Archive for the ‘Security’ tag
For those of you who don’t know, CryptoPartyMN is a group that focuses on teaching individuals how to use secure communication tools. We meet every other week and host a few hands-on workshops each year. With the sudden concern about privacy as it relates to Internet Service Providers (ISPs), tonight’s meeting will discuss Virtual Private Networks (VPNs).
If you’re interested in learning about defending your privacy against your ISP please feel free to join us.
A lot of people here in the United States are flipping out because the rulers are voting to allow Internet Service Providers (ISP) to sell customer usage data:
A US House committee is set to vote today on whether to kill privacy rules that would prevent internet service providers (ISPs) from selling users’ web browsing histories and app usage histories to advertisers. Planned protections, proposed by the Federal Communications Commission (FCC) that would have forced ISPs to get people’s consent before hawking their data – are now at risk. Here’s why it matters.
It amazes me that more people seem to be upset about private companies selling their usage information for profit than providing their usage data to law enforcers so the wrath of the State’s judicial system can be brought upon them. Personally, I’m far more concerned about the latter than the former. But I digress.
This vote demonstrates the futility of political solutions. At one point the privacy laws were put into place by the State. The process of getting those laws put into place probably involved a lot of begging and kowtowing from the serfs. But Congress and the presidency have been shuffled around and the new masters disagree with what the former masters did so all of that begging and kowtowing was for nothing.
The problem with political solutions is that they’re temporary. Even if you can get the current Congress and president to pass laws that will solve your particular problems, it’s only a matter of time until Congress and the presidency changes hands and undoes the laws you begged so hard to have passed.
If you want a problem solved you have to solve it yourself. In the case of Internet privacy, the best defense against snoopy ISPs is to use a foreign Virtual Private Network (VPN) provider that respects your privacy and is in a country that is difficult for domestic law enforcement to coerce. With the tunnel up, your ISP sees only encrypted traffic to the VPN server, not the sites you visit, which deprives your ISP, and by extension domestic law enforcement, of your usage data. Keep in mind that you haven’t eliminated the snoop, you’ve chosen a different one: the VPN provider now sees everything the ISP used to, so its logging policy and jurisdiction matter, and a VPN client that lets DNS lookups escape the tunnel hands your browsing history back to the ISP anyway.
Will you look at that, it’s a day ending in “y.” You know what that means, right? It means another Internet scam is afoot! This time the scam involves a flaw in Mobile Safari that was just patched yesterday:
Patch your shit, folks.
I had a friend comment that he couldn’t believe that anybody would be stupid enough to fall for this since law enforcement would never hijack a phone and demand payment in iTunes gift cards. Although demanding payment in iTunes gift cards would be unusual for law enforcement, the actions being taken by the scammers aren’t that different from many actions taken by law enforcement. The scammers used a threat in order to extort wealth from their victim just as law enforcement agents do. When people have lived their entire lives worrying about being pulled over and threatened with violence if they don’t pay a fine for driving too fast or, worse yet, having their vehicle and cash confiscated under civil forfeiture laws, the idea that police officers would hijack your browser and demand payment probably doesn’t seem that odd.
We all live under a massive criminal enterprise known as the State. It has taught us that being extorted is just a way of life. With that in mind, it’s not too surprising to me that there are people who fall for these kinds of scams.
Most of you probably didn’t notice but over the weekend I changed this blog over to Let’s Encrypt. There really aren’t any changes for you but this is a project that I’ve been planning to do for a while now.
Since I changed this site over to HTTPS only, I’ve been using StartSSL certificates. However, when it was announced that StartCom, the owner of StartSSL, was bought by WoSign I was wary of renewing my certificates through them. When it was later announced that StartCom and WoSign were backdating certificates to get around the SHA-1 deprecation deadline I knew it was time to move on. The good news is that Let’s Encrypt is far easier than StartSSL was. Setting it up took a bit of time because the Nginx plugin for the Let’s Encrypt client is still experimental and the other options for obtaining certificates without taking the web server down (serving the ACME challenge files from a directory Nginx already exposes) required some server customizations. But once everything was set up it was simple to pull certificates, and renewals can run without any downtime.
