You’re Doing it Wrong – Page 19

The FBI Heroically Saves Us Yet Again From A Criminal It Created

Just one week after heroically saving us from a terrorist it created, the Federal Bureau of Investigations (FBI) has saved us from yet another criminal it created:

US authorities depict Franey as an unstable anti-government militant who deserved a closer look to see how far he might go. One of his neighbors told FBI agents that Franey said he hated the US military for not allowing him “to leave the Army” after he enlisted, and that he railed at the system for “taking away his kids.” As US Attorney Hayes put it, the Justice Department was obligated to “pursue all available leads to ensure the public was protected from any possible harm.”

But while it seems Franey talked often and enthusiastically about plotting a terrorist attack, there’s little indication he ever had any intention of following through with his threats until the FBI’s undercover agent came along. After befriending Franey, the agent took him on an eight-month ride — sometimes literally, including a road trip along the West Coast — while recording their conversations, doling out cash, furnishing him with guns, and then busting him for illegal possession of the weapons.

I once heard that the FBI used to arrest criminals it didn’t create. Does it still do that once in a while? Is that still a thing?

What happened here is the same thing that always happens. The FBI identified somebody, likely of lukewarm intelligence, who it thought was capable of being radicalized into a threat. It then assigned an agent to befriend the individual and slowly radicalize him. After radicalizing him the agent then provided him a means to perpetuate an attack. The operation then closed with the agent arresting the guy for basically being a radicalized individual in possession of a means to commit an attack.

In this case the FBI’s prey was arrested for illegally possessing weapons. Weapons which were given to him by the FBI.

These operations rely on taking a hypothetical scenario and making it a reality. The individuals they target are those the agency deems capable of being radicalized. If left to their own devices the individuals would almost certainly remain harmless. Most of these individuals are socially isolated, aren’t the brightest bulbs in the box, and are seldom go-getters. Since they’re socially isolated they’re usually desperate for friendship, which makes them vulnerable to FBI agents. Their lukewarm intelligence also makes them more susceptible to being influenced. When you combine social isolation with lukewarm intelligence you have a recipe for an individual who can be easily manipulated to do bad things. But even if they’re manipulated into doing something bad they seldom have the motivation or means. So the FBI prods these individuals into performing an attack and provides them a means with which to pull it off. Finally, with all the pieces in place the FBI arrests its creation.

What the FBI is doing is preying on vulnerable individuals, convincing them to do something bad, and then providing the means to do that bad thing. If the FBI didn’t involve itself these people would normally just fade into the annals of history. The FBI isn’t protecting us from anything with these operations. It’s creating a bad situation and then claiming to save everybody from it.

Religious Freedom*

Mississippi recently passed House Bill 1523 [PDF] into law. The bill was described by its proponents as legislation to protect religious freedom by prohibiting the government from discriminating against actions performed due to strong religious convictions. What the proponents of the bill forgot to mention was the giant asterisk that noted the restrictions. House Bill 1523 only protects your religious freedom as long as you believe the right things:

SECTION 2. The sincerely held religious beliefs or moral convictions protected by this act are the belief or conviction that:

(a) Marriage is or should be recognized as the union of one man and one woman;

(b) Sexual relations are properly reserved to such a marriage; and

(c) Male (man) or female (woman) refer to an individual’s immutable biological sex as objectively determined by anatomy and genetics at time of birth.

If your religious beliefs our outside of those three criteria this bill does not protect them. For example, members of the Church of the Phenomenological Agorist hold a strong moral conviction that participation in the black market is not only righteous but a holy duty. Even though black market participation is a strongly held moral conviction the government will still ruthlessly pursue discriminatory action against them.

Do your religious beliefs acknowledge polygamy? If so those beliefs actually directly go against this bill since it only protects beliefs that acknowledge marriage as a union of one man and one woman. Don’t like it? Tough shit. You should have chosen a governmentally protected religion.

So long as you believe one of the three approved beliefs the government of Mississippi will not prosecute you for refusing to perform a wedding or bake a cake nor will it prosecute you for enforcing bathroom assignments. It will not restrain itself from prosecuting you for, for example, refusing service to police officers, something the Church of the Phenomenological Agorist strongly encourages, or people who discriminate against polygamous families.

This bill isn’t about religious freedom, it’s about religious discrimination. It creates two tiers for religions: those that subscribe to the beliefs specifically noted in the bill and those that do not. Members of religions in the first tier receive special treatment from the Mississippi government. Members of all other religions have to suffer the full brunt of the government’s boot stomping down on their faces.

