A Geek With Guns

Chronicling the depravities of the State.

Archive for the ‘News You Need to Know’ Category

Degrees of Anonymity

without comments

When a service describes itself as anonymous how anonymous is it? Users of Yik Yak may soon have a chance to find out:

Yik Yak has laid 70 percent of employees amid a downturn in the app’s growth prospects, The Verge has learned. The three-year-old anonymous social network has raised $73.5 million from top-tier investors on the promise that its young, college-age network of users could one day build a company to rival Facebook. But the challenge of growing its community while moving gradually away from anonymity has so far proven to be more than the company could muster.

[…]

But growth stalled almost immediately after Sequoia’s investment. As with Secret before it, the app’s anonymous nature created a series of increasingly difficult problems for the business. Almost from the start, Yik Yak users reported incidents of bullying and harassment. Multiple schools were placed on lockdown after the app was used to make threats. Some schools even banned it. Yik Yak put tools in place designed to reduce harassment, but growth began to slow soon afterward.

Yik Yak claimed it was an anonymous social network and on the front end the data did appear anonymous. However, the backend may be an entirely different matter. How much information did Yik Yak regularly keep about its users? Internet Protocol (IP) addresses, Global Positioning System (GPS) coordinates, unique device identifiers, phone numbers, and much more can be easily collected and transmitted by an application running on your phone.

Bankruptcy is looking like a very real possibility for Yik Yak. If the company ends up filing then its assets will be liquidated. In this day and age user data is considered a valuable asset. Somebody will almost certainly end up buying Yik Yak’s user data and when they do they may discover that it wasn’t as anonymous as users may have thought.

Not all forms of anonymity are created equal. If you access a web service without using some kind of anonymity service, such as Tor or I2P, then the service has some identifiable information already such as your IP address and a browser fingerprint. If you’re access the service through a phone application then that application may have collected and transmitted your phone number, contacts list, and other identifiable information (assuming, of course, the application has permission to access all of that data, which it may not depending on your platform and privacy settings). While on the front end of the service you may appear to be anonymous the same may not hold true for the back end.

This issue becomes much larger when you consider that even if your data is currently being held by a benevolent company that does care about your privacy that may not always be the case. Your data is just a bankruptcy filing away from falling into the hands of somebody else.

Written by Christopher Burg

December 9th, 2016 at 10:00 am

So Much for Farook’s Phone

without comments

Shortly after the attack in San Bernardino the Federal Bureau of Investigations (FBI) tried to exploit the tragedy in order to force Apple to assist it in unlocking Syed Rizwan Farook’s iPhone. According to the FBI Farook’s phone likely contained information that would allow them to find his accomplices, motives, and basically solve the case. Apple refused to give the FBI the power to unlock any iPhone 5C willy nilly but the agency eventually found a third party that had an exploit that would allow the built-in security to be bypassed.

One year later the FBI hasn’t solved the case even with access to Farook’s iPhone:

They launched an unprecedented legal battle with Apple in an effort to unlock Farook’s iPhone and deployed divers to scour a nearby lake in search of electronic equipment the couple might have dumped there.

But despite piecing together a detailed picture of the couple’s actions up to and including the massacre, federal officials acknowledge they still don’t have answers to some of the critical questions posed in the days after the Dec. 2, 2015, attack at the Inland Regional Center.

Most important, the FBI said it is still trying to determine whether anyone was aware of the couple’s plot or helped them in any way. From the beginning, agents have tried to figure out whether others might have known something about Farook and Malik’s plans, since the couple spent months gathering an arsenal of weapons and building bombs in the garage of their Redlands home.

Officials said they don’t have enough evidence to charge anyone with a crime but stressed the investigation is still open.

This shouldn’t be surprising to anybody. Anybody who had the ability to plan out an attack like the one in San Bernardino without being discovered probably had enough operational security to not use an easily surveilled device such as a cellular phone for the planning. Too many people, including those who should know better, assume only technological wizards have the knowhow to plan things without using commonly surveilled communication methods. But that’s not the case. People who are committed to pulling off a planned attack that includes coordination with third parties are usually smart enough to do their research and utilize communication methods that are unlikely to be accessible to prying eyes. It’s not wizardry, it’s a trick as old as human conflict itself.