So you can breathe easy knowing that your browsing experience is even safer now than it was before.
The Internet of Things (IoT) should be called the idiotic attempt to connect every mundane device to the Internet whether there’s a good reason or not. I admit that my more honest version is a mouthful but I believe it would remind people about what they’re actually buying and that could avoid fiascos like this:
Since Christmas day of last year and at least until the first week of January, Spiral Toys left customer data of its CloudPets brand on a database that wasn’t behind a firewall or password-protected. The MongoDB was easy to find using Shodan, a search engine that makes it easy to find unprotected websites and servers, according to several security researchers who found and inspected the data.
The exposed data included more than 800,000 emails and passwords, which are secured with the strong, and thus supposedly harder to crack, hashing function bcrypt. Unfortunately, however, a large number of these passwords were so weak that it’s possible to crack them, according to Troy Hunt, a security researcher who maintains Have I Been Pwned and has analyzed the CloudPets data.
When you buy something you should ask yourself what the benefits and costs are. People often make the mistake of thinking that the cost is purely the amount you have to pay at the store. But there are always other hidden costs. In the case of these IoT stuffed animals one of the costs is bringing a surveillance apparatus into your home. Sure, most people probably aren’t too worried about toy manufacturers having a bug in their home. But another cost is the risk of the remotely accessible surveillance device being accessed by an unauthorized party, which is what happened here. And note that even the part Spiral Toys did right, hashing passwords with bcrypt, only buys time per guess; it doesn’t rescue a customer whose password was “123456.”
The sordid history of security failures that plagues the IoT market should be considered whenever you’re buying an IoT product.
When I discuss anarchism with statists they always have a litany of excuses to justify why they believe the violence of the State is necessary. Roads are a popular one but another popular excuse is the police. Statists always want to know who will provide protection in a stateless society. One characteristic of statists that always amuses me is their insistence that anarchists solve problems that their precious government hasn’t managed to solve. So my usual response to the question of police is asking who provides protection now.
Let’s consider the security market. If the State’s police were doing an adequate job of providing protection one would expect the security market to be pretty small. But the security market is booming. Homeowners have subscribed to security services such as alarm systems for decades now. Surveillance cameras have been around for decades as well. At first surveillance cameras were used in stores to deter and identify thieves but now the price of decent quality cameras is low enough that one can find them in homes. Other security products that are becoming popular are films that can be applied to windows to make breaking in by smashing through a window very difficult. Door locks, padlocks, and other forms of access control have existed for ages. It’s not unusual for companies to hire private security guards. Some companies even hire armed security guards.
Even the personal defense market is booming. Self-defense classes are available in even modestly sized townships. The number of carry permits being issued has continued to increase because many people, such as myself, realize that the only effective form of self-defense is what you have on you. In addition to carry permits, handguns designed to be easy to carry have been selling very well because people realize that the State’s police will take minutes, if you’re lucky, to get to you.
The State hasn’t done an effective job of providing security, which is why the market has stepped in. In the absence of government the market will continue serving the exact same function it’s serving today.
The privacy-surveillance arms race will likely be waged eternally. The State wants to spy on people so it can better expropriate their wealth. Private companies want to spy on people so they can collect data to better serve them and better target ads at them. The State wants the private companies to spy on their users because it can get that information via a subpoena. Meanwhile, users are stuck being constantly watched.
Browser fingerprinting is one of the more effective tools in the private companies’ arsenal. Without storing anything such as a cookie on the user’s system, private companies are able to use the data surrendered by browsers to track users with a surprising degree of accuracy. But fingerprinting has been limited to individual browsers: if a user switches browsers their old fingerprint is no longer valid… until now:
The new technique relies on code that instructs browsers to perform a variety of tasks. Those tasks, in turn, draw on operating-system and hardware resources—including graphics cards, multiple CPU cores, audio cards, and installed fonts—that are slightly different for each computer. For instance, the cross-browser fingerprinting carries out 20 carefully selected tasks that use the WebGL standard for rendering 3D graphics in browsers. In all, 36 new features work independently of a specific browser.
