A Geek With Guns

Discount security adviser to the proles.

Archive for the ‘Technology’ Category

Technology Empowers Individuals

with one comment

In all regions of the planet having sex is legal. But in many regions being paid to have sex is illegal. Some of those areas have a caveat where you can legally be paid for sex but you have to be filmed doing it. Either way, governmental restrictions on sex work have made the trade more dangerous. Many sex workers have been relegated to operating under the authority of abusive pimps. However, technology is changing that:

Soon after Kate ran into trouble at the nightclub—like many other fresh-faced high school girls in Hong Kong today—she discovered online forums to run her own business as a sex worker. On HK Big Man and HK Mensa, where ads are proliferating every day, so-called “compensated daters” offer their services without the help of a middleman.

Bowie Lam Po-yee, who runs an organization called Teen’s Key that provides outreach for these girls, says that it’s common for one girl to find an ad she likes, and then copy it—with just minor adjustments. Then, girls leave their contact information and negotiate where they’ll meet and how much they’ll charge. It’s easier to evade the cops that way: they’re less likely to be caught for solicitation if they’ve checked a client out to see if he’s legitimate. Police can be obvious as to their identity when it comes to brokering a deal over a chat app.

The job of a pimp has been to market sex workers and they often use their position abusively. Ubiquitous communication technology allows sex workers to market themselves. Forums, smartphones, and chat applications allow sex workers to cut out the middle man, which allows them to keep all of the profits and not be reliant on abusive individuals.

This isn’t just true for sex workers. Online communication technology has also made the drug trade safer. Technology often acts as a balance to the State. When the State makes a market more dangerous by declaring it illegal, technology helps make it safe again.

Written by Christopher Burg

August 19th, 2016 at 10:30 am

You Ought to Trust the Government with the Master Key

with one comment

The Federal Bureau of Investigation (FBI) director, James Comey, has been waging a war against effective cryptography. Although he can’t beat math he’s hellbent on trying. To that end, he and his ilk have proposed schemes that would allow the government to break consumer cryptography. One of those schemes is called key escrow, which requires that anything encrypted by a consumer device be decipherable with a master key held by the government. It’s a terrible scheme because any actor that obtains the government’s master key will also be able to decrypt anything encrypted on a consumer device. The government promises that such a key wouldn’t be compromised but history shows that there are leaks in every organization:

A FBI electronics technician pleaded guilty on Monday to having illegally acted as an agent of China, admitting that he on several occasions passed sensitive information to a Chinese official.

Kun Shan Chun, also known as Joey Chun, was employed by the Federal Bureau of Investigation since 1997. He pleaded guilty in federal court in Manhattan to one count of having illegally acted as an agent of a foreign government.

Chun, who was arrested in March on a set of charges made public only on Monday, admitted in court that from 2011 to 2016 he acted at the direction of a Chinese official, to whom he passed the sensitive information.

If the FBI can’t even keep moles out of its organization how are we supposed to trust it to guard a master key that would likely be worth billions of dollars? Hell, the government couldn’t even keep information about the most destructive weapons on Earth from leaking to its opponents. Considering its history, especially stories like this one involving government agents being paid informants for other governments, there is no way to reasonably believe that a master key to all consumer encryption wouldn’t get leaked to unauthorized parties.

Written by Christopher Burg

August 3rd, 2016 at 10:00 am

Americans aren’t Ready for Most Things

with 3 comments

One of the worst characteristics of American society, which is probably common in most societies, is the popular attitude of resisting change. Many Americans resist automation because they’re afraid that it will take people’s jobs. Many Americans resist genetically modified crops because they think nature actually gives a shit about them and therefore produces pure, healthy foodstuffs. Many Americans resist wireless communications because their ignorance of how radiation works has convinced them that anything wireless causes cancer.

With such a history of resisting advancement I’m not at all surprised to read that most Americans are resistant to human enhancement:

Around 66 and 63 percent of the respondents even said that they don’t want to go through brain and blood enhancements (respectively) themselves. They were more receptive to the idea of genetically modifying infants, though, with 48 percent saying they’re cool with making sure newly born humans won’t ever be afflicted with cancer and other fatal illnesses. Most participants (73 percent) are also worried about biotech enhancers’ potential to exacerbate inequality. Not to mention, there are those who believe using brain implants and blood transfusions to enhance one’s capabilities isn’t morally acceptable.

The concern about exacerbating inequality really made me guffaw. Few pursuits could reduce inequality as much as biotech. Imagine a world where paralysis could be fixed with a quick spinal implant. Suddenly people who were unable to walk can become more equal with those of us who can. Imagine a world where a brain implant could help people with developmental disabilities function as an average adult. Suddenly people suffering from severe autism can function at the same level as those of us not suffering from their disability. Imagine a world where a brain implant can bypass the effects of epilepsy or narcolepsy. Suddenly people who cannot drive due to seizures or falling asleep uncontrollably can drive.

Human enhancement can do more to create equality amongst people than anything else. Physical and mental disparities can be reduced or even eliminated. Anybody who can’t see that is a fool. Likewise, any moral system that declares self-improvement immoral is absurd in my opinion. Fortunately, the future doesn’t give two shits about opinion polls and the technology will advance one way or another.

Written by Christopher Burg

July 28th, 2016 at 11:00 am

All Full-Disk Encryption isn’t Created Equal

without comments

For a while I’ve been guarded when recommending Android devices to friends. The only devices I’ve been willing to recommend are those like the Google Nexus line that receive regular security updates in a timely manner. However, after this little fiasco I don’t know if I’m willing to recommend any Android device anymore:

Privacy advocates take note: Android’s full-disk encryption just got dramatically easier to defeat on devices that use chips from semiconductor maker Qualcomm, thanks to new research that reveals several methods to extract crypto keys off of a locked handset. Those methods include publicly available attack code that works against an estimated 37 percent of enterprise users.

A blog post published Thursday revealed that in stark contrast to the iPhone’s iOS, Qualcomm-powered Android devices store the disk encryption keys in software. That leaves the keys vulnerable to a variety of attacks that can pull a key off a device. From there, the key can be loaded onto a server cluster, field-programmable gate array, or supercomputer that has been optimized for super-fast password cracking.

[…]

Beniamini’s research highlights several other previously overlooked disk-encryption weaknesses in Qualcomm-based Android devices. Since the key resides in software, it likely can be extracted using other vulnerabilities that have yet to be made public. Beyond hacks, Beniamini said the design makes it possible for phone manufacturers to assist law enforcement agencies in unlocking an encrypted device. Since the key is available to TrustZone, the hardware makers can simply create and sign a TrustZone image that extracts what are known as the keymaster keys. Those keys can then be flashed to the target device. (Beniamini’s post originally speculated QualComm also had the ability to create and sign such an image, but the Qualcomm spokeswoman disputed this claim and said only manufacturers have this capability.)

Apple designed its full-disk encryption on iOS very well. Each iOS device has a unique key referred to as the device’s UID that is mixed with whatever password you enter. In order to brute force the encryption key you need both the password and the device’s UID, which is difficult to extract. Qualcomm-based devices rely on a less secure scheme.
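A simplified model of that difference, added here as an illustration (it is not Apple's or Qualcomm's code; the class and function names, the 4-digit passcode and the key-check value are constructed assumptions). The software-only case models what happens once every input to the key derivation has been copied off the device; the hardware-bound case mixes in a per-device secret that never leaves the chip.

```python
import hashlib
import hmac
import os

ITERATIONS = 100  # deliberately tiny so the demo finishes quickly


def stretch(passcode: str, salt: bytes) -> bytes:
    """Slow the derivation down with PBKDF2 (passcode + salt stored on flash)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, ITERATIONS)


class DeviceKeyHardware:
    """Stand-in for hardware holding a per-device UID that cannot be read out."""

    def __init__(self) -> None:
        self._uid = os.urandom(32)

    def entangle(self, data: bytes) -> bytes:
        # Only the result leaves the hardware, never the UID itself.
        return hmac.new(self._uid, data, hashlib.sha256).digest()


def software_only_key(passcode: str, salt: bytes) -> bytes:
    return stretch(passcode, salt)


def hardware_bound_key(passcode: str, salt: bytes, hw: DeviceKeyHardware) -> bytes:
    return hw.entangle(stretch(passcode, salt))


def key_check(key: bytes) -> bytes:
    """Constructed stand-in for 'does this key unlock the volume?'."""
    return hashlib.sha256(b"volume-check" + key).digest()


def search_passcodes(check_value: bytes, derive):
    """Try every 4-digit passcode with whatever derivation is available."""
    for n in range(10_000):
        guess = f"{n:04d}"
        if hmac.compare_digest(key_check(derive(guess)), check_value):
            return guess
    return None


def demo():
    salt = os.urandom(16)
    passcode = "4821"  # constructed sample passcode
    device_hw = DeviceKeyHardware()
    sw_check = key_check(software_only_key(passcode, salt))
    hw_check = key_check(hardware_bound_key(passcode, salt, device_hw))

    # Off-device: salt and check values were copied from storage, the UID was not.
    off_device_sw = search_passcodes(sw_check, lambda g: software_only_key(g, salt))
    other_hw = DeviceKeyHardware()  # any machine that is not the original device
    off_device_hw = search_passcodes(
        hw_check, lambda g: hardware_bound_key(g, salt, other_hw)
    )
    # On the original device the correct passcode still unlocks the volume.
    on_device_ok = hmac.compare_digest(
        key_check(hardware_bound_key(passcode, salt, device_hw)), hw_check
    )
    return off_device_sw, off_device_hw, on_device_ok


if __name__ == "__main__":
    print(demo())
```

With the hardware-bound derivation every guess has to be run through the original device, so the device's own rate limits apply instead of the speed of a cracking cluster.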

But this problem has two parts. The first part is the vulnerability itself. Full-disk encryption isn’t a novel idea. Schemes for properly implementing full-disk encryption have been around for a while now. Qualcomm not following those schemes puts into question the security of any of their devices. Now recommending a device involves ensuring both that the handset manufacturer releases updates in a timely manner and that it isn’t using a Qualcomm chipset. The second part is the usual Android problem of security patch availability being hit or miss:

But researchers from two-factor authentication service Duo Security told Ars that an estimated 37 percent of all the Android phones that use the Duo app remain susceptible to the attack because they have yet to receive the patches. The lack of updates is the result of restrictions imposed by manufacturers or carriers that prevent end users from installing updates released by Google.

Apple was smart when it refused to allow the carriers to be involved in the firmware of iOS devices. Since Apple controls iOS with an iron fist it also prevents hardware manufacturers from interfering with the availability of iOS updates. Google wanted a more open platform, which is commendable. However, Google failed to maintain any real control over Android, which has left users at the mercy of the handset manufacturers. Google would have been smart to restrict the availability of its proprietary applications to manufacturers who make their handsets pull Android updates directly from Google.

Written by Christopher Burg

July 5th, 2016 at 10:30 am

The Phones Have Ears

with one comment

Smartphones are marvelous devices but they also collect a great deal of personal information about us. Data stored locally can be encrypted but data that is uploaded to third party servers is at the mercy of the security practices of the service provider. If your mobile phone, for example, uploads precise location information to Google’s servers then Google has that information and can be compelled to provide it to law enforcers:

So investigators tried a new trick: they called Google. In an affidavit filed on February 8th, nearly a year after the initial robbery, the FBI requested location data pulled from Graham’s Samsung Galaxy G5. Investigators had already gone to Graham’s wireless carrier, AT&T, but Google’s data was more precise, potentially placing Graham inside the bank at the time the robbery was taking place. “Based on my training and experience and in consultation with other agents,” an investigator wrote, “I believe it is likely that Google can provide me with GPS data, cell site information and Wi-fi access points for Graham’s phone.”

That data is collected as the result of a little-known feature in Google Maps that builds a comprehensive history of where a user has been — information that’s proved valuable to police and advertisers alike. A Verge investigation found affidavits from two different cases from the last four months in which police have obtained court orders for Google’s location data. (Both are embedded below.) Additional orders may have been filed under seal or through less transparent channels.

This problem isn’t unique to location data on Android devices. Both Android and iOS have the ability to back up data to “the cloud” (Google and Apple’s servers respectively). While the data is encrypted in transport, it is not stored on the servers in an encrypted format, at least not an encrypted format that prevents Google or Apple from accessing the data. As Apple mentioned in the Farook case, had the Federal Bureau of Investigation (FBI) not fucked up by resetting Farook’s iCloud password, it would have been feasible to get the phone to back up to iCloud and then Apple could have provided the FBI with the backed up data. Since the backed up data contains information such as plain text transcripts of text messages the feature effectively bypasses the security offered by iMessage. Android behaves the same way when it backs up data to Google’s servers. Because of this users should be wary of using online backup solutions if they want to keep their data private.

As smartphones continue to proliferate and law enforcers realize how much data the average smartphone actually contains we’re going to see more instances of warrants being used to collect user information stored on third party servers.

Written by Christopher Burg

June 2nd, 2016 at 10:30 am

If It Isn’t Broken, Don’t Fix It

with one comment

When it comes to effective technology the federal government has a dismal record. Recently news organizations have been flipping out over a report that noted that the federal government is still utilizing 8″ floppy disks for its nuclear weapons program:

The U.S. Defense Department is still using — after several decades — 8-inch floppy disks in a computer system that coordinates the operational functions of the nation’s nuclear forces, a jaw-dropping new report reveals.

The Defense Department’s 1970s-era IBM Series/1 Computer and long-outdated floppy disks handle functions related to intercontinental ballistic missiles, nuclear bombers and tanker support aircraft, according to the new Government Accountability Office report.

The department’s outdated “Strategic Automated Command and Control System” is one of the 10 oldest information technology investments or systems detailed in the sobering GAO report, which calls for a number of federal agencies “to address aging legacy systems.”

I’m not sure why that report is “jaw-dropping.” There is wisdom in updating systems incrementally as key components become obsolete. There is also wisdom in not fixing something that isn’t broken.

This reminds me of the number of businesses and banks that still rely on software written in COBOL. A lot of people find it odd that these organizations haven’t upgraded their systems to the latest and greatest. But replacing a working system that has been debugged and fine tuned for decades is an expensive prospect. All of the work that was done over those decades is effectively thrown out. Whatever new system is developed to replace the old system will have to go through a painful period of fine tuning and debugging. Considering that and considering the current systems still fulfill their purposes, why would an organization sink a ton of money into replacing them?

The nuclear program strikes me as the same thing. While 8″ floppy disks and IBM Series/1 computers are ancient, they seem to be fulfilling their purpose. More importantly, those systems have gone through decades of fine tuning and debugging, which means they’re probably more reliable than any replacement system would be (and reliability is pretty important when you’re talking about weapons that can wipe out entire cities).

Sometimes old isn’t automatically bad, even when you’re talking about technology.

Written by Christopher Burg

May 27th, 2016 at 10:00 am

Posted in Technology

Fly, You Fools

without comments

In addition to creating fake terrorist attacks so it can claim glory by thwarting them, the Federal Bureau of Investigation (FBI) also spends its time chasing brilliant minds out of the country:

FBI agents are currently trying to subpoena one of Tor’s core software developers to testify in a criminal hacking investigation, CNNMoney has learned.

But the developer, who goes by the name Isis Agora Lovecruft, fears that federal agents will coerce her to undermine the Tor system — and expose Tor users around the world to potential spying.

That’s why, when FBI agents approached her and her family over Thanksgiving break last year, she immediately packed her suitcase and left the United States for Germany.

Because of the State’s lust for power, the United Police States of America are becoming more hostile towards individuals knowledgeable in cryptography. The FBI went after Apple earlier this year because the company implemented strong cryptography so it’s not too surprising to see that the agency has been harassing a developer who works on an application that utilizes strong cryptography. Fortunately, she was smart enough to flee before the FBI got a hold of her so none of its goons were able to slap her with a secret order or any such nonsense.

What’s especially interesting about Isis’ case is that the FBI wouldn’t tell her or her lawyer the reason it wanted to talk to her. It even went so far as to tell her lawyer that if agents found her on the street they would interrogate her without his presence. That’s some shady shit. Isis apparently wasn’t entirely dense though and decided it was time to go while the going was good. As this country continues to expand its police state don’t be afraid to follow her example.

Written by Christopher Burg

May 19th, 2016 at 10:30 am

Linksys Won’t Lock Out Third-Party Firmware

without comments

The Federal Communications Commission (FCC), an agency that believes it has a monopoly on the naturally occurring electromagnetic spectrum, decreed that all Wi-Fi router manufacturers are now responsible for enforcing the agency’s restrictions on spectrum use. Any manufacturer that fails to be the enforcement arm of the FCC will face consequences (being a government agency must be nice, you can just force other people to do your work for you).

Most manufacturers have responded to this decree by taking measures that prevent users from loading third-party firmware of any sort. Such a response is unnecessary and goes beyond the demands of the FCC. Linksys, fortunately, is setting the bar higher and will not lock out third-party firmware entirely:

Next month, the FCC will start requiring manufacturers to prevent users from modifying the RF (radio frequency) parameters on Wi-Fi routers. Those rules were written to stop RF-modded devices from interfering with FAA Doppler weather radar systems. Despite the restrictions, the FCC stressed it was not advocating for device-makers to prevent all modifications or block the installation of third-party firmware.

[…]

Still, it’s a lot easier to lock down a device’s firmware than it is to prevent modifications to the radio module alone. Open source tech experts predicted that router manufacturers would take the easy way out by slamming the door shut on third-party firmware. And that’s exactly what happened. In March, TP-Link confirmed they were locking down the firmware in all Wi-Fi routers.

[…]

Instead of locking down everything, Linksys went the extra mile to ensure owners still had the option to install the firmware of their choice: “Newly sold Linksys WRT routers will store RF parameter data in a separate memory location in order to secure it from the firmware, the company says. That will allow users to keep loading open source firmware the same way they do now,” reports Ars Technica’s Josh Brodkin.

This is excellent news. Not only will it allow users to continue using their preferred firmware, it also sets a precedent for the industry. TP-Link, like many manufacturers, took the easy road. If every other manufacturer followed suit we’d be awash in shitty firmware (at least until bypasses for the firmware blocks were discovered). By saying it would still allow third-party firmware to be loaded on its devices, Linksys has maintained its value for many customers and may have convinced former users of other devices to buy its devices instead. Other manufacturers may find themselves having to follow Linksys’s path to prevent paying customers from going over to Linksys. By being a voice of reason, Linksys may end up saving Wi-Fi consumers from only having terrible firmware options.

Written by Christopher Burg

May 19th, 2016 at 10:00 am

Updating Your Brand New Xbox One When It Refuses To Update

without comments

The new Doom finally convinced me to buy a new console. I debated between a PlayStation 4 and an Xbox One. In the end I settled on the Xbox One because I still don’t fully trust Sony (I may never get over the fact that they included malicious rootkits on music CDs to enforce their idiotic copy protection and I’m still unhappy about them removing the Linux capabilities for the PlayStation 3) and I was able to buy a refurbished unit for $100.00 off (I’m cheap).

When I hooked up the Xbox One and powered it up for the first time it said it needed to download and apply an update before doing anything else. I let it download the update, since I couldn’t do anything with it until it finished updating, only for it to report that “There was a problem with the update.” That was the entirety of the error message and the only diagnostic option available was to test the network connection, which reported that everything was fine and I was connected to the Internet. I tried power cycling the device, disconnecting it from power for 30 seconds, and every other magical dance that Microsoft recommended on its useless troubleshooting site. Nothing would convince the Xbox to download and install the update it said it absolutely needed.

After a lot of fucking around I finally managed to update it. If you’re running into this problem you can give this strategy a try. Hopefully it saves you the hour and a half of fucking around I went through. What you will need is a USB flash drive formatted in NTFS (the Xbox One will not read the drive if it’s formatted in a variation of FAT because reasons) and some time to wait for the multi-gigabyte files to download.

Go to Microsoft’s site for downloading the Offline System Update Diagnostic Tool. Scroll down to the downloads. You’ll notice that they’re separated by OS versions. Since you cannot do anything on the Xbox One until the update is applied you can’t look up your OS version (nice catch-22). What you will want to do is download both OSUDT3 and OSUDT2.

When you have the files unzip them. Copy the contents of OSUDT3 to the root directory of the flash drive and connect the flash drive to the side USB port on the Xbox One. Hold down the controller sync button on the side and press the power button on the Xbox One (do not turn the Xbox One on with the controller otherwise this won’t work). Still holding down the sync button now press and hold the DVD eject button as well. You should hear the startup sound play twice. After that you can release the two buttons and the Xbox One should start applying the OSUDT3 update. Once that is finished the system will boot normally and you will return to the initial update screen that refuses to apply any updates.

Remove the flash drive, erase the OSUDT3 files from it, and copy the contents of the OSUDT2 zip file to the root directory of the flash drive. Insert the flash drive into the side USB port on the Xbox One and perform the above dance all over again. Once the update has applied your Xbox One should boot up and actually be something other than a useless brick.

As an aside, my initial impression of the Xbox One is less than stellar.

Written by Christopher Burg

May 17th, 2016 at 10:00 am

Posted in Technology

I’m Satoshi Nakamoto! No, I’m Satoshi Nakamoto!

without comments

The price of Bitcoin was getting a little wonky again, which meant that the media must be covering some story about it. This time around the media has learned the real identity of Satoshi Nakamoto!

Australian entrepreneur Craig Wright has publicly identified himself as Bitcoin creator Satoshi Nakamoto.

His admission follows years of speculation about who came up with the original ideas underlying the digital cash system.

Mr Wright has provided technical proof to back up his claim using coins known to be owned by Bitcoin’s creator.

Prominent members of the Bitcoin community and its core development team say they have confirmed his claims.

Mystery solved, everybody go home! What’s that? Wright provided a technical proof? It’s based on a cryptographic signature? In that case I’m sure the experts are looking into his claim:

SUMMARY:

  1. Yes, this is a scam. Not maybe. Not possibly.
  2. Wright is pretending he has Satoshi’s signature on Sartre’s writing. That would mean he has the private key, and is likely to be Satoshi. What he actually has is Satoshi’s signature on parts of the public Blockchain, which of course means he doesn’t need the private key and he doesn’t need to be Satoshi. He just needs to make you think Satoshi signed something else besides the Blockchain — like Sartre. He doesn’t publish Sartre. He publishes 14% of one document. He then shows you a hash that’s supposed to summarize the entire document. This is a lie. It’s a hash extracted from the Blockchain itself. Ryan Castellucci (my engineer at White Ops and master of Bitcoin Fu) put an extractor here. Of course the Blockchain is totally public and of course has signatures from Satoshi, so Wright being able to lift a signature from here isn’t surprising at all.
  3. He probably would have gotten away with it if the signature itself wasn’t googlable by Redditors.
  4. I think Gavin et al are victims of another scam, and Wright’s done classic misdirection by generating different scams for different audiences.

Some congratulations should go to Wright — who will almost certainly claim this was a clever attempt to troll people so he doesn’t feel like a schmuck for being too stupid to properly pull off a scam — for trolling so many people. Not only did the media get suckered but even members of the Bitcoin community fell for his scam hook, line, and sinker.
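The verification mistake described in the summary above, shown from the verifier's side as an added example (not code from the post or from anyone it quotes). It assumes a toy unpadded RSA key in place of Bitcoin's ECDSA, and all messages and function names are constructed. A check that trusts a digest supplied by the claimant accepts a signature copied from public data; hashing the claimed document yourself, checking the signature against already-public ones, or asking for a signature over a fresh challenge does not.

```python
import hashlib
import secrets

# Toy RSA key (two Mersenne primes, no padding), used only to build sample data.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: only the real key holder has it


def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes) -> int:
    """What the genuine key holder can do."""
    return pow(digest_int(data), D, N)


def signature_matches_digest(digest: int, signature: int) -> bool:
    return pow(signature, E, N) == digest


def naive_verify(claimed_digest: int, signature: int) -> bool:
    """Flawed: trusts that the supplied digest really belongs to the document."""
    return signature_matches_digest(claimed_digest, signature)


def strict_verify(document: bytes, signature: int, known_signatures: set) -> str:
    """Hash the full document ourselves and reject signatures already public."""
    if signature in known_signatures:
        return "replayed"
    if signature_matches_digest(digest_int(document), signature):
        return "valid"
    return "invalid"


def challenge_verify(signer) -> bool:
    """Ask for a signature over bytes that did not exist until now."""
    challenge = b"prove-key-possession:" + secrets.token_bytes(16)
    return signature_matches_digest(digest_int(challenge), signer(challenge))


def demo() -> dict:
    ledger_tx = b"constructed ledger transaction #1"  # public data signed long ago
    ledger_sig = sign(ledger_tx)                      # public, copyable by anyone
    claimed_doc = b"constructed excerpt of an essay"  # what is claimed to be signed
    supplied_digest = digest_int(ledger_tx)           # digest lifted from the ledger
    public_sigs = {ledger_sig}
    return {
        "naive_accepts_replay": naive_verify(supplied_digest, ledger_sig),
        "strict_on_replay": strict_verify(claimed_doc, ledger_sig, public_sigs),
        "strict_without_index": strict_verify(claimed_doc, ledger_sig, set()),
        "strict_on_genuine": strict_verify(claimed_doc, sign(claimed_doc), public_sigs),
        "challenge_replayer": challenge_verify(lambda challenge: ledger_sig),
        "challenge_key_holder": challenge_verify(sign),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```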

Written by Christopher Burg

May 3rd, 2016 at 10:00 am