All Full-Disk Encryption isn’t Created Equal

For a while I’ve been guarded when recommending Android devices to friends. The only devices I’ve been willing to recommend are those like the Google Nexus line that receive regular security updates in a timely manner. However, after this little fiasco I don’t know if I’m willing to recommend any Android device anymore:

Privacy advocates take note: Android’s full-disk encryption just got dramatically easier to defeat on devices that use chips from semiconductor maker Qualcomm, thanks to new research that reveals several methods to extract crypto keys off of a locked handset. Those methods include publicly available attack code that works against an estimated 37 percent of enterprise users.

A blog post published Thursday revealed that in stark contrast to the iPhone’s iOS, Qualcomm-powered Android devices store the disk encryption keys in software. That leaves the keys vulnerable to a variety of attacks that can pull a key off a device. From there, the key can be loaded onto a server cluster, field-programmable gate array, or supercomputer that has been optimized for super-fast password cracking.

[…]

Beniamini’s research highlights several other previously overlooked disk-encryption weaknesses in Qualcomm-based Android devices. Since the key resides in software, it likely can be extracted using other vulnerabilities that have yet to be made public. Beyond hacks, Beniamini said the design makes it possible for phone manufacturers to assist law enforcement agencies in unlocking an encrypted device. Since the key is available to TrustZone, the hardware makers can simply create and sign a TrustZone image that extracts what are known as the keymaster keys. Those keys can then be flashed to the target device. (Beniamini’s post originally speculated Qualcomm also had the ability to create and sign such an image, but the Qualcomm spokeswoman disputed this claim and said only manufacturers have this capability.)

Apple designed its full-disk encryption on iOS very well. Each iOS device has a unique key referred to as the device’s UID that is mixed with whatever password you enter. In order to brute force the encryption key you need both the password and the device’s UID, which is difficult to extract. Qualcomm-based devices rely on a less secure scheme.

But this problem has two parts. The first part is the vulnerability itself. Full-disk encryption isn’t a novel idea. Schemes for properly implementing full-disk encryption have been around for a while now. Qualcomm not following those schemes puts into question the security of any of their devices. Now recommending a device involves ensuring both that the handset manufacturer releases updates in a timely manner and that the device isn’t using a Qualcomm chipset. The second part is the usual Android problem of security patch availability being hit or miss:

But researchers from two-factor authentication service Duo Security told Ars that an estimated 37 percent of all the Android phones that use the Duo app remain susceptible to the attack because they have yet to receive the patches. The lack of updates is the result of restrictions imposed by manufacturers or carriers that prevent end users from installing updates released by Google.

Apple was smart when it refused to allow the carriers to be involved in the firmware of iOS devices. Since Apple controls iOS with an iron fist it also prevents hardware manufacturers from interfering with the availability of iOS updates. Google wanted a more open platform, which is commendable. However, Google failed to maintain any real control over Android, which has left users at the mercy of the handset manufacturers. Google would have been smart to restrict the availability of its proprietary applications to manufacturers who make their handsets pull Android updates directly from Google.
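The difference between mixing the passcode with a hardware-held UID and keeping the device secret where software can read it can be shown with a small model. This is an added example, not code from the original post or from Apple or Qualcomm; it is a simplified stand-in for both schemes, and the names `software_key`, `HardwareBoundKDF`, `offline_search`, the iteration count, and the attempt limit are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50  # constructed value, kept low so the example runs quickly
PIN_SPACE = [f"{n:04d}" for n in range(10_000)]  # every 4-digit passcode


def stretch(passcode: str, salt: bytes) -> bytes:
    """Password stretching step shared by both models."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, ITERATIONS)


def check_value(key: bytes) -> bytes:
    """Value stored on disk that lets a candidate key be confirmed."""
    return hmac.new(key, b"fde-check", hashlib.sha256).digest()


def software_key(passcode: str, salt: bytes, device_secret: bytes) -> bytes:
    """Model A: the device secret is readable by software, so it can be copied."""
    return hmac.new(device_secret, stretch(passcode, salt), hashlib.sha256).digest()


class HardwareBoundKDF:
    """Model B: the UID can only be used through derive(), never read out.

    The attempt limit is an assumption of this example, standing in for
    whatever throttling a real device applies to on-device guesses.
    """

    def __init__(self, max_attempts: int = 10):
        self._uid = os.urandom(32)   # stands in for a key fused into hardware
        self._left = max_attempts

    def derive(self, passcode: str, salt: bytes) -> bytes:
        if self._left <= 0:
            raise PermissionError("attempt limit reached")
        self._left -= 1
        return hmac.new(self._uid, stretch(passcode, salt), hashlib.sha256).digest()


def offline_search(derive, target_check: bytes):
    """Run every passcode through derive(); return the match or None."""
    for pin in PIN_SPACE:
        if hmac.compare_digest(check_value(derive(pin)), target_check):
            return pin
    return None


def demo():
    salt = os.urandom(16)
    pin = "4821"  # constructed sample passcode

    # Model A: salt, check value and device secret have all left the device,
    # so the whole passcode space can be searched on any other machine.
    secret_a = os.urandom(32)
    check_a = check_value(software_key(pin, salt, secret_a))
    found_a = offline_search(lambda p: software_key(p, salt, secret_a), check_a)

    # Model B: salt and check value are copied, but the UID stays in hardware.
    hw = HardwareBoundKDF(max_attempts=10)
    check_b = check_value(hw.derive(pin, salt))  # owner's unlock uses one attempt

    # Off the device, the UID has to be guessed too; a wrong UID matches nothing.
    wrong_uid = os.urandom(32)
    found_b_offline = offline_search(
        lambda p: software_key(p, salt, wrong_uid), check_b
    )

    # On the device, every guess goes through derive() and hits the limit.
    try:
        found_b_ondevice = offline_search(lambda p: hw.derive(p, salt), check_b)
    except PermissionError:
        found_b_ondevice = None

    return found_a, found_b_offline, found_b_ondevice


if __name__ == "__main__":
    print(demo())
```

In Model A the short passcode is the only unknown once the stored secret is copied, which is why extraction matters so much; in Model B the same passcode stays protected by a 256-bit value that never leaves the device.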

The B-Team

In 2016 a wannabe commando unit was sent to a holding cell by a civilian judge to stand trial for a crime they did commit. These men promptly escaped from jail to the New York City underground by posting bail. Today, still wanted by the police, they survive as soldiers of fortune. If you have a problem, if no one else can help, and if you can’t afford anybody better, maybe you can hire the B-Team.

John Cramsey’s 20-year-old daughter died from a heroin overdose four months earlier in Allentown, Pennsylvania.

He and two friends Dean Smith and Kimberly Arendt were stopped by police for driving with a cracked windscreen.

They told the arresting police officers that they were a group of vigilantes on their way to rescue a teenage girl.

I know this story is going to raise a lot of questions. For starters, how did the police identify this crack commando team? Obviously they went to great lengths to be as inconspicuous as possible…

[Image: b-team-truck]

Nothing says inconspicuous like a truck with neon green tastelessly plastered all over it. The target reticle painted on the side is a nice touch as well. I’m sure you’re wondering what the B-Team’s load out was.

A camouflage helmet, seven guns including rifles, and knives were recovered from the car, as well as cannabis, body armour and 2,000 rounds of ammunition.

2,000 rounds of ammunition? I bet they were planning on using discount Mini-14s (Is there a discount Mini-14? Maybe, like, a Hi-Point carbine or something?) and didn’t plan to hit anything they shot at.

“Libertarian” Vice Presidential Candidate

Supposedly the Libertarian Party tries to get libertarians elected into offices. The party has a funny way of going about that goal though. For example, the party hasn’t nominated an actual libertarian presidential candidate for at least as long as I’ve been old enough to vote. This year’s ticket is no different.

Gary “Ban the Burqa” Johnson was nominated to be the Libertarian Party’s presidential candidate this year. Although the Libertarian Party doesn’t allow presidential candidates to outright pick their running mates, the party voters are usually willing to roll over and approve whoever their presidential candidate wants. Johnson wanted Bill Weld and the Libertarian Party, apparently deciding it didn’t want any libertarians on its presidential ticket, was happy to comply.

After the shooting in Orlando Weld decided to show his anti-libertarian colors:

Bill Weld, the former governor of Massachusetts now running as the Libertarian Party’s candidate for vice president, called today for a 1,000-agent task force to combat Islamic State adherents in the United States, and for a tip line where Muslims could inform on radicalism.

“Let’s face it: The United States is under attack right now by ISIS and ISIS copycats,” Weld said. “They have a deep pool to pull from. There are over 3 million Muslims in the United States — maybe Mr. Trump will want to deport them all, but the better approach is to work with the community.”

Weld, who served as U.S. attorney and then assistant attorney general in the DOJ’s criminal justice division, suggested that the DOJ could take a cue from a program that worked in Massachusetts. The “Drop-a-Dime Project,” a nonprofit tip line created by community leaders, was used by law enforcement to pursue tips about crime in Boston’s black neighborhoods and to achieve breakthroughs in drug investigations.

“We’d get all kinds of tips,” Weld said. “The residents of Dorchester and Mattapan were only too happy to help. There may be some people out there leaning toward ISIS, people who would want to shelter the people going around killing other people. But for every pair of ears that would be sympathetic, there will be pairs that will not be sympathetic.”

I thought the Libertarian Party was all about shrinking government, not growing it. I guess this is what happens when the party doesn’t nominate a libertarian for its vice presidential candidate.

I know the Libertarian Party, especially now that it’s pulling people from the Republican Party, has a lot of statists within its ranks so this idea may sound appealing to them. Let’s consider the effectiveness of such a program. I’ll start by once again quoting Bruce Schneier, “If you ask amateurs to act as front-line security personnel, you shouldn’t be surprised when you get amateur security.” This is something libertarians tend to inherently understand. If you set up a program where average Joes are expected to rat out their neighbors you will get a lot of noise and very little, if any, signal.

How do you tell if somebody expressing sympathies for the Islamic State (IS) is merely angry at the way the United States and European countries have treated the Middle East or is planning to commit acts of murder in the organization’s name? Most people can’t tell and that’s the problem with this kind of tip line. It would be flooded with “tips” from people who think somebody speaking out against the United States dropping bombs on wedding parties is sympathizing with IS. Many of the “tips” would likely come from people who just don’t like their Muslim neighbors and see the tip line as a way to get the State to harass them. Weld’s proposal would create a 1,000-agent (you do have to appreciate how all of these proposals involve an arbitrary number of agents that is almost always cleanly divisible by 10) task force that does nothing productive (in other words, it’ll be just like every other government agency).

I’m glad I don’t play politics anymore. If I did I’d be depressed this election cycle because there are exactly zero acceptable candidates running for office.

Tragedy Of The Commons

Waze is a wonderful app that allows users to alert other users of traffic issues. I use the app because I like to report and know about road pirate activity but it’s also useful for avoiding traffic issues that aren’t caused by thieves with badges. Now that we’ve entered road construction season here in Minnesota, Waze is useful for routing around the ever-changing landscape that is the transportation infrastructure. But some people are unhappy with the app because it sometimes routes travelers through their neighborhoods:

When the traffic on Timothy Connor’s quiet Maryland street suddenly jumped by several hundred cars an hour, he knew who was partly to blame: the disembodied female voice he could hear through the occasional open window saying, “Continue on Elm Avenue . . . .”

The marked detour around a months-long road repair was several blocks away. But plenty of drivers were finding a shortcut past Connor’s Takoma Park house, slaloming around dog walkers and curbside basketball hoops, thanks to Waze and other navigation apps.

“I could see them looking down at their phones,” said Connor, a water engineer at a federal agency. “We had traffic jams, people were honking. It was pretty harrowing.”

And so Connor borrowed a tactic he read about from the car wars of Southern California and other traffic-weary regions: He became a Waze impostor. Every rush hour, he went on the Google-owned social-media app and posted false reports of a wreck, speed trap or other blockage on his street, hoping to deflect some of the flow.

He continued his guerrilla counterattack for two weeks before the app booted him off, apparently detecting a saboteur in its ranks. That made Connor a casualty in the social-media skirmishes erupting across the country as neighborhoods try to contend with suddenly savvy drivers finding their way on routes that were once all but secret.

Cry me a river. Mr. Connor must have quite the ego if he thinks he has some kind of right to decide who can and cannot use roads he doesn’t even own.

The issue he’s seeing, without being intelligent enough to realize it, is a tragedy of the commons. Most roads in this country are considered public (which is a fancy word for the State claiming exclusive ownership rights). They’re funded by money that has been stolen from the population in the form of taxes. That being the case, Connor has no right to bitch about how the road in his neighborhood is used. If it suddenly becomes popular with motorists and that popularity causes the road to degrade faster and to be less usable by people living in the neighborhood then there’s no recourse for the people of the neighborhood.

There is a solution to this: private roads. Suddenly everything changes. The people using your private road without your permission are trespassers. If they do want to use your road they can attempt to negotiate a deal with you. If you’re not interested in a deal then you can tell them to buzz off. But none of that is possible if the roads are public because then the State gets to decide who can and cannot use them.

Instead of whining about people using the road that they were forced to pay for, Mr. Connor should really try to see if there is a way to privatize the road so he and his neighbors can decide who gets to use it.

Another One Of Those Bad Apples

I’m not sure if this is one of those bad apples that makes the majority look bad, another isolated incident I keep hearing so much about, or a case of an officer who simply wanted to go home to his family at night. Regardless of the typical law enforcer apologist excuse you select, it’s important to remember that the rules are different for men with government badges:

A former Kenosha Police officer who planted evidence in a homicide investigation will not see jail time.

Kyle Baars was sentenced Wednesday to one year probation for felony misconduct in public office.

He was given permission to serve that probation in Illinois, and will be required to serve 80 hours of community service. He could serve a year in jail and one year of extended supervision if he violates the terms of his probation.

Baars could have been sentenced to 18 months in prison and given a $10,000 fine.

The former officer had admitted planting a bullet and an identification card in a backpack during an investigation into the 2014 shooting death of a Kenosha man.

On Wednesday, Baars called planting the evidence “a bad decision” but argued that he should be given credit for eventually admitting his actions and testifying at the homicide trial for one of the defendants that he had planted evidence.

One year of probation for planting evidence in the investigation of a legitimate crime? It’s good to be in the king’s employ. The sentence is ridiculous but the way the officer was handled with kid gloves is almost as ridiculous. Neither his fellow officers, the district attorney, nor the judge ripped his ass properly. Instead he received a mild chiding by the judge for blaming other people.

This is just another case of the court system treating agents of the State differently than the rest of us. I’m fairly certain any non-state agent who planted evidence in a criminal investigation would receive a bit harsher of a sentence than one year of probation. I also doubt that excuses such as a “distinguished career” would be considered a legitimate legal defense. The sentencing would likely include the judge delivering much harsher words than a mere “Tsk, tsk. You shouldn’t have done that. That was naughty.”

Police are like you and me, only better!

Airport Security Isn’t The Only Security The TSA Sucks At

The Transportation Security Administration (TSA) sucks at providing airport security. But the agency isn’t a one trick pony. Demonstrating its commitment to excellence — at sucking — the TSA is working hard to make its computer security just as good as its airport security:

The report centers on the way TSA (mis)handles security around the data management system which connects airport screening equipment to centralized servers. It’s called the Security Technology Integrated Program (STIP), and TSA has been screwing it up security-wise since at least 2012.

In essence, TSA employees haven’t been implementing STIP properly — that is, when they’ve been implementing it at all.

STIP manages data from devices we see while going through security lines at airports, namely explosive detection systems, x-ray and imaging machines, and credential authentication.

[…]

In addition to unpatched software and a lack of physical security that allowed non-TSA airport employees access to IT systems, the auditors found overheated server rooms and computers using unsupported systems — and much more.

The observed “lack of an established disaster recovery capability” noted by the OIG is particularly scary. If a data center was taken out by natural disaster, passenger screening and baggage info would be rendered inaccessible.

Not only that, but there was no security incident report process in place, and there was “little employee oversight in maintaining IT systems.” And, auditors were not pleased at all that non-TSA IT contractors maintained full admin control over STIP servers at airports.

At what point do we write the TSA off as a failed experiment? I know, it’s a government agency, it’ll never go away. But the fact that the TSA continues to fail at everything and is allowed to continue existing really demonstrates why the market is superior to the State. Were the TSA forced to compete in a market environment it would have been bankrupted and its assets would have been sold to entrepreneurs who might be able to put them to use.

It’s time to ask the million dollar question. What will happen now? One of the reasons government agencies fail to improve their practices is because there’s no motivation to do so. A government agency can’t go bankrupt and very rarely do failures lead to disciplinary action. In the very few cases where disciplinary action does happen it’s usually something trivial such as asking the current head of the agency to retire with full benefits.

Meanwhile air travelers will still be required to submit to the TSA, which not only means going through security theater but now potentially means having their personal information, such as images from the slave scanners, leaked to unauthorized parties.

Why Does The TSA Suck? It’s Your Fault You Stupid Slave!

The Transportation Security Administration (TSA) has been receiving a lot of well deserved flak in recent months. Security theater lines have been growing and now the TSA recommends air travelers show up two hours early to ensure they get through. It reminds me of the Department of Motor Vehicles (DMV). When wait times increase the agency doesn’t hire more staff or make its processes more efficient, it demands people take more time out of their day. This shouldn’t surprise anybody though. Nobody has the option of using a competitor to the TSA, DMV, or any other government agency so the agencies have no motivation to improve their service.

But the public is pissed, which means boring congressional hearings could be in the TSA’s future. Probably hoping to avoid going to yet another meeting where they have to pretend to pay attention while congress members pretend to provide oversight, the heads of the TSA are trying to find some reason for its failure that will satiate the public. I doubt the reason it’s giving will work though since it’s resorted to blaming everybody besides itself:

The comments reflect a statement released earlier this week after long lines were reported at Newark, JFK and LaGuardia airport security checkpoints. When asked about those long lines, the TSA essentially blamed you in a press release, specifically passengers who bring too many carry-on items:

There are several factors that have caused checkpoint lines to take longer to screen passengers… including more people traveling with carry-on bags, in many cases bringing more than the airline industry standard of one carry-on bag and one personal item per traveler;

Passenger preparedness can have a significant impact on wait times at security checkpoints nationwide… Individuals who come to the TSA checkpoint unprepared for a trip can have a negative impact on the time it takes to complete the screening process.

Not surprisingly, it’s also blaming air passengers for not paying the agency its desired extortion fee:

In the past three years, the TSA and Congress cut the number of front-line screeners by 4,622 — or about 10 percent — on expectations that an expedited screening program called PreCheck would speed up the lines. However, not enough people enrolled for TSA to realize the anticipated efficiencies.

Perhaps the TSA should look inward. One of the biggest contributing factors to the length of security theater lines is likely the agency’s inconsistency. If you know what you have to do when you reach the checkpoint you can prepare ahead of time. For example, you might untie or entirely remove your shoes and take off your belt. You might also remove your liquids and laptop from your bags. When you arrive at the actual checkpoint you can efficiently put everything through the x-ray machine, opt out of the slave scanner, and be through as quickly as possible. But you can’t prepare yourself ahead of the checkpoint because you have no idea what you’ll be expected to do until some idiot with a badge is barking orders at you.

If PreCheck is supposed to help reduce wait times and the TSA is actually committed to reducing wait times the agency should make the program free. That would encourage more people to sign up for it. You can tell that the program is more about extorting the public than making wait times shorter by the simple fact that PreCheck isn’t free (and since the TSA is a government agency it doesn’t have to concern itself with making a profit so making the program free isn’t a big deal).

Businesses know that the customer is usually right. A private security provider knows that absurdly long wait times in line will reflect negatively on the venue that hired them, which may hinder their chances of getting another contract in the future. Because of that they are more motivated to make the screening process as efficient as possible. They don’t tell an angry venue owner that the wait times are due to the incompetence of the customers because that excuse isn’t going to fly. But the government doesn’t have customers, it has citizens (which is a fancy term for people being preyed on by the State). That being the case, it has no problem blaming its own failures on its citizens.

I Guess Oracle Will Sue MariaDB Next

Oracle is still butthurt over the fact that it snapped up Java when it purchased Sun Microsystems and still hasn’t figured out how to make it profitable. Google on the other hand, managed to take the Java application programming interface (API) and use it for Android, which is turning the company a tidy profit. After getting its ass handed to it in court only to have a dimwitted judge reverse the decision, Oracle is pushing forward with its desperate attempt to get its hands on some of the wealth Google created. Oracle is now claiming that Google owes damages. Why? Apparently because it’s offering Android for free:

Catz also testified that Oracle’s Java licensing business was hurt by Android. Customers that used to buy licenses for Java, including Samsung, ZTE, Motorola, and others, don’t buy licenses from Oracle anymore. “They don’t take a license from us anymore, because they use Android, which is free,” she said.

Licensing contracts that used to be $40 million deals are now $1 million deals, Catz said. She gave the example of Amazon, which was formerly a customer but chose to go with Android for the Kindle Fire. When Amazon came out with its popular mid-range Kindle, the Paperwhite, the e-reader company chose to license Java only after Oracle offered a massive discount.

“In order to compete, we ended up giving a 97.5 percent discount for the Paperwhite,” she said, “because our competition was free.”

As for the mobile licensing business, since the launch of Android, it has performed “very, very poorly,” Catz said.

What’s next? Will Oracle sue the people behind MariaDB? For those who don’t know, MariaDB is a fork of MySQL, which is another product that Oracle acquired when it purchased Sun Microsystems. MariaDB, like the Android API, is a free product based on software Oracle acquired through its purchase of Sun Microsystems that could be taking market share from its expensive software!

Should manufacturers and developers of a product that’s sold directly for money be able to sue competitors who offer a free alternative? If you ask some antitrust supporters the answer is yes. But if you ask anybody with a brain the answer is no.

Consider Oracle’s situation. Android basically ate its lunch because nobody is buying its mobile Java software. Does that indicate that Google is somehow at fault because it made Android free? No. Such an assumption would imply that free products always win in the market when that isn’t the case. Sometimes a free product is so shitty that an expensive alternative still wins out. Consider Microsoft Windows. It’s still the most popular desktop operating system out there even though Linux, FreeBSD, OpenBSD, and a number of other free alternatives exist. Why? Because Windows offers features that consumers want and alternatives don’t offer. Software compatibility, driver support, etc. are desirable features to many people. So desirable in fact that they’re willing to pay for them even though a free alternative exists. Without those features consumers see the free alternatives as so shitty that the savings associated with using them aren’t worth it. In spite of what the famous saying says, you actually can compete with free.

Android isn’t winning over mobile Java simply because it’s free. It’s winning because it offers features that consumers want. There is a massive software library available for Android that isn’t available for mobile Java. Google includes many desirable applications including clients for its popular Maps and Gmail services. Hardware developers want consumers to buy their phones so they tend to favor software that consumers want, which is part of the reason so many Android mobile devices exist while so few Windows ones do.

Google isn’t responsible for Oracle’s dwindling mobile Java profits, Oracle is for not making it a compelling product.

Performing Denial Of Service Attacks Against Airliners Is Ridiculously Simple

How can you shut down an airline service? By setting your Wi-Fi hotspot’s Service Set Identifier (SSID) to something quippy:

According to The West Australian, a passenger on QF481 spotted a Wi-Fi hotspot titled “Mobile Detonation Device” and advised a crew member. It wasn’t clear what mobile device it was linked to or where the device was located.

The crew member informed the captain, who then broadcast a message to passengers. Passenger John Vidler told the publication the pilot said the device needed to be located before the flight could depart.

If somebody put a bomb on board would they use Wi-Fi to detonate it? Probably not. That would require being in close proximity to the device whereas cellular devices, which are commonly used as remote detonators, allow the perpetrator to be somewhere else in the world. If a bomber did use a Wi-Fi detonator would they set it to broadcast an SSID that indicated it was a detonator? Most likely not. That would increase the chances of the device being discovered before it could be detonated. Holding the flight until the device was located was an overreaction.

In addition to being an overreaction it also gives individuals interested in interfering with airline service a cheap and effective means of accomplishing their goals. With little more than a Wi-Fi access point you can perform a denial of service attack against an airplane.

The War Against Privacy

If you read the erroneously named Bill of Rights (which is really a list of privileges, most of which have been revoked) you might be left with the mistaken impression that you have a right to privacy against the State. From the National Security Administration’s (NSA) dragnet surveillance to local police departments using cell phone interceptors, the State has been very busy proving this wrong. Not to be outdone by the law enforcement branches, the courts have been working hard to erode your privacy as well. The most recent instance of this is a proposed procedural change:

The Federal Rules of Criminal Procedure set the ground rules for federal criminal prosecutions. The rules cover everything from correcting clerical errors in a judgment to which holidays a court will be closed on—all the day-to-day procedural details that come with running a judicial system.

The key word here is “procedural.” By law, the rules and proposals are supposed to be procedural and must not change substantive rights.

[…]

But the amendment to Rule 41 isn’t procedural at all. It creates new avenues for government hacking that were never approved by Congress.

The proposal would grant a judge the ability to issue a warrant to remotely access, search, seize, or copy data when “the district where the media or information is located has been concealed through technological means” or when the media are on protected computers that have been “damaged without authorization and are located in five or more districts.” It would grant this authority to any judge in any district where activities related to the crime may have occurred.

In layman’s terms the change will grant judges the ability to authorize law enforcers to hack into any computer using Tor, I2P, a virtual private network (VPN), or any other method of protecting one’s privacy (the wording is quite vague and a good lawyer could probably stretch it to include individuals using a public Wi-Fi access point in a restaurant). The point being made with this rule proposal is clear: the State doesn’t believe you have any right to protect your privacy.

This should come as no surprise to anybody though. The State has long held that your right to privacy stops where its nosiness begins. You’re not allowed to legally possess funds the State isn’t aware of (financial reporting laws exist to enforce this), manufacture and sell firearms the State isn’t aware of, or be a human being the State isn’t aware of (registering newborn children for Social Security and requiring anybody entering or leaving the country to provide notice and receive approval from the State).