Your Government Doesn’t Love You – Page 90

Another Day, Another Attack Against Cryptography Made Possible By Government Meddling

This week another vulnerability was discovered in the OpenSSL library. The vulnerability, given the idiotic marketing name Decrypting RSA with Obsolete and Weakened eNcryption (DROWN), allows an attacker to discover a server’s TLS session keys if it has SSLv2 enabled. Like FREAK and Logjam before it, DROWN was made possible by government meddling in cryptography:

For the third time in less than a year, security researchers have found a method to attack encrypted Web communications, a direct result of weaknesses that were mandated two decades ago by the U.S. government.

These new attacks show the dangers of deliberately weakening security protocols by introducing backdoors or other access mechanisms like those that law enforcement agencies and the intelligence community are calling for today.

[…]

Dubbed DROWN, this attack can be used to decrypt TLS connections between a user and a server if that server supports the old SSL version 2 protocol or shares its private key with another server that does. The attack is possible because of a fundamental weakness in the SSLv2 protocol that also relates to export-grade cryptography.

The U.S. government deliberately weakened three kinds of cryptographic primitives in the 1990s — RSA encryption, Diffie-Hellman key exchange, and symmetric ciphers — and all three have put the security of the Internet at risk decades later, the researchers who developed DROWN said on a website that explains the attack.

We’d all be safer if the government didn’t meddle in mathematical affairs.

This exploit also shows the dangers of supporting legacy protocols. While there may exist users that have software so old it doesn’t support TLS or even SSLv3, supporting them creates a hazard to every other user. There’s a point where you have to tell that user of ancient software to either upgrade to modern software or stop using the service. From a business standpoint, potentially losing one customer due to not having legacy support is far better than losing a lot of customers due to their trust in your company being lost because of a major security compromise.

FBI Asks Apple, “What If We Do What We’re Planning To Do?”

On Tuesday there was a congressional hearing regarding encryption. I didn’t watch it because I had better shit to do. But I’ve been reading through some of the highlights and the hearing was like most hearings. A handful of competent individuals were brought in to testify in front of a group of clueless idiots who are somehow allowed to pass policies. What was especially funny to me was a comment made by the director of the Federal Bureau of Investigations (FBI), James Comey (which should really be spelled James Commie):

When Florida Congressman Ted Deutch asked Comey if the potential repercussions of such a back door falling into the wrongs hands were of valid concern, Comey responded by posing a hypothetical situation in which Apple’s own engineers were kidnapped.

“Slippery slope arguments are always attractive, but I suppose you could say, ‘Well, Apple’s engineers have this in their head, what if they’re kidnapped and forced to write software?'” Comey said before the committee. “That’s where the judge has to sort this out, between good lawyers on both sides making all reasonable arguments.”

Comey likely made the comment to highlight how Apple is capable of creating a back door to break the iPhone’s encryption, a fact the company has admitted.

Comey should have said, “Well, Apple’s engineers have this in their head, what will happen when my agency kidnaps them and forces them to write the backdoor?” Because that’s exactly what his agency is trying to accomplish in the San Bernardino case. The FBI wants the court to order Apple to write a custom version of iOS that would bypass several security features and brute force the encryption key. If the court does issue such an order and Apple doesn’t obey some federal goons will kidnap members of Apple (likely Tim Cook). Of course, the FBI couches its criminal activities in euphemisms such as “arrest” to make them appear legitimate.

But what would happen? As it turns out, not much. Kidnapping one of Apple’s engineers wouldn’t give access to the company’s software signing key. Without that key any software the engineer was forced to write wouldn’t load onto an iOS device.

The Busses Have Ears

Surveillance is pervasive in our society. You can hardly walk down a street without some nosey camera recording your movements or ride public transportation without some snoopy microphone recording your conversation:

MTA began using recording devices inside some of its buses in 2012, without seeking legislative approval. Nearly 500 of its fleet of 750 buses now have audio recording capabilities. Officials say the devices can capture important information in cases of driver error or an attack or altercation on a bus.

They can also record conversations so they can later be requested by law enforcers looking to nail somebody to a cross. The dangers of pervasive surveillance are almost always understated by statists. Surveillance fetishists always justify their spying by claiming it’ll protect the children, thwart terrorism, or otherwise help combat some overblown concern. What they leave out is that the data is also available to prosecute nonviolent individuals.