Humans are both unpredictable and adaptable, which is what makes mass surveillance useless. When an agency such as the National Security Agency (NSA) performs mass surveillance they get an exponentially greater amount of noise than signal. We’re not even talking about a 100:1 ratio. It would probably be closer to 1,000,000,000,000:1. Furthermore, people with enough intelligence to pull off coordinated attacks are usually paranoid enough to assume the most commonly available communication mechanisms are being surveilled so they adapt. Mass surveillance works well if you want a lot of grandmothers’ recipes, Internet memes, and insults about mothers made by teenagers. But mass surveillance is useless if you’re trying to identify individuals who are a significant threat. Sure, the NSA may get lucky once in a while and catch somebody but that’s by far the exception, not the rule. The rule, when it comes to identifying and thwarting significant threats, is that old fashioned investigative techniques must be employed.

Written by Christopher Burg

December 6th, 2016 at 11:00 am

Take Care of Yourself

with 3 comments

Anybody who has worked in system administration, software development, or information security is probably familiar with the stereotypical “rockstar” employee. These are the employees that are too busy to eat, work ridiculously long hours, and replace sleep with caffeine. They’re often held up on a pedestal by other “rockstars” and sometimes even admired by their fellow coworkers and managers. Unfortunately, they also the model many computer science students strive to be.

The problem with these “rockstars” is that they have a short shelf life. You can only keep up that lifestyle for so long until you start facing major health issues, which is why I was happy to see Lesley Carhart write a short post aimed at hackers offering them advice to take care of themselves. Computer science disciplines need more people discussing the importance of taking care of yourself.

I’ve never been much for the “rockstar” lifestyle. I like getting a decent amount of sleep (which is about six hours for me) each night, socializing, eating decent food, exercising (which I’ve started to take very seriously this year), and not dealing with work during my off hours. While this lifestyle hasn’t made me a millionaire I can say that my quality of life is pretty awesome.

Don’t spend every waking hour working. Take time off for lunch. Eat a decent supper. Try to workout at least a few times per week. Go out with friends and do something not related to work. Go to bed at a decent hour so you can get some actual sleep. Not only will your qualify of life improve but your ability to handle stress, such as those days where you absolutely have to put in long hours at work or those days where you get sick, will be greatly improved as well.

Written by Christopher Burg

December 6th, 2016 at 10:00 am

Posted in News You Need to Know

Tagged with

It was Going to Happen Eventually

with 8 comments

Whenever there is an attack on a school or college campus most people tend to focus on the tool used by the attacker. So far we’ve been fortunate that a majority of these attackers have preferred firearms to explosives, which have the potential to cause far more damage and are only addressed in a limited capacity by current security measures. Unfortunately, yesterday an attacker decided to utilize an automobile and knife to attack the Ohio State University:

Police are investigating whether an attack at Ohio State University which left 11 injured was an act of terror.

Abdul Razak Ali Artan, 18, rammed his car into a group of pedestrians at the college and then began stabbing people before police shot him dead on Monday.

This is the second major incident where a knife was one of the weapons used by the attacker. A few months ago a guy went on a rampage with a knife in St. Cloud (and the police were good enough to lockdown the mall so people were trapped inside with the attacker). But this is the first time, at least in recent history, that this type of attack was perpetrated in part with one of the most dangerous commonly available weapons, an automobile.

The amount of energy something has is based on its mass and velocity. A 230 grain .45 bullet traveling at 900 feet per second will give you 414 foot pounds of energy. A 124 grain 9mm bullet traveling at 1,200 feet per second will give you 384 foot pounds of energy. A 1.5 ton vehicle moving at 30 miles per hour will give you 90,259 foot pounds of energy. As you can see, a vehicle can deliver a tremendous amount of energy and therefore can deliver a tremendous amount of damage. On top of that a vehicle provides the driver with some amount of protection against police weapons (in part because it’s capable of moving fast, in part because part of the driver is concealed, and in part because the engine block can protect the driver from a lot of types of commonly used ammunition). And then there’s the fact that an automobile contains combustable fuel.

So far people have been fortune that most of these attackers have opted for firearms on foot rather than using a vehicle. Even in this case the amount of damage the attacker could have caused was reduced because he opted to exit the vehicle and continue is rampage on foot with a knife.

Fortunately, it doesn’t appear as though the attacker had much success. He did manage to injure 11 people but so far it appears that he didn’t kill anybody. However, if the next attacker decides to study previous attacks to learn from them they could leave a bodycount in their wake. So the big question is, what can be done?

