NIST Publishes New Password Best Practices

g’70A32KsZQ8H2n0JkJ__rfy[JsFzJ(wN(y1,F’Ou1kH(TQcSyNYs”3CSXYPbXQm

That looks like a secure password, right? It is. However, there’s no way I could possibly type that in accurately or remember it. Passwords that cannot be typed or remembered aren’t a big deal for online services if you use a password manager. They are a big deal for passwords you have to type in, like the one to log into your computer. Unfortunately, conventional password wisdom has it that users should be required to have complex passwords instead of memorable passwords. The National Institute of Standards and Technology (NIST) recently published changes to its password best practices. Its changes reflect conventional wisdom when it comes to password security:

Among other things, they make three important suggestions when it comes to passwords:

  1. Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don’t help that much. It’s better to allow people to use pass phrases.
  2. Stop it with password expiration. That was an old idea for an old way we used computers. Today, don’t make people change their passwords unless there’s indication of compromise.
  3. Let people use password managers. This is how we deal with all the passwords we need.

The good news here isn’t so much that NIST published these recommendations but that system administrators are willing to follow NIST’s guidelines. None of the changes published by NIST are new; these practices have been advocated by security professionals for some time now. Unfortunately, many, if not most, system administrators have kept the old guidelines in place, which has led to users having to come up with passwords that are complex enough to satisfy password policy requirements but simple enough to remember for the several months that password is valid for. Hopefully NIST publishing these changes will convince those administrators of the errors of their ways.

Defense Distributed Enters the Handgun Market

Defense Distributed, Cody Wilson’s enterprise that proves the fallacy of gun control, released the Ghost Gunner, a computer numerically controlled (CNC) machine that specializes in milling AR-15 lower receivers, to the chagrin of gun control advocates. The Ghost Gunner made it simple for individuals with relatively little skill to manufacture an AR-15 lower receiver, the part of the gun that is serialized and therefore regulated. Now Defense Distributed has entered the handgun market:

Today, that scope widens: Wilson and Defense Distributed are now in the handgun business, too.

Defense Distributed will offer two of the most common handgun “80 percent” receivers—for Glocks and single-stack M1911s—for interested customers to complete using the Ghost Gunner. “What we’ve done for ARs we’re going to do for handguns now,” Wilson tells Ars. Defense Distributed’s store now carries new fixtures, frames, and tooling to create these two handguns, in addition to its previously offered AR-15 lower receivers and jig sets.

Building a firearm isn’t rocket science. Anybody with basic machining knowledge and competency in firearm design can do it. This fact has always made gun control a pipe dream. But as technology improves so does the ease of manufacturing. CNC machines reduced the machining knowledge necessary to manufacture a great many goods, which made controlling those goods even less feasible.

I’m sure gun control advocates will demand that the Ghost Gunner be prohibited, but it’s nothing more than a specialized CNC machine and there is no way gun control advocates are going to get CNC machines banned. Likewise, CNC machines will continue to drop in price and increase in capabilities. In a few years it will be easy to pick up a general CNC machine that is as affordable as the Ghost Gunner and even more capable.

Gun control is effectively dead. Technology killed it just as it ultimately kills all restrictions.

Catalonia Claiming to Declare Independence in a Matter of Days

It seems that Spain’s clubs failed to break the spirits of Catalans. Even though Spanish law enforcers beat down over 800 people, Catalonia is still planning to declare its independence:

Catalonia will declare independence from Spain in a matter of days, the leader of the autonomous region has told the BBC.

In his first interview since a disputed vote on Sunday, Carles Puigdemont said his government would “act at the end of this week or the beginning of next”.

If the Catalan government follows through with its promise, Spain will have to either acquiesce or use force. Judging by its response to the vote, I’m led to believe that Spain isn’t planning to acquiesce. Needless to say, this could escalate into a civil war. Hopefully Spain will recognize the fact that it has no right to claim ownership of Catalonia or its people and step aside. But history has shown that few governments will recognize or admit to their illegitimacy.

None of Your Business

California may be the second state to allow denizens to list “X” as their gender on government documents. I first heard about this when a self-described libertarian posted it in outrage. This particular libertarian is socially conservative so I can’t say that I was surprised that he was upset about this. However, I appreciate this change and believe many other libertarians should:

Libertarians—even those just fine with the gender binary and their place in it—should celebrate the change. It allows people more choice about how to define themselves in a way that is noncoercive and decreases government control.

