A Geek With Guns

Chronicling the depravities of the State.

Archive for the ‘Security’ tag

CryptoPartyMN Meeting Tonight

For those of you who don’t know, CryptoPartyMN is a group that focuses on teaching individuals how to use secure communication tools. We meet every other week and host a few hands-on workshops each year. With the sudden concern about privacy as it relates to Internet Service Providers (ISPs), tonight’s meeting will discuss Virtual Private Networks (VPNs).

If you’re interested in learning about defending your privacy against your ISP please feel free to join us.

Written by Christopher Burg

April 4th, 2017 at 11:00 am

Posted in Events

Political Solutions Don’t Work

A lot of people here in the United States are flipping out because the rulers are voting to allow Internet Service Providers (ISP) to sell customer usage data:

A US House committee is set to vote today on whether to kill privacy rules that would prevent internet service providers (ISPs) from selling users’ web browsing histories and app usage histories to advertisers. Planned protections – proposed by the Federal Communications Commission (FCC), which would have forced ISPs to get people’s consent before hawking their data – are now at risk. Here’s why it matters.

It amazes me that more people seem to be upset about private companies selling their usage information for profit than providing their usage data to law enforcers so the wrath of the State’s judicial system can be brought upon them. Personally, I’m far more concerned about the latter than the former. But I digress.

This vote demonstrates the futility of political solutions. At one point the privacy laws were put into place by the State. The process of getting those laws put into place probably involved a lot of begging and kowtowing from the serfs. But Congress and the presidency have been shuffled around and the new masters disagree with what the former masters did so all of that begging and kowtowing was for nothing.

The problem with political solutions is that they’re temporary. Even if you can get the current Congress and president to pass laws that will solve your particular problems, it’s only a matter of time until Congress and the presidency change hands and undo the laws you begged so hard to have passed.

If you want a problem solved you have to solve it yourself. In the case of Internet privacy, the best defense against snoopy ISPs is to use a foreign Virtual Private Network (VPN) provider that respects your privacy and is in a country that is difficult for domestic law enforcement to coerce. Using a VPN deprives your ISP, and by extension domestic law enforcement, of your usage data.

Written by Christopher Burg

March 28th, 2017 at 11:00 am

Living Under a Criminal Enterprise

Will you look at that, it’s a day ending in “y.” You know what that means, right? It means another Internet scam is afoot! This time the scam involves a flaw in Mobile Safari that was just patched yesterday:

The flaw involved the way that Safari displayed JavaScript pop-up windows. In a blog post published Monday afternoon, researchers from mobile-security provider Lookout described how exploit code surreptitiously planted on multiple websites caused an endless loop of windows to be displayed in a way that prevented the browser from being used. The attacker websites posed as law-enforcement actions and falsely claimed that the only way users could regain use of their browser was to pay a fine in the form of an iTunes gift card code to be delivered by text message. In fact, recovering from the pop-up loop was as easy as going into the device settings and clearing the browser cache. This simple fix was possibly lost on some uninformed targets who were too uncomfortable to ask for outside help.

Patch your shit, folks.

I had a friend comment that he couldn’t believe anybody would be stupid enough to fall for this, since law enforcement would never hijack a phone and demand payment in iTunes gift cards. Although demanding payment in iTunes gift cards would be unusual for law enforcement, the actions taken by the scammers aren’t that different from many actions taken by law enforcement. The scammers used a threat in order to extort wealth from their victim, just as law enforcement agents do. When people have lived their entire lives worrying about being pulled over and threatened with violence if they don’t pay a fine for driving too fast or, worse yet, having their vehicle and cash confiscated under civil forfeiture laws, the idea that police officers would hijack your browser and demand payment probably doesn’t seem that odd.

We all live under a massive criminal enterprise known as the State. It has taught us that being extorted is just a way of life. With that in mind, it’s not too surprising to me that there are people who fall for these kinds of scams.

Written by Christopher Burg

March 28th, 2017 at 10:00 am

Let’s Encrypt

Most of you probably didn’t notice but over the weekend I changed this blog over to Let’s Encrypt. There really aren’t any changes for you but this is a project that I’ve been planning to do for a while now.

Since I changed this site over to HTTPS only, I’ve been using StartSSL certificates. However, when it was announced that StartCom, the owner of StartSSL, had been bought by WoSign, I was wary of renewing my certificates through them. When it was later announced that StartCom and WoSign were backdating certificates to get around the SHA-1 deprecation deadline, I knew it was time to move on. The good news is that Let’s Encrypt is far easier than StartSSL was. Setting it up took a bit of time because Nginx support in Let’s Encrypt is still experimental and the other options for pulling certificates without shutting down the server required some server customizations. But once everything was set up it was simple to pull certificates.

While I was changing over my certificates I also took the opportunity to implement a Content Security Policy (CSP). Now when you load my page your browser is given a whitelist of locations content can come from. This reduces the threat of potential code injection attacks. Unfortunately, due to WordPress, I had to enable some unsafe options such as executing inline JavaScript and eval() statements. I’ll be looking for ways to get rid of those in the future though.

So you can breathe easy knowing that your browsing experience is even safer now than it was before.
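As an added illustration (not this blog’s actual Nginx configuration or header), here is a small Python check that parses a Content-Security-Policy header the way browsers do and flags the script-src settings discussed above, 'unsafe-inline' and 'unsafe-eval'; it also covers the nonce-based policy that replaces them, where CSP Level 2 and later browsers ignore 'unsafe-inline' once a nonce or hash is present. Both sample policies are constructed for the example.

```python
"""Audit a Content-Security-Policy header for weak script sources (constructed example)."""
from typing import Dict, List

# Source expressions that make 'unsafe-inline' irrelevant in CSP Level 2 and later.
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Return {directive: [sources]}; like browsers, keep only a directive's first copy."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src governs scripts; without it, default-src applies."""
    return policy.get("script-src", policy.get("default-src", []))


def find_script_weaknesses(header: str) -> List[str]:
    """Return findings about the script policy; an empty list means none found."""
    policy = parse_csp(header)
    if "script-src" not in policy and "default-src" not in policy:
        return ["no script-src or default-src: scripts are unrestricted"]
    sources = effective_script_sources(policy)
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in sources)
    findings = []
    for src in sources:
        if src == "'unsafe-inline'" and has_nonce_or_hash:
            findings.append("'unsafe-inline' is ignored because a nonce/hash is present")
        elif src == "'unsafe-inline'":
            findings.append("'unsafe-inline': any injected inline <script> runs")
        elif src == "'unsafe-eval'":
            findings.append("'unsafe-eval': eval()/Function() can turn strings into code")
        elif src in ("*", "http:", "https:"):
            findings.append(f"{src}: scripts may load from any host")
    return findings


# Constructed sample policies, not the blog's real header.
WORDPRESS_STYLE = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
                   "style-src 'self' 'unsafe-inline'; img-src 'self' data:")
NONCE_STYLE = ("default-src 'self'; script-src 'self' 'nonce-c29tZXJhbmRvbQ==' "
               "'unsafe-inline'; object-src 'none'; base-uri 'self'")

if __name__ == "__main__":
    for label, hdr in (("wordpress-style", WORDPRESS_STYLE), ("nonce-style", NONCE_STYLE)):
        print(label, find_script_weaknesses(hdr) or ["no script weaknesses"])
```

The nonce-style policy keeps 'unsafe-inline' only as a fallback for old browsers; a modern browser discards it and runs nothing but scripts carrying the per-response nonce.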

Written by Christopher Burg

March 10th, 2017 at 11:00 am

Posted in Side Notes

Is Your Child’s Toy a Snitch

The Internet of Things (IoT) should be called the idiotic attempt to connect every mundane device to the Internet whether there’s a good reason or not. I admit that my more honest version is a mouthful, but I believe it would remind people what they’re actually buying, and that could avoid fiascos like this:

Since Christmas day of last year and at least until the first week of January, Spiral Toys left customer data of its CloudPets brand on a database that wasn’t behind a firewall or password-protected. The MongoDB was easy to find using Shodan, a search engine that makes it easy to find unprotected websites and servers, according to several security researchers who found and inspected the data.

The exposed data included more than 800,000 emails and passwords, which are secured with the strong, and thus supposedly harder to crack, hashing function bcrypt. Unfortunately, however, a large number of these passwords were so weak that it’s possible to crack them, according to Troy Hunt, a security researcher who maintains Have I Been Pwned and has analyzed the CloudPets data.

When you buy something you should ask yourself what the benefits and costs are. People often make the mistake of thinking that the cost is purely the amount you have to pay at the store. But there are always other hidden costs. In the case of these IoT stuffed animals, one of the costs is bringing a surveillance apparatus into your home. Sure, most people probably aren’t too worried about toy manufacturers having a bug in their home. But another cost is the risk of the remotely accessible surveillance device being accessed by an unauthorized party, which is what happened here.

The sordid history of security failures that plagues the IoT market should be considered whenever you’re buying an IoT product.

Written by Christopher Burg

March 2nd, 2017 at 10:30 am

Without Government Who Would Protect the People

When I discuss anarchism with statists they always have a litany of excuses to justify why they believe the violence of the State is necessary. Roads are a popular one, but another popular excuse is the police. Statists always want to know who will provide protection in a stateless society. One characteristic of statists that always amuses me is their insistence that anarchists solve problems that their precious government hasn’t managed to solve. So my usual response to the question of police is to ask who provides protection now.

Let’s consider the security market. If the State’s police were doing an adequate job of providing protection, one would expect the security market to be pretty small. But the security market is booming. Homeowners have subscribed to security services such as alarm systems for decades now. Surveillance cameras have been around for decades as well. At first surveillance cameras were used in stores to deter and identify thieves, but now the price of decent quality cameras is low enough that one can find them in homes. Other security products that are becoming popular are films that can be applied to windows to make breaking in by smashing through a window very difficult. Door locks, padlocks, and other forms of access control have existed for ages. It’s not unusual for companies to hire private security guards. Some companies even hire armed security guards.

Even the personal defense market is booming. Self-defense classes are available in even modestly sized townships. The number of carry permits being issued has continued to increase because many people, such as myself, realize that the only effective form of self-defense is what you have on you. In addition to carry permits, handguns designed to be easy to carry have been selling very well because people realize that the State’s police will take minutes, if you’re lucky, to get to you.

The State hasn’t done an effective job of providing security, which is why the market has stepped in. In the absence of government the market will continue serving the exact same function it’s serving today.

Written by Christopher Burg

February 23rd, 2017 at 11:00 am

Your Browser is a Snitch

The privacy-surveillance arms race will likely be waged eternally. The State wants to spy on people so it can better expropriate their wealth. Private companies want to spy on people so they can collect data to better serve them and better target ads at them. The State wants the private companies to spy on their users because it can get that information via a subpoena. Meanwhile, users are stuck being constantly watched.

Browser fingerprinting is one of the more effective tools in the private companies’ arsenal. Without having to store data on users’ systems, private companies are able to use the data surrendered by browsers to track users with a surprising degree of accuracy. But fingerprinting has been limited to individual browsers. If a user switches browsers their old fingerprint is no longer valid… until now:

The new technique relies on code that instructs browsers to perform a variety of tasks. Those tasks, in turn, draw on operating-system and hardware resources—including graphics cards, multiple CPU cores, audio cards, and installed fonts—that are slightly different for each computer. For instance, the cross-browser fingerprinting carries out 20 carefully selected tasks that use the WebGL standard for rendering 3D graphics in browsers. In all, 36 new features work independently of a specific browser.

New browser features are commonly used for tracking users. In time those features are usually improved in such a way that tracking becomes more difficult. I have no doubt that WebGL will follow this path as well. Until it is improved, though, it wouldn’t be dumb to disable it if you’re trying to avoid being tracked.

Written by Christopher Burg

February 15th, 2017 at 10:30 am

Tips for Getting Past Customs

Customs in the United States has become nosier every year. It makes one wonder how anyone can enter the country without surrendering their life by granting access to their digital devices. Wired put together a decent guide for dealing with customs. Of the tips, there is one that I highly recommend:

Make a Travel Kit

For the most vulnerable travelers, the best way to keep customs away from your data is simply not to carry it. Instead, like Lackey, set up travel devices that store the minimum of sensitive data. Don’t link those “dirty” devices to your personal accounts, and when you do have to create a linked account—as with iTunes for iOS devices—create fresh ones with unique usernames and passwords. “If they ask for access and you can’t refuse, you want to be able to give them access without losing any sensitive information,” says Lackey.

Social media accounts, admittedly, can’t be so easily ditched. Some security experts recommend creating secondary personas that can be offered up to customs officials while keeping a more sensitive account secret. But if CBP agents do link your identity with an account you tried to hide, the result could be longer detention and, for non-citizens, even denial of entry.

I believe that I first came across this advice on Bruce Schneier’s blog. Instead of traveling with a device that contains all of your information you should consider traveling with a completely clean device and accessing the information you need via a Virtual Private Network (VPN) when you reach your destination. When you’re ready to return home wipe all of the data.

The most effective way to defend against the snoops at the border is to not have any data for them to snoop.

The other tips are good to follow as well but aren’t as effective as simply not having any data in the first place. But I understand that isn’t always feasible. In cases where you’re traveling somewhere that has unreliable Internet connectivity, for example, you will need to bring the data you need with you. If you’re in such a situation I recommend only bringing the data you absolutely need.

Written by Christopher Burg

February 15th, 2017 at 10:00 am

CryptoPartyMN Meeting Tonight

I don’t have a lot of material for you today since I was busy prepping for tonight’s CryptoPartyMN meeting.

Tonight we’ll be discussing how cryptography can be used to defend against phishing scams. Everybody is welcome. We’re meeting at Rudolphs Bar-B-Que at 6:30 pm.

Written by Christopher Burg

February 7th, 2017 at 10:00 am

Posted in Events

Social Media for Activists

After eight years of unexplained absence, neoliberals who are critical of the State have returned. I’m not sure where they were hiding but I’m glad to see that they’re safe and sound. But a lot has changed in eight years, so I’m sure many of them are out of the loop when it comes to online security. For example, what if you’re a federal employee who was told by your employer to shut up and you wanted to criticize them for it but didn’t want to be fired from your parasitic job? This isn’t as easy as opening a Twitter account and blasting criticisms out 140 characters at a time. Your employer has massive surveillance powers that would allow it to discover who you are and fire you for disobedience. Fortunately, The Grugq has you covered.

The information in his post regarding Twitter is applicable to any activist who is utilizing social media and might raise the ire of the State. I think the most important piece of information in that article though is that you shouldn’t immediately jump in with the sharks:

These are a lot of complicated operational rules and guides you’ll have to follow strictly and with discipline. If you “learn on the job” your mistakes will be linked to the account that you’re trying to protect. It would be best that you go through the steps and practice these rules on a non-sensitive account. Make sure you’re comfortable with them, that you know how to use the tools, that you understand what you’re supposed to do and why.

Some underground organisations have something they call “the first and last mistake,” which is when you break a security rule and it leads to discovery and exposure. You’re the resistance, you need to make sure you can use the tools of resistance without mistakes – so practice where it is safe, get the newbie mistakes out of the way, and then implement and operate safely where it matters.

If you’re planning to partake in activism you should do a few trial runs of creating and maintaining pseudonymous social media accounts. Maintaining the discipline necessary to avoid detection is no easy feat. It’s better to screw up when it doesn’t matter than to screw up when you could face real world consequences.

Written by Christopher Burg

January 31st, 2017 at 10:30 am