Of course colleges can try to hinder automobiles from entering the campus by erecting concrete pillars akin to those in front of many stores. But maintenance and delivery people often need to get vehicles on campus so some means of access has to remain. And blocking vehicle traffic will only cause an attacker to seek another tool. The only real defense against these kinds of attacks is a decentralized response system. One of the biggest weaknesses that allows these attacks to meet a high degree of success is the highly centralized security measures currently in place. When one of these attacks starts an alert is sent to the police. The police then need to get to the location of the attack, find the attacker, and engage them. This usually means that the attacker has several minutes of free reign. The faster the attacker can be engaged the less time they have to perpetuate their indiscriminate attack. Any further centralized security measures will meet with limited success. At most they will force an attacker to change their strategy to something not addressed by the centralized system.

Obviously legalizing the carrying of firearms on campus is a good start. Permit holders add a great deal of uncertainty for attackers because anybody could potentially engage them. Since permit holders don’t wear obvious uniforms an attacker also can’t know which individuals to take out first (and by surprise so the unformed security person doesn’t have a chance to respond). Another thing that can be done to make these attacks more difficult is getting rid of the shelter in place concept. Sheltering in place can be an effective defensive strategy if the people sheltering have a means of defending themselves. If they don’t then they’re basically fish in a barrel if the attacker finds them and gains entry to their shelter (although in the case of a vehicle sheltering in place can be effective, especially in a relatively hardened building like those on many college campuses).

Written by Christopher Burg

November 29th, 2016 at 11:00 am

Who Would Have Guessed

without comments

Americans love torture. Republicans are at least honest about this as they campaign to bring back waterboarding but the Democrats love it as well so long as their guy is in charge of it. During the campaign Donald Trump stated that he wanted to bring waterboarding back. Hopefully he changed his mind about that though. Waterboarding was one of the things discussed in Trumps meeting with James Mattis and Mattis pointed out the bloody obvious:

Trump said that the advice from Mattis, a front-runner for the defense secretary post in a Trump administration, would weigh heavily on whether he will go forward with campaign pledges to bring back waterboarding and torture in interrogations by the military and the CIA.

In his meeting last week with the man he calls “Mad Dog Mattis,” Trump said he asked, “What do you think of waterboarding? He said — I was surprised — he said, ‘I’ve never found it to be useful.’ ”

Trump said Mattis told him, ” ‘I’ve always found, give me a pack of cigarettes and a couple of beers and I do better with that than I do with torture.’ “

Who would have guessed that treating somebody at least somewhat decently would net you more reliable information than beating them until they told you what they thought you wanted to hear in the hopes that you’d stop beating them?

Statists seem to believe that if violence isn’t solving your problem then you’re not using enough of it. But violence doesn’t solve all problems. For example, if you want to get reliable information out of somebody beating it out of them isn’t the way to go. When you start beating them they will simply tell you what they think you want to hear, not what is truthful. On the other hand, if you build a relationship with them that makes them feel positive about you then they’re more apt to give you reliable information because they like you and want to make you happy. It’s the same reason why bombing a people until they like you is much more difficult than establishing positive business relationships with them via trade.

Written by Christopher Burg

November 29th, 2016 at 10:30 am

Karma is a Bitch

with one comment

A few months back Geofeedia was discovered to be buying user data on social networking sites and selling it to law enforcers. Needless to say, this didn’t go over well with anybody but law enforcers. Most of the social networking sites cut Geofeedia off. Apparently surveillance was the company’s only revenue stream because the company announced that it laid off half of its staff:

Chicago-based Geofeedia, a CIA-backed social-media monitoring platform that drew fire for enabling law enforcement surveillance, has let go 31 of its approximately 60 employees, a spokesman said Tuesday.

[…]

Geofeedia cut the jobs, mostly in sales in the Chicago office, in the third week of October, the spokesman said. It has offices in Chicago, Indianapolis and Naples, Fla. The cuts were first reported by Crain’s Chicago Business.

An emailed statement attributed to CEO Phil Harris said Geofeedia wasn’t “created to impact civil liberties,” but in the wake of the public debate over their product, they’re changing the company’s direction.

You have to love the claim that Geofeedia wasn’t created to impact civil libertarians even though the company’s only product was selling data to law enforcers. When you make yourself part of the police state you implicitly involve yourself in impacting civil liberties. I really hope the company goes completely bankrupt over this.

It’s also nice to see services like Facebook and Twitter cut off companies involved in surveillance. One of my biggest concerns is the way private surveillance becomes public surveillance. This issue is exacerbated by the fact that private surveillance companies stand to profit heavily by handing over their data to the State.