Don’t Stick Just Anything In Your Port

Universal Serial Bus (USB) flash drives are ubiquitous and it’s easy to see why. For a few dollars you can get a surprising amount of storage in a tiny package that can be connected to almost any computer. Their ubiquity is also the reason they annoy me. A lot of people wanting to give me a file to work on will hand me a USB drive to which I respond, “E-mail it to me.” USB drives are convenient for moving files between local computers but they’re also hardware components, which means you can do even more malicious things with them than malicious software alone.

The possibility of using malicious USB drives to exploit computers isn’t theoretical. And it’s a good vector for targeted malware since the devices are cheap and a lot of fools will plug any old USB drive into their computer:

Using booby-trapped USB flash drives is a classic hacker technique. But how effective is it really? A group of researchers at the University of Illinois decided to find out, dropping 297 USB sticks on the school’s Urbana-Champaign campus last year.

As it turns out, it really works. In a new study, the researchers estimate that at least 48 percent of people will pick up a random USB stick, plug it into their computers, and open files contained in them. Moreover, practically all of the drives (98 percent) were picked up or moved from their original drop location.

Very few people said they were concerned about their security. Sixty-eight percent of people said they took no precautions, according to the study, which will appear in the 37th IEEE Symposium on Security and Privacy in May of this year.

Leaving USB drives lying around for an unsuspecting sucker to plug into their computer is an evolution of the old trick of leaving a floppy drive labeled “Payroll” lying around. Eventually somebody’s curiosity will get the better of them and they’ll plug it into their computer and helpfully load your malware onto their network. The weakest link in any security system is the user.

A lot of energy has been invested in warning users against opening unexpected e-mail attachments, visiting questionable websites, and updating their operating systems. While it seems this advice has mostly fallen on deaf ears it has at least been followed by some. I think it’s important to spend time warning about other threats such as malicious hardware peripherals as well. Since it’s something that seldom gets mentioned almost nobody thinks about it and that helps ensure experiments like this will show disappointing results.

If You Don’t Own It, It’s Not Yours

If you don’t own it, it’s not yours. A lot of people are learning that lesson today after Google announced that it would be disabling customers’ Revolv smart-home hub in spite of the promised lifetime subscription:

As we reported on Tuesday, shutting down the Revolv smart-home hubs does not mean Nest is ceasing to support its products, leaving them vulnerable to bugs and other unpatched issues. It means that the $300 (£211) devices and accompanying apps will stop working completely.

[…]

And the decision to deliberately disable the smart-home hubs comes despite the fact they were previously advertised as having a “lifetime subscription.”

Do you own the devices you purchase? If you read most license agreements, which you usually can’t read until you’ve purchased and opened the product, you’re not buying the product but a license to use the product. This is especially true with products that include software, which are regulated under easily abused copyright laws. John Deere, for example, claims you don’t own your tractor, you’re merely licensing it. Because of that John Deere argues that you’re not allowed to fix the tractor as that is a violation of the license you agreed to.

The problem with licenses is that they can be revoked. In this case Google is not only ceasing online services for the Revolv but is entirely bricking the devices themselves, which is likely allowed under the device’s license agreement (those agreements basically read, “We can do whatever we want and you agree to like it.”) regardless of any marketing promises of a “lifetime subscription.”

Had the Revolv been a device that ran open source software with a permissive license its fate wouldn’t be so bleak. At least the option would exist for developers to continue updating the software and creating an alternate online service. That’s the type of freedom ownership allows but licensing usually doesn’t.

As more devices are needlessly tied to “the cloud” we’re going to see more bullshit like this. In my eyes it’s the “in-app purchases” economy brought into the physical world. Many applications used to sell for a one-time fee only for the developers to change their mind and start relying on in-app purchases. An example of this is Cyclemeter. When I first purchased the app it included everything. Now you need to pay a yearly subscription fee via the in-app purchase feature to unlock most of the features. The same bait and switch is coming to our physical world via the Internet of Things. Manufacturers will brick older devices to persuade customers to buy the latest model. Since these devices are almost exclusively licensed instead of owned there will be little recourse for customers. It’s going to be a large scale demonstration of if you don’t own it, it’s not yours.

Having Your Surveillance Cake And Eating It Too

At one point it wasn’t uncommon for employers to issue company devices to employees. Things have changed however and now it is common for employers to expect employees to use their personal devices for work. It seems like a win-win since employees don’t have to carry two cell phones or use whatever shitty devices their company issues and employers safe money on having to buy devices. However, it leads to an interesting situation. What happens when the employer wants to surveil an employee’s personal device? That’s the battle currently being waged by Minnesota’s state colleges and their employees:

Two faculty unions are up in arms over a new rule that would allow Minnesota’s state colleges and universities to inspect employee-owned cellphones and mobile devices if they’re used for work.

