A Geek With Guns

Chronicling the depravities of the State.

Archive for the ‘You’re Doing it Wrong’ tag

A Grim Start to the Week

without comments

This week started on a low note as far as computer security is concerned. The first bit of news, which was also the least surprising, was that yet another vulnerability was discovered in Adobe’s Flash Player and was being actively exploited:

TORONTO (Reuters) – Adobe Systems Inc (ADBE.O) warned on Monday that hackers are exploiting vulnerabilities in its Flash multimedia software platform in web browsers, and the company urged users to quickly patch their systems to prevent such attacks.

[…]

Adobe said it had released a Flash security update to fix the problem, which affected Google’s Chrome and Microsoft’s Edge and Internet Explorer browsers as well as desktop versions.

If you’re in a position where you can’t possibly live without Flash, install the update. If you, like most people, can live without Flash, uninstall it if you haven’t already.

The next bit of bad security news was made possible by Infineon:

A crippling flaw in a widely used code library has fatally undermined the security of millions of encryption keys used in some of the highest-stakes settings, including national identity cards, software- and application-signing, and trusted platform modules protecting government and corporate computers.

The weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. The five-year-old flaw is also troubling because it’s located in code that complies with two internationally recognized security certification standards that are binding on many governments, contractors, and companies around the world. The code library was developed by German chipmaker Infineon and has been generating weak keys since 2012 at the latest.

This flaw impacts a lot of security devices including Estonia’s electronic identification cards, numerous Trusted Platform Modules (TPM), and YubiKeys shipped before June 6, 2017. In the case of YubiKeys, the flaw only impacts Rivest–Shamir–Adleman (RSA) keys generated on the devices themselves. Keys generated elsewhere and uploaded to the device should be fine (assuming they weren’t generated with a device that uses the flawed Infineon library). Moreover, other YubiKey functionality, such as Universal 2nd Factor (U2F) authentication, remains unaffected. If your computer has a TPM, check to see if there is a firmware update available for it. If you have an impacted YubiKey, Yubico has a replacement program.
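If you want to check whether an existing RSA public key came out of the flawed generator, here is an added example (not code from this post, Infineon or Yubico): it implements the public fingerprint test the researchers who found the flaw described, which inspects only the modulus and recovers nothing. It assumes the modulus has already been extracted as an integer (for example from a certificate), and the "affected" sample is constructed to have the flawed key structure rather than being a real key.

```python
# Added example: fingerprint test for RSA moduli produced by the flawed Infineon
# library. Primes from the affected generator have the form
# p = k*M + (65537^a mod M), where M is a product of small primes, so the modulus
# N = p*q satisfies N mod p_i in the subgroup generated by 65537 modulo every
# small prime p_i dividing M. A normally generated RSA modulus fails this test
# with overwhelming probability. Only the public modulus is inspected.

GENERATOR = 65537

# Odd primes up to 167 (the first 39 primes, minus 2, since N is odd). These
# divide M for every affected key size.
SMALL_PRIMES = [
    3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71,
    73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151,
    157, 163, 167,
]


def subgroup(p):
    """Residues 65537^k mod p for all k: the cyclic subgroup generated by 65537."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * GENERATOR) % p
    return seen


SUBGROUPS = {p: subgroup(p) for p in SMALL_PRIMES}


def has_roca_fingerprint(n):
    """True if modulus n matches the structure of the flawed generator's output."""
    return all(n % p in SUBGROUPS[p] for p in SMALL_PRIMES)


def constructed_vulnerable_modulus(k1=12345, a=7, k2=67890, b=11):
    """CONSTRUCTED sample with the affected structure p = k*M + 65537^a mod M.
    The factors are not checked for primality; this only exercises the test."""
    m = 1
    for p in SMALL_PRIMES:
        m *= p
    p = k1 * m + pow(GENERATOR, a, m)
    q = k2 * m + pow(GENERATOR, b, m)
    return p * q


# Constructed 64-bit modulus from two primes near 2^32, NOT from the flawed generator.
ORDINARY_MODULUS = 4294967291 * 4294967279

if __name__ == "__main__":
    print("constructed affected-style modulus flagged:",
          has_roca_fingerprint(constructed_vulnerable_modulus()))
    print("ordinary modulus flagged:", has_roca_fingerprint(ORDINARY_MODULUS))
```

A key that is flagged should be replaced and any certificates built on it revoked; a key that is not flagged was not produced by the affected generator.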

The biggest security news though was the announcement of a new attack against Wi-Fi Protected Access (WPA), the security protocol used to secure wireless networks. The new attack, labeled key reinstallation attacks (KRACKs, get it? I wonder how long it took the researchers to come up with that one.), exploits a flaw in the WPA protocol itself:

The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC, or contact your vendor.

Fortunately, KRACKs can be mitigated by backwards compatible client and router software updates. Microsoft already released a patch for Windows 10 on October 10th. macOS and iOS have features that make them more difficult to exploit but a complete fix is apparently in the pipeline. Google has stated that it will release a patch for Android starting with its Pixel devices. Whether or not your specific Android device will receive a patch and when will depend on the manufacturer. I suspect some manufacturers will be quick to release a patch while some won’t release a patch at all. Pay attention to which manufacturers release a patch in a timely manner. If a manufacturer doesn’t release a patch for this or doesn’t release it in a timely manner, avoid buying their devices in the future.

Written by Christopher Burg

October 17th, 2017 at 10:00 am

With “Friends” Like These

with 2 comments

The National Rifle Association (NRA) has a history of supporting gun rights when it’s convenient but throwing gun rights under the bus when it’s politically expedient. That being the case, it probably came as no surprise that the organization expressed support for legal restrictions on bump stocks:

The National Rifle Association has called for “additional regulations” on bump-stocks, a rapid fire device used by the Las Vegas massacre gunman.

The group said: “Devices designed to allow semi-automatic rifles to function like fully-automatic rifles should be subject to additional regulations.”

It would have been nice if the NRA would have at least waited until the fight began before capitulating. Not surprisingly, the Republicans have expressed a willingness to implement such a restriction. Despite their rhetoric, like the NRA, Republicans have a tendency to support gun control whenever opposing it becomes politically inconvenient.

Written by Christopher Burg

October 9th, 2017 at 10:30 am

Communication Breakdown

without comments

When you’re filming on location it’s wise to contact the local law enforcers to let them know. It’s also a smart idea to request an officer onsite during the filming. Why would I suggest voluntarily interacting with the police? Because, in the case of on location filming, it could avoid a situation like this:

Police in Indiana fired a gunshot at a man who they thought was a thief on Tuesday, but was actually just an actor playing one.

The incident occurred after Indiana State Police responded to the scene of a possible robbery at Backstep Brewing Co. in Crawfordsville, Indiana, according to Fox 8 Cleveland.

When actor Jim Duff exited the building, wearing a ski mask and holding a gun, police reportedly thought he was the suspect they were looking for.

My guess is that either the film crew didn’t alert the local law enforcers that they would be filming there or they did inform the local law enforcers but that information wasn’t communicated down the chain. Having a local law enforcer present could have prevented this since, when the other officers arrived at the scene, a known individual could have informed them that the “robbery” was being shot for a movie.

There are no absolute rules in the universe. While I normally recommend against voluntarily interacting with law enforcers, there are circumstances where doing so may be the less bad option.

Written by Christopher Burg

September 29th, 2017 at 10:00 am

I Disagree

with 4 comments

It’s no secret that the people living in the United States of America are becoming more polarized. People increasingly refuse to even entertain the possibility that their ideas may not be the only correct ideas. What makes this matter especially bad is that there appears to be an inverse correlation between polarization and disagreement. As a population becomes more polarized, it seems to become less willing to entertain disagreement:

To listen and understand; to question and disagree; to treat no proposition as sacred and no objection as impious; to be willing to entertain unpopular ideas and cultivate the habits of an open mind — this is what I was encouraged to do by my teachers at the University of Chicago.

It’s what used to be called a liberal education.

[…]

That habit was no longer being exercised much 30 years ago. And if you’ve followed the news from American campuses in recent years, things have become a lot worse.

According to a new survey from the Brookings Institution, a plurality of college students today — fully 44 percent — do not believe the First Amendment to the U.S. Constitution protects so-called “hate speech,” when of course it absolutely does. More shockingly, a narrow majority of students — 51 percent — think it is “acceptable” for a student group to shout down a speaker with whom they disagree. An astonishing 20 percent also agree that it’s acceptable to use violence to prevent a speaker from speaking.

These attitudes are being made plain nearly every week on one college campus or another.

Rhetoric and debate are being replaced by religious zeal. An increasing number of Americans appear to be holding their beliefs as infallible scripture. If you disagree with their beliefs, you are seen as a heretic and may find yourself excommunicated or even attacked.

Discussion and debate were once considered a cornerstone of education. You were expected to hold your beliefs because evidence had led you to them, and you were therefore also expected to be able to defend your beliefs from critics using the art of debate. In modern times you are expected to have faith in the beliefs dictated to you by your “betters.” Since people who hold beliefs because they were told to do so have not actually researched their beliefs thoroughly, many people today are unable to debate and thus resort to other tactics, which are sometimes violent.

Admittedly, part of me looks forward to the televised death matches that are the logical conclusion of this polarization. However, I’m already weary of every minor disagreement resulting in screaming matches or physical fights.

Written by Christopher Burg

September 27th, 2017 at 11:00 am

Corporate Welfare Commission Decides Cheap Solar Panels Are Bad

without comments

Big corporations tend to be very friendly with big government because big government can help them monopolize their market. While this process of monopolization is bad for consumers, neither the government nor the corporations that have allied themselves with it give a damn. For example, solar power has become increasingly viable over the years thanks to cheap solar panels. However, these cheap panels are being produced overseas, where the lack of government restrictions makes it more viable to make cheap products. To compensate domestic solar panel manufacturers for the restrictions it put in place, the Corporate Welfare Commission, sometimes mistakenly referred to as the International Trade Commission (ITC), has ruled that overseas panels are a threat to domestic manufacturers:

On Friday, the International Trade Commission (ITC) sided with bankrupt solar panel manufacturer Suniva, voting 4-0 that cheap imported solar panels and modules have harmed domestic panel manufacturers.

The commission now has until November to send recommendations on remedies to President Trump, who will be responsible for either setting a tariff on imported solar materials or finding some other remedy. Given Trump’s promises to bolster American manufacturing, it’s likely that he’ll favor restrictions on solar panel imports.

I’m sure the ITC will settle on a tariff because the other remedy, removing government-created restrictions from domestic manufacturers, is unthinkable. What does this mean for consumers? It means us consumers will be paying more for solar panels. This is a bit ironic since the government dumped so much money into encouraging manufacturers to make solar panels affordable in the first place. But what government giveth, government taketh away. It may favor cheap solar panels today and oppose them tomorrow.

Written by Christopher Burg

September 26th, 2017 at 10:30 am

But Wait, There’s More

without comments

Equifax already displayed a staggering level of incompetence but, like a Billy Mays commercial, there’s more:

The official Equifax Twitter account encouraged people to visit a knock-off website that mocks the company’s security practices instead of the site the company created to warn of a massive data breach. That recent breach exposed personal details for as many as 143 million US consumers.

In a tweet on Tuesday afternoon, an Equifax representative using the name Tim wrote: “Hi! For more information about the product and enrollment, please visit: securityequifax2017.com.” The message came in response to a question about free credit monitoring Equifax is offering victims. The site is a knock-off of the official Equifax breach notification site, equifaxsecurity2017.com. A security researcher created the imposter site to demonstrate how easy it is to confuse a legitimate name with a bogus one. The Equifax tweet suggests that even company representatives can be easily fooled. The tweet was deleted late Wednesday morning, more than 18 hours after it went live.

It’s almost as if large credit agencies like Equifax aren’t held accountable for screwing up and therefore aren’t motivated to do an effective job. Weird.

Statists continue to claim that government is necessary to deliver justice when large corporations like this screw up. However, I’m still waiting to see the government do anything more than give a corporation like this a minor slap on the wrist for fuck ups of this magnitude. Hell, I’m still waiting to see the government give Equifax a stern talking to over this series of amateur mistakes. As far as I can tell, government seems to exist primarily to protect large corporations like this from competitors that would currently be tearing it apart if there was a free market.

Written by Christopher Burg

September 22nd, 2017 at 10:30 am

Collectivizing Individual Action

without comments

The War on Some Drugs is justified by collectivizing individual action. According to its proponents, drug usage is a societal problem. They try to justify this claim by using other forms of collectivism. For example, proponents of the drug war will claim that drug usage costs “us” fantastic amounts of money in healthcare-related expenses. However, they can only make that claim because the government has collectivized a significant portion of the healthcare market. If the healthcare market were a free market, drug users would be left footing the expenses for their habit.

The drug war’s current hot topic is illegal opioid usage. In an attempt to make illegal opioid usage look like a societal problem, proponents of the drug war are now claiming that opioid usage has lowered the average life expectancy in the United States:

The problem is so bad, in fact, that the epidemic is dragging down the entire country’s life expectancy—by 2.5 months. That’s according to a new analysis by CDC researchers who published Tuesday in JAMA.

The problem with this statistic is that it’s completely meaningless.

Drug usage isn’t a communicable disease like plague or the flu. A drug user can’t transmit the effects of the drugs they’re using to you. Like them, you have to make a conscious decision to use drugs. If my neighbor down the street decides to use heroin, my life expectancy isn’t impacted in any way whatsoever. But if enough people actually realized that, the government would have a difficult time drumming up popular support for its very profitable war.

Let Them Eat Rabbit

without comments

Socialism has brought equality to Venezuelans! Everybody is equally hungry (except for members of the Party but they’re more important than the lowly proles) and it’s not sitting well. Probably hoping to keep his head firmly attached to his neck, President Maduro has offered a plan to deal with the country’s hunger. His plan? Let them eat rabbit:

That was basically the message from President Nicolas Maduro to Venezuelans starving and struggling through severe food shortages brought on by a spiraling economic crisis.

Maduro unveiled “Plan Rabbit” on Wednesday with his agriculture minister, Freddy Bernal, at a meeting that was broadcast on Periscope. (In the video, the announcement comes after the two-hour mark).

Unfortunately for the people of Venezuela, rabbit meat alone doesn’t fend off starvation:

Protein poisoning was first noted as a consequence of eating rabbit meat exclusively, hence the term, “rabbit starvation”. Rabbit meat is very lean; commercial rabbit meat has 50–100 g dissectable fat per 2 kg (live weight). Based on a carcass yield of 60%, rabbit meat is around 8.3% fat while beef and pork are 32% fat and lamb 28%.

Unless Venezuelans can find a source of fat to go with their rabbit meat, they’ll be in the same position they currently are.

Written by Christopher Burg

September 15th, 2017 at 10:30 am

New Levels of Incompetence

without comments

Equifax, one of the largest consumer credit report agencies, recently suffered a major database breach. Of course, you wouldn’t know it if the media wasn’t giving it heavy coverage because Equifax seems to want to keep things hush-hush, and I understand why. After reading this it would appear that Equifax implemented worse security than most college students in an introductory web development class:

It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”

[…]

Each employee record included a company username in plain text, and a corresponding password that was obfuscated by a series of dots.

However, all one needed to do in order to view said password was to right-click on the employee’s profile page and select “view source,” a function that displays the raw HTML code which makes up the Web site. Buried in that HTML code was the employee’s password in plain text.

This is an impressive level of incompetence and I mean that sincerely. Most amateur websites have better security than this. The fact that a company as large as Equifax could implement worse security practices than even the most amateur of amateur web developers is no small feat. Unfortunately, its piss-poor security practices have put a lot of people’s sensitive information in the hands of unknown parties.

Written by Christopher Burg

September 15th, 2017 at 10:00 am

Play Stupid Games, Win Stupid Prizes

without comments

On Tuesday night a security officer at St. Catherine University was shot. The initial report said that an individual had shot the officer but it turns out that the officer shot himself and lied about it. Why did he do that? Because he played a stupid game:

Investigators continued working the case all day Wednesday. While interviewing Ahlers about 9:15 p.m. Wednesday, he told officers that he was in a wooded area of the campus about 9:30 p.m. Tuesday. He had brought his personal handgun from home and was handling it when it accidentally discharged, hitting him in the shoulder.

He told police he’d lied and said he made up the story because he was afraid of losing his job because he’d brought a gun to work with him.

One of the rules of carrying a firearm is that you should leave it in the holster unless you absolutely need to use it. A holstered gun won’t hurt anybody but the second a gun leaves its holster the possibility of it being fired increases from zero.

As an additional note, if the officer wanted to carry a gun he should have sought out an armed job. Then he wouldn’t have had to worry about losing his job for being armed. Now he’ll probably lose his job and have a tough time getting a new job as a security officer since he’s proven himself to be untrustworthy.

Written by Christopher Burg

September 14th, 2017 at 10:30 am