used Internet services are vulnerable to a new attack that lets eavesdroppers read and modify data passing through encrypted connections, a team of computer scientists has found.

The vulnerability affects an estimated 8.4 percent of the top one million websites and a slightly bigger percentage of mail servers populating the IPv4 address space, the researchers said. The threat stems from a flaw in the transport layer security protocol that websites and mail servers use to establish encrypted connections with end users. The new attack, which its creators have dubbed Logjam, can be exploited against a subset of servers that support the widely used Diffie-Hellman key exchange, which allows two parties that have never met before to negotiate a secret key even though they’re communicating over an unsecured, public channel.

The weakness is the result of export restrictions the US government mandated in the 1990s on US developers who wanted their software to be used abroad. The regime was established by the Clinton administration so the FBI and other agencies could break the encryption used by foreign entities. Attackers with the ability to monitor the connection between an end user and a Diffie-Hellman-enabled server that supports the export cipher can inject a special payload into the traffic that downgrades encrypted connections to use extremely weak 512-bit key material. Using precomputed data prepared ahead of time, the attackers can then deduce the encryption key negotiated between the two parties.

We’ll likely be dealing with the consequences of those export restrictions for some time to come. The only upside to this is that it is a reminder of what happens when the government meddles in security for its own purposes. Cryptography export restrictions were put in place because the United States government feared it would be unable to spy on foreign entities (and, as it turns out, domestic entities). Now the government, operating under similar concerns for its ability to spy, is discussing mandating the inclusion of back doors in systems that use strong cryptography. If this happens and developers actually comply we’ll have a repeat of what we’re dealing with today. Security vulnerabilities will arise from government mandated cryptography weaknesses that will put the masses at risk.

Whenever the government wishes to involve itself in something the only appropriate answer for the people to give is a loud “No!” This is especially true when it comes to security because the government has a direct interest in ensuring that each and every one of us is vulnerable to its surveillance apparatus.
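The downgrade described in the quoted report depends on two server-side conditions: export-grade DHE cipher suites being enabled, and the size of the Diffie-Hellman group the server uses. As an added example (not code from this post or from the Logjam researchers), the Python below checks both by parsing a PKCS#3 `DH PARAMETERS` PEM block and classifying cipher suite names; the 2048-bit floor is an assumption taken from the researchers' published advice, and the sample parameters are constructed placeholders rather than real primes.

```python
import base64
import re

EXPORT_BITS = 512      # export-grade size named in the Logjam report
MIN_SAFE_BITS = 2048   # assumption: floor taken from the Logjam researchers' advice


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def dh_prime_bits(pem_text):
    """Bit length of the prime p in a PKCS#3 'DH PARAMETERS' PEM block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    return int.from_bytes(p_bytes, "big").bit_length()


def is_export_dhe(suite):
    """True for export-grade ephemeral-DH suites in OpenSSL or IANA naming."""
    s = suite.upper()
    openssl_style = s.startswith("EXP-") and ("EDH" in s or "DHE" in s)
    iana_style = "DHE_" in s and "_EXPORT_" in s
    return openssl_style or iana_style


def audit(suites, dhparam_pem):
    """Return a list of findings; an empty list means neither condition holds."""
    findings = []
    weak = [s for s in suites if is_export_dhe(s)]
    if weak:
        findings.append("export DHE suites enabled: " + ", ".join(weak))
    bits = dh_prime_bits(dhparam_pem)
    if bits <= EXPORT_BITS:
        findings.append(f"{bits}-bit DH group is export-grade")
    elif bits < MIN_SAFE_BITS:
        findings.append(f"{bits}-bit DH group is below {MIN_SAFE_BITS} bits")
    return findings


def _der(tag, body):  # DER encoder, used only to build the constructed samples
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body


def make_sample_pem(bits):
    """Constructed sample: p is an arbitrary odd integer of that size, not a real prime."""
    p = (1 << (bits - 1)) | 1
    p_body = p.to_bytes(bits // 8 + 1, "big")  # leading 0x00 keeps the INTEGER positive
    der = _der(0x30, _der(0x02, p_body) + _der(0x02, b"\x02"))
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + b64 + "-----END DH PARAMETERS-----\n"
```

Calling `audit(suites, pem_text)` with the cipher suites a server offers and the contents of its DH parameter file returns an empty list when neither condition is present.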

State Solutions Versus Market Solutions

Technology is a double-edged sword. One edge improves the lives of people. The other edge enables bad people to do bad things. When you want to see both edges of a technology you need only compare how it is used by the state versus the market. Consider drones. States use drones to spy and drop bombs on people. Meanwhile the market utilizes them to provide better services to individuals. Xcel Energy is planning to utilize drones to inspect power infrastructure:

Xcel Energy says it has approval from federal regulators to use drones to inspect more than 320,000 miles of electric and natural gas infrastructure.

The Federal Aviation Administration says Xcel can use the small unmanned aircraft systems to visually inspect electric transmission and distribution lines, power plants, renewable energy facilities, substations and pipelines.

This will allow more reliable provision of power by identifying flaws in the infrastructure before they become a major problem. It will also allow fast identification of problem sources as aerial inspection of power infrastructure is usually faster than ground inspection. Instead of using drones to terrorize entire nations Xcel Energy is another company that has found yet another way to utilize the technology to enhance the lives of people.

Why Political Activism Won’t Stop Mass Surveillance

Time and again people ask me why I don’t involve myself in political activism to stop mass surveillance. My answer is doing so is pointless because no matter how hard you beg the state it will never handicap itself. Case in point, the Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-collection and Online Monitoring (USA FREEDOM) Act (I hope a staffer was paid a nice bonus for coming up with that acronym). It has been hailed as a solution to the National Security Agency’s (NSA) mass surveillance practices. However the bill, as so often is the case, does the opposite of what its name implies and advocates claim. Instead of curtailing NSA surveillance the bill codifies it:

After only one hour of floor debate, and no allowed amendments, the House of Representatives today passed legislation that seeks to address the NSA’s controversial surveillance of American communications. However, opponents believe it may give brand new authorization to the U.S. government to conduct domestic dragnets.

[…]

However, the legislation may not end bulk surveillance and in fact could codify the ability of the government to conduct dragnet data collection.

“We’re taking something that was not permitted under regular section 215 … and now we’re creating a whole apparatus to provide for it,” Rep. Justin Amash, R-Mich., said on Tuesday night during a House Rules Committee proceeding.

“The language does limit the amount of bulk collection, it doesn’t end bulk collection,” Rep. Amash said, arguing that the problematic “specific selection term” allows for “very large data collection, potentially in the hundreds of thousands of people, maybe even millions.”

In a statement posted to Facebook ahead of the vote, Rep. Amash said the legislation “falls woefully short of reining in the mass collection of Americans’ data, and it takes us a step in the wrong direction by specifically authorizing such collection in violation of the Fourth Amendment to the Constitution.”

Political activism can’t solve problems. At most it can be used to convince the state to rewrite its rules, and then only temporarily, so that it can continue doing the same thing but claim it isn’t. The only way widespread surveillance can be curtailed is if every one of us begins encrypting all of our communications. Even if some of us utilize weak cryptography it will still increase the overall cost of operating the system. Clear text requires no resources to read. Weak cryptography still requires some resources to identify the algorithm(s) used and to reverse them. Furthermore the text of any encrypted communication is unknown to the eavesdropper until it’s unencrypted. Strong cryptographic tools, on the other hand, are practically (as in the time required is longer than the information’s usefulness) impossible for spies to crack.

Stop begging the state to neuter its spying capabilities and take back your privacy. A good place to start is to begin utilizing tools that allow secure communications.

Minneapolis’ Finest Mace a 10 Year-Old

Officer safety is a huge concern for the Minneapolis Police Department (MPD). When you’re a cop you can never be too careful. For example, if you come across a 10 year-old boy at a protest can you be certain that kid isn’t going to rough you up? Of course not! That’s why you need to mace him:

Minneapolis authorities launched an investigation into police response during a downtown street protest that turned unruly Wednesday night in which chemical spray used by officers hit a 10-year-old boy.

Police Chief Janeé Harteau and Mayor Betsy Hodges called a news conference Thursday asking witnesses to come forward.

“It is critical for everyone involved that we complete a thorough investigation, so I need the public’s help,” the chief said. “We must have the full set of facts.”

I’m betting this is going to be another case of “we investigated ourselves and found that we did nothing wrong.” But this shows that the officers of the MPD are either so pathetic that they’re afraid of a 10 year-old boy or are so sadistic that they like to cause children great deals of pain.