The unions say the rule, which is set to take effect on Friday, would violate the privacy of thousands of faculty members, many of whom use their own cellphones and computers to do their jobs.

“[It’s] a free pass to go on a fishing expedition,” said Kevin Lindstrom, president of the Minnesota State College Faculty.

But college officials say they have an obligation under state law to protect any “government data” that may be on such devices, and that as public employees, faculty members could be disciplined if they refuse to comply.

If the universities have such a legal obligation then they damn well should be issuing devices. Data is at the mercy of the security measures implemented on whatever devices it is copied to. When businesses allow employees to use personal devices for work any data that ends up on those devices is secured primarily by whatever measure the employee has put into place. While you can require certain security measures such as mandating a lock screen password on the employee’s phone, employees are still generally free to install any application, visit any website, and add any personal accounts to the device. All of those things can compromise proprietary company data.

By issuing centrally managed devices, the universities could restrict what applications are installed, what webpages devices are willing to visit, and what accounts can be added.

There is also the issue of property rights. What right does an employer have to surveil employee devices? If so, how far does that power extend? Does an employer has the right to surveil an employee’s home if they work form home or ever take work home? Does an employer have the right to surveil an employee’s vehicle if they use that vehicle to drive to work or travel for work? When employers purchase and issue devices these questions go away because the issued devices are the employer’s property to do with as they please.

If an employer wants to surveil employee devices then they should issue devices. If an employer is unwilling to issue devices then they should accept the fact they can’t surveil employee devices. If an employer is under a legal obligation to protect data then it needs to issue devices.

FBI Heroically Saves Us From Yet Another Person It Radicalized

Without the Federal Bureau of Investigations (FBI) who would protect us from the people radicalized by the FBI? Without the heroics of the agency a lot of people might be dead today — killed by a terrorist radicalized by the FBI:

KHALIL ABU RAYYAN was a lonely young man in Detroit, eager to find a wife. Jannah Bride claimed she was a 19-year-old Sunni Muslim whose husband was killed in an airstrike in Syria. The two struck up a romantic connection through online communications.

Now, Rayyan, a 21-year-old Michigan man, is accused by federal prosecutors of supporting the Islamic State.

Documents released Tuesday show, however, that Rayyan was motivated not by religious radicalism but by the desire to impress Bride, who said she wanted to be a martyr.

Jannah Bride, not a real name, was in fact an FBI informant hired to communicate with Rayyan, who first came to the FBI’s attention when he retweeted a video from the Islamic State of people being thrown from buildings. He wrote later on Twitter: “Thanks, brother, that made my day.”

According to the FBI, the agency discovered a radicalized supporter of the Islamic State that was going to perpetrate a terrorist attack. But the attack never happened because the FBI was able to discover the individual ahead of time and intervene.

Put into normal people lingo, the FBI found somebody with neither the motivation or means to perform a terrorist attack. The agency then provided the motivation and eventually the means. If the FBI hadn’t inserted itself into this individual’s life they still wouldn’t have perpetrated a terrorist attack.

I like to say, if it weren’t for the people radicalized by FBI agents there wouldn’t be any terrorists for the FBI to capture. When I first started saying that it was done with a modicum of sarcasm because I assumed the agency did manage to fight some actual crime once in a while. But so many of these FBI created cases exist that they literally fill a book. It’s getting to the point where seems the agency’s only job is dealing with the “terrorists” it creates.

FIREClean Sues Andrew Tuohy And Everett Baker

Gun owners had a spot of fun at FIREClean’s expense. FIREClean, a product sold for cleaning and lubricating firearms, turned out to appear very similar to Crisco when analyzed with infrared spectroscopy. Many of us laughed and a lot of FIREClean customers weren’t amused by the thought that they were charged a premium price for what appeared to be essentially Crisco.

Now that FIREClean’s profits have fallen they’re looking for a scapegoat. That scapegoat took the form of the two individuals who kicked off this entire fiasco by having the audacity to analyze FIREClean’s product:

FIREClean did respond, insisting that “allegations do not focus on actual performance or relevant tests, and draw a misleading picture”. The response did not deny that their product was similar to the oils tested alongside it in the spectroscopy.