Imagine if two people were making a peaceful drug transaction on one of these surveillance buses. Without the microphones in place the transaction would probably go unnoticed. But because the data exists it would only take one law enforcer or concerned citizen to listen to it to turn that previously peaceful transaction into a violent home raid.

Surveillance is dangerous precisely because law enforcers are willing to use any collected data to ruthlessly enforce victimless crimes. That’s a reality that is never mentioned by the surveillance state’s proponents.

Because Punishing The Victim Makes Sense

Hypothetically let’s say a student stole a cell phone from their teacher. The teacher, being an average person and almost entirely ignorant on security, didn’t set a lock code. Because there was no lock code the student was able to log in. After logging in the student found embarrassing pictures of the teacher and sent them to friends.

In this situation would you punish the teacher or the student? Although not setting a lock code on your phone isn’t a wise decision there is no victim involved when somebody is ignorant. There is, however, a victim when a theft occurs. That being the case, I would argue the student should be punished but the teacher should not. Of course, that’s not how things work in our society:

A South Carolina high-school teacher may be charged with contributing to the delinquency of a minor after a student stole her cellphone and distributed partially nude photos from it around the school. Administrators say she should have password-protected the phone.

[…]

One might think that the student would at least face disciplinary action from the school, if not criminal charges of some sort. But thus far, the school has not moved to hold the 16-year-old student accountable at all. Arthur, however, is another story. After teaching in Union County for 13 years, she resigned when district officials gave her the choice to do so immediately or start the firing process.

Interim superintendent David Eubanks told The State that Arthur might also be charged with contributing to the delinquency of a minor. “I think we have a right to privacy, but when we take inappropriate information or pictures, we had best make sure it remains private,” he said.

I would argue that this is the inevitable result of combining zero tolerance policies, a total lack of critical thinking when “it’s for the children”, and having a legal system instead of a justice system.

The only victim here was the teacher because her phone was stolen. But since children saw her nude photos the fact that she was the victim of theft and didn’t send the photos is ignored. To make matters worse, the thief is left unpunished because, well, reasons.

So here we are, continuing to wallow in a society that punishes victims and lets criminals go unscathed.

Brazilian Government Unable To Break WhatsApp’s Encryption, Retaliates By Kidnapping A Facebook Employee

This may be a preview of things to come here. The Brazilian government is a bit peeved that it is unable to bypass WhatsApp’s encryption. Furthermore, it has been unable to convince Facebook, the owner of WhatsApp, to include a backdoor in the software. In what appears to be an act of retaliation the government has decided to harass Facebook by kidnapping one of its employees:

The arrest was made at the request of officials from the state of Sergipe, in Brazil’s north-east. In a statement, the federal police said Facebook/WhatsApp had repeatedly failed to comply with court orders relating to an organized crime and drug-trafficking investigation.

[…]

WhatsApp said in a statement that it was disappointed at the arrest and is unable to provide information it does not have, due to the architecture of its service. “We cooperated to the full extent of our ability in this case and while we respect the important job of law enforcement, we strongly disagree with its decision,” the unit said.

I wish companies would stop including all the nonsense about understanding the important job of law enforcement. Enforcing laws isn’t important. Providing justice to victims is important but that’s not what law enforcers primarily do.

What makes this kidnapping even weirder is that WhatsApp is apparently a separate operational entity from Facebook so the Brazilian government didn’t even kidnap a person who is in any way responsible for the app:

Facebook issued a distinct statement, noting that WhatsApp is operationally separate from the mothership, making the arrest of a Facebook exec “extreme and disproportionate.”

This is what it looks like when a government throws a temper tantrum. Hopefully the Brazilian government will release the poor schmuck it kidnapped. Although it wouldn’t surprise me (OK, it would surprise me a little bit) if it decided to threaten to kill him if Facebook didn’t give in to its demands. Either way, if I were Facebook I’d strongly consider moving all operations out of Brazil. Operating in that country has obviously become a liability.