Written by Christopher Burg

November 23rd, 2016 at 10:00 am

The Surveillance State Hidden in Plain Sight

with one comment

Everybody should have been suspicious of the giant unadorned building in New York City that looks like something ripped right out of the 1984 movie. As it turns out the building’s appearance betrays its purpose as it is part of the Orwellian surveillance state:

THEY CALLED IT Project X. It was an unusually audacious, highly sensitive assignment: to build a massive skyscraper, capable of withstanding an atomic blast, in the middle of New York City. It would have no windows, 29 floors with three basement levels, and enough food to last 1,500 people two weeks in the event of a catastrophe.

But the building’s primary purpose would not be to protect humans from toxic radiation amid nuclear war. Rather, the fortified skyscraper would safeguard powerful computers, cables, and switchboards. It would house one of the most important telecommunications hubs in the United States — the world’s largest center for processing long-distance phone calls, operated by the New York Telephone Company, a subsidiary of AT&T.

[…]

Documents obtained by The Intercept from the NSA whistleblower Edward Snowden do not explicitly name 33 Thomas Street as a surveillance facility. However — taken together with architectural plans, public records, and interviews with former AT&T employees conducted for this article — they provide compelling evidence that 33 Thomas Street has served as an NSA surveillance site, code-named TITANPOINTE.

Inside 33 Thomas Street there is a major international “gateway switch,” according to a former AT&T engineer, which routes phone calls between the United States and countries across the world. A series of top-secret NSA memos suggest that the agency has tapped into these calls from a secure facility within the AT&T building. The Manhattan skyscraper appears to be a core location used for a controversial NSA surveillance program that has targeted the communications of the United Nations, the International Monetary Fund, the World Bank, and at least 38 countries, including close U.S. allies such as Germany, Japan, and France.

TITANPOINTE? Again, we have a National Security Agency (NSA) codename that sounds really stupid. Considering how obvious they were trying to be with the building design and such were I the NSA I’d have just called the project BIGBROTHER.

TITANPOINTE appears to be another example of the public-private surveillance partnership I periodically bring up. While all of the cellular providers are in bed with the State to some extent, AT&T appears to have a very special relationship with the NSA. From Room 641A to 33 Thomas Street we have seen AT&T grant the NSA complete access to its services. This means that any surveillance performed by AT&T, which is often considering “safe” surveillance by many libertarians because it’s done by a private entity, becomes NSA surveillance without so much as a court order. Since your phone calls and text messages are available to AT&T they’re also available to the NSA.

Fortunately, you can take some measures to reduce the information available to AT&T and the NSA. While standard phone calls and text messages are insecure, there are several secure communication tools available to you. Apple’s iMessage is end-to-end encrypted (but if you backup to iCloud your messages are backed up in plaintext and therefore available to Apple) as are WhatsApp and Signal. I generally recommend Signal for secure messaging because it’s easy to use, the developers are focused on providing a secure service, and it has a desktop application so you can use it from your computer. None of these applications are magic bullets that will fix all of your privacy woes but they will reduce the amount of information AT&T and the NSA can harvest from their position in the communication routing system.

Written by Christopher Burg

November 22nd, 2016 at 10:30 am

Jeronimo Yanez Being Charged in the Death of Philando Castile

with one comment

In July Philando Castile was killed during a traffic stop by Officer Jeronimo Yanez. One of the things that made this shooting different is that Castile’s girlfriend, Diamond Reynolds, live streamed the aftermath of the shooting. Another thing that made this shooting different is the fact that Castile had a carry permit so the usual go to justifications used by cop apologists, such as claiming the victim had a history of violence, couldn’t be used to excuse the shooting.

Yesterday, in a rather surprising turn of events considering the history of officer involved shootings, Ramsey County Attorney John Choi announced that Yanez would be charged:

Ramsey County Attorney John Choi announced Wednesday that he has charged police officer Jeronimo Yanez in the July 6 killing of Philando Castile during a traffic stop in Falcon Heights.

Yanez is charged by the Ramsey County Attorney’s Office with second-degree manslaughter and two felony counts for dangerous discharge of a firearm near the passengers in the car at the time of the shooting.

You can read the filed charges here [PDF]. The evidence, which includes the dashcam footage from the officer’s car, brought fourth by the prosecution team is pretty damning. According to the filing between 9:05:52 PM and 9:05:55 PM Castile calmly informed Yanez that he was carrying a firearm. By 9:06:02 PM Yanez had unloaded seven rounds into Castile. Further reading shows that the firearm Castile was carrying was still firmly in his pocket as the medical team removed it when they were placing him on a backboard.