Now it seems that on March 17th, FireClean LLC has filed a lawsuit against Mr. Tuohy and Everett Baker, a man who performed his own tests to verify Tuohy’s findings. In their complaint, FireClean LLC claims that “Tuohy initiated a public smear campaign against FireClean” and holds that Mr. Baker “contacted Tuohy for the express purpose of conspiring with him to further defame and damage FireClean”. FireClean LLC also states that since the publishing of the test, their revenues have fallen by over $25,000 per month.

Before this lawsuit I simply found FIREClean’s situation amusing. But now I think the creators of FIREClean are assholes.

Performing independent analysis and publicly releasing the findings isn’t a smear campaign. Neither person, as far as I can find, every said FIREClean is Crisco. In fact Andrew went to some lengths to clearly state that he didn’t think FIREClean was Crisco. What they said was that FIREClean and Crisco appear very similar when analyzed by infrared spectroscopy. That isn’t a false statement because the data showed exactly that.

The lawsuit itself [PDF] even admits that the defendants didn’t claim FIREClean was Crisco:

47. The statement, “FireClean is probably a modem unsaturated vegetable oil virtually the same as many oils used for cooking,” and its implications, are false.

Notice the word “probably” in that sentence? That makes it speculative and a speculation based on evidence isn’t false. Had the statement been, “FireClean is a modem unsaturated vegetable oil virtually the same as many oils used for cooking,” then there would be grounds that the defendants made a false statement.

One point in the lawsuit note that, “infrared spectroscopy is not scientifically suitable for comparing oils from the same class of compounds, such as triacylglycerides or hydrocarbons.” Another point notes that the tests weren’t performed with any controls. Refuting findings because of insufficient or incorrect testing methods is a perfectly valid rebuttal. Such a rebuttal can be posted publicly without a lawsuit. The fact that FIREClean only brought up these points now and not in its initial rebuttal just makes the company look like a gigantic asshole.

The lawsuit also makes a big stink about the personal opinion expressed by Andrew:

50. Defendant Tuohy also quoted the anonymous professor as saying: “I don’t see any sign ofother additives such as antioxidants or corrosion inhibitors. Since the unsaturation in these oils, especially linoleate residues, can lead to their oligomerization with exposure to oxygen and light, use on weapons could lead toformation o fsolid residues (gum) with time. The more UV and oxygen, the more the oil will degrade.” (Ex. C at 3-4, emphasis in original.)

51. Based on these purported facts, Tuohy wrote that “[g]iven that people in the military are often exposed to both UV and oxygen (such as when they go outdoors) and also need corrosion protection for their firearms, I would not recommend FireClean be used by members ofthe military.” {Id. at 4.)

52. In fact, FTIR spectroscopy is not an appropriate tool to test for corrosion resistance.

53. The suggestion that FIREClean is not suitable for military use is false. The assertion that FIREClean® is not suitable for use in settings with UV, light, moisture and oxygen is false.

Again, the defendant didn’t say, “FIREClean can’t protect against corrosion and breakdown when exposed to ultraviolet radiation and oxygen.” All he did was express an opinion that was based on analysis of the product. That’s not a smear campaign.

This lawsuit, as far as I’m concerned, is entirely frivolous in nature. A lawsuit is also an improper response to diminishing profits. If FIREClean wanted to address the potential damage done by the analysis it should have publicly posted a detailed rebuttal explaining why the testing procedures were insufficient or incorrect. Under such a rebuttal the company could then explain why it found the speculative statements and opinions of Andrew and Everett to be in error.

I’ve never purchased FIREClean so I can’t make a big deal about never doing business with that company again. But I will say that I will never do business with FIREClean in the future. I also threw a few bucks towards the defendants’ GoFundMe legal defense campaign. While I can’t withhold money from a company I’ve never done business with I can give money to help people being legally targeted by it.

A Lack Of Transparency Is Killer

Yesterday Hennepin County Attorney Mike Freeman announced that officers Ringgenberg and Schwarze would not be charged in the death of Jamar Clark:

No charges will be filed against the two Minneapolis officers involved in the shooting death last fall of Jamar Clark, Hennepin County Attorney Mike Freeman announced Wednesday, citing DNA and other evidence showing Clark had a hand on one officer’s gun during a struggle and was not handcuffed when shot by a second officer.

This decision has gone over about as well as anybody could have expected. Those who wanted the officers charged are angry because they don’t believe justice was served. Those on the side of the officers are happy and believe justice was served. In the end the announcement served primarily to galvanize both sides’ biases.