When The State Isn’t Wrecking The Technology Industry It’s Begging It For Help

Do you know what’s especially funny about the fight between Apple and the Federal Bureau of Investigations (FBI)? While one part of the State is trying to destroy computer security another part is begging for help:

Carter will visit a Pentagon outpost in the heart of Silicon Valley, speak at a cybersecurity conference in San Francisco and go to Microsoft and Amazon headquarters in Seattle to highlight the risks of cyberattacks and the need for greater digital cooperation with the Pentagon.

His visit to the West Coast — his third in less than a year, more than he’s made to Kabul or Baghdad — marks the latest effort by the Obama administration to recruit telecommunications, social media and other technology companies as partners in national security operations despite deep suspicion in Silicon Valley about government surveillance.

Statism in a nutshell. When computer security stands in the way of the State’s power it attempts to crush it mercilessly. But when it needs computer security to solidify and maintain its power it comes crawling back to the very people it tried to execute only a short while ago.

In the end the State wants the best of both worlds. It wants a world where its networks and devices are secure but nobody else’s are. Why should security professionals provide the State any assistance when it constantly tries to bite their hands?

ATF Says Certain Medical Patients Prohibited From Owing Firearms

Should people who require certain medications lose the right to self-defense? According to the Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF) they should:

What has forged this quirky convergence of advocacy — tokers, meet shooters — is a September letter from the federal Bureau of Alcohol, Tobacco, Firearms and Explosives saying it is illegal for medical-marijuana patients to own firearms.

Everybody who buys a gun must fill out ATF Form 4473, which asks: “Are you an unlawful user of, or addicted to, marijuana or any depressant, stimulant, narcotic drug, or any other controlled substance?”

Answer yes, and you don’t get the gun. Falsely answer no, and you’ve just committed a crime.

The ATF’s letter, sent out Sept. 21, clarifies that the bureau includes medical-marijuana patients in that group of prohibited buyers because their marijuana use is inherently illegal federally.

The absurdity, of course, is that the 4473 form asks if you are an unlawful user. People who have a medical exemption card are lawfully using cannabis and therefore should not be prohibited by law.

More importantly though, the fact that somebody can lose the right to defend themselves because they need cannabis is ridiculous. Cannabis is far safer than most other drugs including alcohol (which you can use and still legally own a firearm), which is responsible for a great deal of poor life choices.

There’s no valid reason to prohibit somebody from owning firearms just because they use certain drugs. So long as people don’t use their firearms while under the influence of drugs there is no real danger. And many drugs have no side effects that make firearm usage dangerous to the users or bystanders.

This is yet another example of a policy put forth by the ATF that demonstrates the agency is interested in restricting firearm ownership.

Los Angeles Teaching Homeless People To Not Be Homeless By Stealing Their Homes

Governments hate the homeless. Some people find this surprising but only because they don’t understand the nature of the State. The State exists on and for plunder. Every law it creates is created to further its plundering. That being the case, people who have nothing to take are effectively worthless to the State. Because rounding them up and killing them wouldn’t go over well with the general populace local municipalities have opted for another solution to their homeless “problem.” They try to make the lives of homeless individuals so miserable that they go elsewhere and becomes another municipality’s problem.

Los Angeles may be sinking to a new low in this endevour though. Recently city officials have begun teaching the homeless a lesson about being homeless by taking their homes:

Escalating their battle to stamp out an unprecedented spread of street encampments, city officials have begun seizing tiny houses from homeless people living on freeway overpasses in South Los Angeles.

Three of the gaily painted wooden houses, which come with solar-powered lights and American flags, were confiscated earlier this month and seven more are planned for impound Thursday, a Bureau of Sanitation spokeswoman said.

As is always the case in these situations, city officials are citing their own bureaucratic nonsense. These thefts are being perpetrated under the guise of sanitation. City officials also, as it always the case, claimed to be offering a better solution without offering any other solution:

Mayor Eric Garcetti’s spokeswoman, Connie Llanos, said he is committed to getting homeless people into permanent and not makeshift housing.

“Unfortunately, these structures can be hazardous to the individuals living in them and to the community at large,” Llanos said in a statement on the mayor’s behalf.

“When the city took the houses, they didn’t offer housing, they straight kicked them out,” Summers said.

What Mr. Garcetti means by permanent housing is getting the homeless out of the city so they’re no longer his problem. Maybe the homeless population of Los Angeles should consider seizing some of the government’s buildings. They’re technically unowned (since the State, being a criminal organization that has acquired everything in its possession through theft, cannot legitimately own property) and would provide permanent housing.