I’m sure this case will get a decent amount of coverage but I’ll do my best to keep everybody updated regardless.

I also think that it’s important to discuss the matter of how permit holders should handle themselves when interacting with the police. In Minnesota you are not required to divulge the fact that you’re carrying a firearm to an officer unless they specifically ask you if you’re carrying. There are two schools of thought on how permit holders should respond if pulled over by an officer. The first school of thought is that you should, as a courtesy, voluntarily inform the officer that you’re carrying and ask them how they want you to proceed. The second school of though, which I subscribe to, is that you should keep your mouth shut unless the officer asks if you’re carrying. Castile’s death illustrates one of the risks of voluntarily divulging such information as it seems that immediately after being informed Yanez went from calm to trigger happy. You have to decide how you will handle interactions with police officers yourself but I would prefer if you made the decision after being informed of the risks.

Written by Christopher Burg

November 17th, 2016 at 11:00 am

They’re the Only Ones with Enough Training

with one comment

Many advocates for gun control really don’t want gun control, they want to give law enforcers and the military a monopoly on possessing firearms. When you point out this hypocritical stance gun control advocates are quick to claim that those two groups of individuals are the only ones with enough training to responsibly own and carry firearms. However, despite their claims, we keep reading stories like this:

AUBURN, MI — A teacher was struck by a bullet when a Bay County Sheriff’s deputy fired a gun inside a high school classroom last week.

The shooting occurred at about 12:30 p.m. on Friday, Nov. 11, inside Bay City Western High School, 500 W. Midland Road. The deputy, a school resource officer, was in a room by himself when he negligently discharged a gun, said Michigan State Police Special 1st Lt. David Kaiser.

The bullet went through at least one wall and struck a female teacher in an adjacent room, Kaiser said.

“The teacher was struck in the neck area, but she was not injured,” Kaiser said. “The round did not break the skin.”

Why was the officer playing with his firearm? Even rudimentary training would have taught the officer that you leave your firearm in your holster unless you need to use it. Failing to do is can lead to a negligent discharge that his some poor teacher’s neck with a bullet.

Time and again we see stories involving officers negligently discharging firearms. This either shows a severe lack of training in many departments or that officers feel as though they can disregard their training. The latter seems plausible because officers common avoid suffering consequences for bad behavior, which is part of why I find gun control advocate’s willingness to allow police officers to remain armed so hypocritical. As a non-police officer I usually have to face the consequences of my bad decisions. If I negligently discharge a firearm and hit somebody I will likely end up facing some kind of criminal charge and then face a civil lawsuit if I hit somebody. Officers seldom have to face such issues. That being the case, I am going to be safer on average with a firearm than most police officers.

Written by Christopher Burg

November 17th, 2016 at 10:00 am

Too Good to be True

without comments

If something sounds like it’s too good to be true it probably is. For example, if you come across a decently specced Android phone that costs $50 chances are the manufacturer is making money on it in some other way, such as surveilling the user to sell their information:

WASHINGTON — For about $50, you can get a smartphone with a high-definition display, fast data service and, according to security contractors, a secret feature: a backdoor that sends all your text messages to China every 72 hours.

Security contractors recently discovered preinstalled software in some Android phones that monitors where users go, whom they talk to and what they write in text messages. The American authorities say it is not clear whether this represents secretive data mining for advertising purposes or a Chinese government effort to collect intelligence.

Is the data being used for advertising or for the Chinese government? Why not both? If the Chinese government is anything like the United States government it’s willing to pay a pretty penny to coax companies into spying on users. I doubt this scam is solely for intelligence gathering since it’s a high cost (manufacturing lots of handsets) strategy with no guarantee of return (how do you convince people with intelligence worth harvesting to use one of these unknown Android phones over an iPhone) but the collected data very well may be sent off to the Chinese government.

This story goes along with the There Ain’t No Such Thing as a Free Lunch (TANSTAAFL) principle. If you’re using a product or service for free then chances are that you’re the product. Likewise, if you’re using a product or service that appears to be subsidized then the provider is making money back some other way. In the case of cellular network providers subsidized phones were a convenient way to lock customers into two year contracts. In the case of handset manufacturers phones can be subsidized by collecting user data to sell to advertisers.

Written by Christopher Burg

November 16th, 2016 at 10:00 am