Which side is right? Therein lies the problem. Because of how the investigation was handled it’s hard to know. It was another case of “We investigated ourselves and determined that we did nothing wrong.” The investigation was headed by the Bureau of Criminal Apprehension (BCA) and the Federal Bureau of Investigations (FBI), both of which are law enforcement organizations. In a time when public trust in law enforcement is at a notable low the fact that both investigating organizations are involved in law enforcement cannot go without mention. But the biggest problem is that the investigation took place behind an iron curtain.

The lack of transparency is ultimately what makes the announced findings questionable. Jury trails are by no means perfect but they do take place in the public realm (members of the public can sit in and view court cases) so all evidence and arguments are not only made available but can be witnessed as they are presented. Since the investigation into Jamar Clark’s death took place entirely behind closed doors there’s no way to verify the process that lead to the findings. Without neutral witnesses to that process there is no way to verify whether the announcement was arrived to through honest analysis of the evidence at hand or through an editing process biased in favor of the officers.

Saying an investigation came to a decision is meaningless if the integrity of the investigative process cannot be verified.

How The State Makes Us Less Secure Part MLVII

The State, by claiming to provide for the common defense and declaring a monopoly on justice, has a conflict of interest. Providing for the common defense would require it to disclose any vulnerabilities it discovers but it’s reliant on those vulnerabilities to obtain evidence to prosecute individuals accused of a crime.

Adding a new chapter to this ongoing saga is the Federal Bureau of Investigation’s (FBI) decision to fight a court order to reveal a vulnerability it used to uncover the identify of Tor users:

Last month, the FBI was ordered to reveal the full malware code used to hack visitors of a dark web child pornography site. The judge behind that decision, Robert J. Bryan, said it was a “fair question” to ask how exactly the FBI caught the defendant.

But the agency is pushing back. On Monday, lawyers for the Department of Justice filed a sealed motion asking the judge to reconsider, and also provided a public declaration from an FBI agent involved in the investigation.

In short, the FBI agent says that revealing the exploit used to bypass the protections offered by the Tor Browser is not necessary for the defense and their case. The defense, in previous filings, has said they want to determine whether the network investigative technique (NIT)—the FBI’s term for a hacking tool—carried out additional functions beyond those authorised in the warrant.

People around the world rely on tor to protect themselves from tyrannical regimes. Journalists living in countries such as Iran, China, and Thailand are only able to continue reporting on human rights violations because Tor protects their identities. Sellers and consumers of verboten drugs, neither of whom are causing involuntary harm to anybody, successfully used Tor hidden services to make their trade safer. Victims of domestic abuse rely on Tor to get access to help without being discovered by their abusers. By refusing to publish the vulnerability it used, the FBI is putting all of these individuals in danger.

On another point, I must also emphasize that that the FBI is claiming the defense doesn’t need to know this information, which speaks volumes to the egotistical nature of the agency. Who is the FBI to decide what the defense needs to know and doesn’t need to know? Being the prosecuting party should already disqualify the FBI’s opinion on the matter due to its obvious conflict of interest.

Innocent Until Proven Guilty

The second worst casualty of a major attack is the presumption of innocence. Too often people are demanding heads to role and assume anybody questioned, arrested, or charged because of an attack should be hanged. This leads to a lot of stupidity such as the xenophobia that began running rampant immediately after the attack in Brussels. Investigations take time and a lot of initial judgements based on preliminary evidence are proven wrong as this story illustrates so perfectly:

BRUSSELS — The Belgian authorities on Monday conceded another enormous blunder in their investigation into the attacks last week on Brussels. They freed a man they had charged with terrorism and murder, acknowledging that a witness had mistakenly identified as a bomber in a dark hat and white coat in an airport surveillance photo.

The man, who was arrested on Thursday and charged on Friday, was released after three days in custody, during which some officials publicly vilified him as a terrorist. On Monday, the police said that the real attacker, one of the men who blew up a departure hall at Brussels Airport, remained at large, and they issued a new plea to the public to help identify him.

The release of the man — who has been identified by the Belgian news media and Belgian officials as Fayçal Cheffou, who has called himself a freelance journalist — is a stunning setback for the Belgian authorities, who have struggled for more than a year to get a handle on the growing threat of Islamic State militants.

A lot of people were demanding gallows be built so Cheffou could be immediately executed. Had they gotten their way an innocent man would have been dead and nobody would have been any closer to determining who else was connected to the attack in Brussels. This is why the presumption of innocence is important, especially in high profile event such as this one.

I know everybody hates to hear it but the only appropriate way to respond to the aftermath of an attack is to have patience. Nothing is gained by rash responses. In fact rash responses often cause the same thing as the initial attacks: innocent people being injured or killed.