Due Process Was A Pain In The Ass Anyways

I like to believe that a previous age existed where due process was value. If such an age existed it is obvious long since gone. More and more people seem willing to toss due process aside whenever it negatively impacts their ideological opposites. Throwing out due process is done in many ways. Some of those ways are as blatant as denying people rights based on where they were born. Other ways are more subtle, such as creating a new permit in order to punish an unreleased action:

As it stands, cops who suspect someone of prostitution must actually prove it before arresting them. But that’s a lot of work. So Eau Claire, Wisconsin, officials have a new plan: make non-sexual commercial companionship illegal without the proper paperwork.

To this end, the Eau Claire City Council is considering an ordinance that would require anyone advertising as an escort to get an occupational license from the government.

[…]

But because being an escort does not necessarily mean one is engaged in prostitution, police can’t just go around arresting anyone who advertises as an escort. Not yet, anyway. Ostensibly, cops must still interact with the individual and get them to agree to some sort of sexual activity for a fee. As Eau Claire Assistant City Attorney Douglas Hoffer put it, police are forced to do “intensive investigations” and get their targets to use “explicit language” in order to make charges stick.

Now city officials want to change that. Under their proposed legislation, escorts and escort businesses would have to be licensed by the city and subject to extensive regulations. Any escort operating without a license would be subject to a fine of up to $5,000.

But that’s not all: the proposed law would also punish customers who contract with unlicensed escorts. Hoffner said the idea is to end “demand” for prostitution. Anyone attempting to hire an unlicensed escort could also be charged up to $5,000, as well.

As the article notes, police cannot go after any escort business because many aren’t offering illegal services. This means the police have to effectively create a case with a sting operation or find evidence that a law was broken (but not evidence of a crime being committed since crimes require victims and voluntary prostration involves no victims). When situations like this arise it’s common for the local authorities to create some kind of permit requirement.

With permit requirements in place a police officer can arrest an escort and their customer on the grounds of the escort not having the proper paperwork. It’s a much easier violation to prove than prostitution. In fact the Eau Claire City Attorney admitted to exactly that:

Said Eau Claire City Attorney Stephen Nick: “This is another means, as opposed to actually having evidence of an act of prostitution, pandering, or offering a sexual act for money, so we can follow up” on sex-work suspects.

Cases like this should receive more publicity. It’s not enough for people to only get up in arms over overt violations of due process. People must learn about the more subtle methods as well.

It’s Not Just Once iPhone The FBI Wants Unlocked

There are people siding with the Federal Bureau of Investigations (FBI) in its current court battle with Apple. These misguided souls are claiming, amongst other nonsensical things, that the FBI only wants a single iPhone unlocked. They believe that it’s somehow OK for Apple to open Pandora’s box by releasing a signed firmware with a backdoor in it so long as it’s only for unlocking a single iPhone. Unfortunately, as those of us siding with Apple have been pointing out, this case isn’t about a single iPhone. The FBI wants a court precedence so it can coerce Apple into unlocking other iPhones:

In addition to the iPhone used by one of the San Bernardino shooters, the US government is pursuing court orders to force Apple to help bypass the security passcodes of “about a dozen” other iPhones, the Wall Street Journal reports. The other cases don’t involve terror charges, the Journal’s sources say, but prosecutors involved have also sought to use the same 220-year-old law — the All Writs Act of 1789 — to access the phones in question.

By setting a precedence in the San Bernardino case the FBI would have grounds to coerce Apple, and other device manufacturers, to unlock other devices. We know the FBI already has a dozen or so phones in the pipeline and it will certainly have more in the coming years.

Besides the precedence there is also the problem of the firmware itself. If Apple creates a signed firmware that disables iOS security features and automates brute forcing passwords it could be installed on other iPhones (at least other iPhone 5Cs but possibly other iPhone). With this firmware in hand the FBI wouldn’t even need to coerce Apple into helping each time, the agency could simply install the firmware on any compatible devices itself. This is why Apple believes creating such a firmware is too dangerous.

You can never believe the government when it claims to be taking an exceptional measure just once. Those exceptional measures always become standard practice.