New browser features are commonly used for tracking users. In time those features are usually improved in such a way that tracking becomes more difficult. I have no doubt that WebGL will follow this path as well. Until it is improved though, it wouldn’t be dumb to disable it if you’re trying to avoid being tracked. Bear in mind that having WebGL disabled is itself a (small) distinguishing signal and will break sites that depend on it, so it’s a tradeoff rather than a free win.
Customs in the United States has become nosier every year. It makes one wonder how one can enter the country without surrendering one’s life by granting access to one’s digital devices. Wired put together a decent guide for dealing with customs. Of the tips there is one that I highly recommend:
Make a Travel Kit
For the most vulnerable travelers, the best way to keep customs away from your data is simply not to carry it. Instead, like Lackey, set up travel devices that store the minimum of sensitive data. Don’t link those “dirty” devices to your personal accounts, and when you do have to create a linked account—as with iTunes for iOS devices—create fresh ones with unique usernames and passwords. “If they ask for access and you can’t refuse, you want to be able to give them access without losing any sensitive information,” says Lackey.
Social media accounts, admittedly, can’t be so easily ditched. Some security experts recommend creating secondary personas that can be offered up to customs officials while keeping a more sensitive account secret. But if CBP agents do link your identity with an account you tried to hide, the result could be longer detention and, for non-citizens, even denial of entry.
I believe that I first came across this advice on Bruce Schneier’s blog. Instead of traveling with a device that contains all of your information, consider traveling with a completely clean device and accessing the information you need over a Virtual Private Network (VPN), from a machine you left behind at home, once you reach your destination. Before you head back, wipe the device again so it crosses the border as clean as it arrived.
The most effective way to defend against the snoops at the border is to not have any data for them to snoop.
The other tips are good to follow as well but aren’t as effective as simply not having any data in the first place. But I understand that isn’t always feasible. In cases where you’re traveling somewhere that has unreliable Internet connectivity, for example, you will need to bring the data you need with you. If you’re in such a situation I recommend only bringing the data you absolutely need.
I don’t have a lot of material for you today since I was busy prepping for tonight’s CryptoPartyMN meeting.
Tonight we’ll be discussing how cryptography can be used to defend against phishing scams. Everybody is welcome. We’re meeting at Rudolphs Bar-B-Que at 6:30 pm.
After eight years of unexplained absence, neoliberals who are critical of the State have returned. I’m not sure where they were hiding but I’m glad to see that they’re safe and sound. But a lot has changed in eight years so I’m sure many of them are out of the loop when it comes to online security. For example, what if you’re a federal employee who was told by your employer to shut up and you wanted to criticize them for it but didn’t want to be fired from your parasitic job? This isn’t as easy as opening a Twitter account and blasting criticisms out 140 characters at a time. Your employer has massive surveillance powers that would allow it to discover who you are and fire you for disobedience. Fortunately, The Grugq has you covered.
The information in his post regarding Twitter is applicable to any activist who is utilizing social media and might raise the ire of the State. I think the most important piece of information in that article though is that you shouldn’t immediately jump in with the sharks:
These are a lot of complicated operational rules and guides you’ll have to follow strictly and with discipline. If you “learn on the job” your mistakes will be linked to the account that you’re trying to protect. It would be best that you go through the steps and practice these rules on a non sensitive account. Make sure you’re comfortable with them, that you know how to use the tools, that you understand what you’re supposed to do and why.
Some underground organisations have something they call “the first and last mistake,” which is when you break a security rule and it leads to discovery and exposure. You’re the resistance, you need to make sure you can use the tools of resistance without mistakes – so practice where it is safe, get the newbie mistakes out of the way, and then implement and operate safely where it matters.
If you’re planning to partake in activism you should do a few trial runs of creating and maintaining pseudonymous social media accounts. Maintaining the discipline necessary to avoid detection is no easy feat. It’s better to screw up when it doesn’t matter than to screw up when you could face real world consequences.