Should D.C. ever give residents the option to essentially delist their sex/gender from their driver’s license, I would do it. (At least, you know, the next time my license is up for renewal or if there was some sort of online option; I’m not crazy enough to subject myself to the Department of Motor Vehicles any more than necessary.) And I would hope anarchist, libertarian, and limited-government-supporting types of any sex or gender might do the same.

There is no good reason the state, its representatives, and the countless people tasked with checking IDs for one reason or another need to know every individual’s gender or sex.

Even socially conservative libertarians should be able to appreciate the ability to opt out of having information printed on government documentation. There’s no reason why government documents should list a gender. Ideally there wouldn’t be any government documents but if there are going to be such documents then they should contain, at most, a unique identifier and maybe a picture (only because so many services want to see a picture ID). When you’re pulled over, for example, for driving faster than the arbitrarily selected limit, the officer doesn’t need to know anything about you. They only need a unique identifier to give the person in charge of mailing the extortion fee so they can look up where to send the ticket.

Secession is Good for the Soul

I’ve written about Catalonia’s drive for independence from Spain on several occasions. But Catalonia isn’t the only region trying to break away from a larger government. The Kurds in northern Iraq are also trying to break away from Iraq:

People living in northern Iraq voted overwhelmingly in favour of independence for the Kurdistan Region in Monday’s controversial referendum.

The electoral commission said 92% of the 3.3 million Kurds and non-Kurds who cast their ballots supported secession.

The announcement came despite a last-minute appeal for the result to be “cancelled” from Iraq’s prime minister.

As with every vote related to independence, this vote isn’t binding. But it does show the amount of support in northern Iraq for independence, which will hopefully give proponents for secession more motivation and hope.

Rejoice for Mozilla is Trying Again

Some time ago I switched from Firefox to Chrome. While I far prefer Firefox in many regards, its performance had become so bad that I couldn’t realistically use the browser anymore (the entire browser would grind to a halt if, for example, I had Amazon open in a tab). At the time it seemed like Mozilla’s only mission was to copy as much of Chrome’s user interface as possible but not bother with the important parts that make Chrome desirable.

It seems like the people at Mozilla finally realized that their strategy wasn’t a winning one, because they finally put Mozilla Quantum in beta. I’m happy to say that the beta version of Firefox is fast. Damned fast. While shifting to a multiprocess architecture in the current release of Firefox did help with performance, the changes made in Quantum have significantly boosted performance. On top of that, Mozilla has finally enabled U2F in Firefox’s nightly builds, which means we should see U2F support in the near future.

I’m glad to see that Mozilla is back in the game. While Chrome is a very good browser, I want to keep my Google footprint as small as possible because I don’t like its business model of surveilling users. I also don’t want to see a return to the dark days where one browser, at the time Internet Explorer, held an almost unshakeable monopoly.

APFS and FileVault

Apple released macOS High Sierra yesterday. Amongst other changes, High Sierra includes the new Apple File System (APFS), which replaces the decades-old Hierarchical File System (HFS). When you install High Sierra, at least if your boot drive is a Solid State Drive (SSD), the file system is supposed to be automatically converted to APFS. Although Apple’s website says that FileVault encrypted drives will be automatically converted, it didn’t give any details.

I installed High Sierra on two of my systems last night. One was a 2012 MacBook Pro and the other was a 2010 Mac Mini. Both contain Crucial SSDs. Since they’re third-party SSDs I wasn’t sure if High Sierra would automatically convert them. I’m happy to report that both were converted automatically. I’m also happy to report that FileVault didn’t throw a wrench into the conversion. I was worried that converting a FileVault encrypted drive would require copying files from one encrypted container to a new encrypted container but that wasn’t necessary.

If you’re installing High Sierra on a FileVault encrypted drive, the conversion from HFS to APFS won’t take a noticeably greater amount of time.

NSA Told to Sod Off

After the National Security Agency (NSA) was caught manipulating cryptographic algorithms to enhance its surveillance abilities, trust in the agency fell to an all-time low. This distrust led the International Standards Organization (ISO) to reject two encryption algorithms recently submitted by the NSA:

SAN FRANCISCO (Reuters) – An international group of cryptography experts has forced the U.S. National Security Agency to back down over two data encryption techniques it wanted set as global industry standards, reflecting deep mistrust among close U.S. allies.

In interviews and emails seen by Reuters, academic and industry experts from countries including Germany, Japan and Israel worried that the U.S. electronic spy agency was pushing the new techniques not because they were good encryption tools, but because it knew how to break them.

The NSA has now agreed to drop all but the most powerful versions of the techniques – those least likely to be vulnerable to hacks – to address the concerns.

The dispute, which has played out in a series of closed-door meetings around the world over the past three years and has not been previously reported, turns on whether the International Organization of Standards should approve two NSA data encryption techniques, known as Simon and Speck.

This is an appropriate response. The NSA has a track record of manipulating standards organizations in order to make its surveillance apparatus more effective. In security trust is everything. Since the NSA has proven itself to be untrustworthy, it only makes sense to reject any proposals from the agency.

iOS 11 Makes It More Difficult for Police to Access Your Device

One reason I prefer iOS over Android is because Apple has invested more heavily in security than Google has. Part of this comes from the fact that Apple controls both the hardware and software, so it can implement hardware security features such as its Secure Enclave chip, whereas the hardware security features available on an Android device are largely dependent on the manufacturer. However, even the best security models have holes in them.

Some of those holes are due to improperly implemented features while others are due to legalities. For example, here in the United States law enforcers have a lot of leeway in what they can do. One thing that has become more popular, especially at the border, is the use of devices that copy data from smartphones. This has been relatively easy to do on Apple devices if the user unlocks the screen, because trusting a new connection has only required the tapping of a button. That will change in iOS 11:

For the mobile forensic specialist, one of the most compelling changes in iOS 11 is the new way to establish a trust relationship between the iOS device and the computer. In previous versions of the system (which includes iOS 8.x through iOS 10.x), establishing a trusted relationship only required confirming the “Trust this computer?” prompt on the device screen. Notably, one still had to unlock the device in order to access the prompt; however, fingerprint unlock would work perfectly for this purpose. iOS 11 modifies this behaviour by requiring an additional second step after the initial “Trust this computer?” prompt has been confirmed. During the second step, the device will ask to enter the passcode in order to complete pairing. This in turn requires forensic experts to know the passcode; Touch ID alone can no longer be used to unlock the device and perform logical acquisition.

Moreover, Apple has also included a way for users to quickly disable the fingerprint sensor:

In iOS 11, Apple has added a new emergency feature designed to give users an intuitive way to call emergency by simply pressing the Power button five times in rapid succession. As it turns out, this SOS mode not only allows quickly calling an emergency number, but also disables Touch ID.

These two features appear to be aimed at keeping law enforcers accountable. Under the legal framework of the United States, a police officer can compel you to provide your fingerprint to unlock your device but compelling you to provide a password is still murky territory. Some courts have ruled that law enforcers can compel you to provide your password while others have not. This murky legal territory offers far better protection than the universal ruling that you can be compelled to provide your fingerprint.

Even if you are unable to disable the fingerprint sensor on your phone, law enforcers will still be unable to copy the data on your phone without your password.

Plan Ahead

Planning ahead can save you a great deal of grief, frustration, and money:

Two things are true of all festivals: the security is super tight and the booze is very expensive.

[…]

One guy from New York named Alex found an ingenious way to get past these two road blocks. Three weeks before the Electric Zoo festival in New York City, Alex travelled to Randall’s Island, where the event is located, with a bottle of Vodka in arm.

He filled a reusable bottle with the Vodka and using a small shovel that he brought with him, Alex and his friends buried the bottle of booze in the ground a long time before the festival crew arrived to construct the stages for the event.

Alex is a real American hero (I know this story could be fake but I want it to be true so I’m going to believe it is).

On a more serious note, this tactic could also work for smuggling weapons into outdoor festivals. I wonder how many security providers have considered such a threat model. It’s also a difficult threat model to defend against since a security team would have to run metal detectors across the entire grounds and that would only offer protection against metallic weapons.