A Geek With Guns

Discount security adviser to the proles.

Archive for the ‘You Can’t Cure Stupid’ tag

Airport Security Isn’t The Only Security The TSA Sucks At

without comments

The Transportation Security Administration (TSA) sucks at providing airport security. But the agency isn’t a one-trick pony. Demonstrating its commitment to excellence — at sucking — the TSA is working hard to make its computer security just as good as its airport security:

The report centers on the way TSA (mis)handles security around the data management system which connects airport screening equipment to centralized servers. It’s called the Security Technology Integrated Program (STIP), and TSA has been screwing it up security-wise since at least 2012.

In essence, TSA employees haven’t been implementing STIP properly — that is, when they’ve been implementing it at all.

STIP manages data from devices we see while going through security lines at airports, namely explosive detection systems, x-ray and imaging machines, and credential authentication.

[…]

In addition to unpatched software and a lack of physical security that allowed non-TSA airport employees access to IT systems, the auditors found overheated server rooms and computers using unsupported systems — and much more.

The observed “lack of an established disaster recovery capability” noted by the OIG is particularly scary. If a data center was taken out by natural disaster, passenger screening and baggage info would be rendered inaccessible.

Not only that, but there was no security incident report process in place, and there was “little employee oversight in maintaining IT systems.” And, auditors were not pleased at all that non-TSA IT contractors maintained full admin control over STIP servers at airports.

At what point do we write the TSA off as a failed experiment? I know, it’s a government agency, it’ll never go away. But the fact that the TSA continues to fail at everything and is allowed to continue existing really demonstrates why the market is superior to the State. Were the TSA forced to compete in a market environment it would have been bankrupted and its assets would have been sold to entrepreneurs who might be able to put them to use.

It’s time to ask the million dollar question. What will happen now? One of the reasons government agencies fail to improve their practices is that there’s no motivation to do so. A government agency can’t go bankrupt and very rarely do failures lead to disciplinary action. In the very few cases where disciplinary action does happen it’s usually something trivial such as asking the current head of the agency to retire with full benefits.

Meanwhile air travelers will still be required to submit to the TSA, which not only means going through security theater but now potentially means having their personal information, such as images from the slave scanners, leaked to unauthorized parties.

Being Able To Lookup Your Neighbor’s Income Online Is A Terrible Idea

without comments

Statists come up with the dumbest ideas. One of the latest stupid statist ideas is that Norway’s practice of posting everybody’s tax returns online is a good idea:

But maybe the demand that Trump post his returns doesn’t go far enough. Maybe everyone’s tax returns should be a matter of public record. It sounds nuts, but in Norway, Sweden, and Finland, it’s the law, and it works. Norway’s been putting out records since 1814; in Sweden, they’ve been public since 1903.

Public tax returns help reduce gender and racial pay disparities, make labor markets more efficient, encourage workers to bargain for higher pay, prevent tax evasion, and create a rich font of data for economists and other researchers. The US ought to give the idea a try.

Why should anybody have any right to privacy at all? We might as well just put our medical records, voting records, and any other type of records online for everybody to see! And fuck those people who want to have control over their personal information. They’re obviously hiding something.

If you read the article you will discover that the author is a jealous individual trying to disguise that jealousy as pragmatism. He starts off by arguing that making tax return information publicly available would improve the job market. This claim is backed up by a great deal of statist nonsense such as implying that markets require perfect information (they don’t) and claiming that it’s impossible for employees to find out what their fellows at other companies are making if tax return records are private (apparently it never occurred to the author that you can just ask). But he eventually gets to his real point:

Another thing about pay transparency: It makes it harder to evade your taxes. Adding scrutiny from not only the tax collection agency but your neighbors and competitors makes it tougher to fudge your reported income.

Making tax returns publicly available makes it easier for the State to steal wealth to fund its law enforcers, war machine, economic protectionism, and other atrocities. This is ultimately what every statist’s opposition to privacy boils down to. As believers in the One True State, they want to make it as difficult as possible for anybody who opposes their political god. Are private tax returns making it harder for their political god to steal? Make the records public! Is end-to-end cryptography making it harder for their political god to keep the citizenry in line? Restrict effective cryptography! Are anonymizing services allowing people to peacefully sell illicit goods? Ban anonymizing services!

This is why privacy is so important. The State and its worshippers want to know as much about you as possible. That way they can better know what you have so they can steal it and identify dissidents so they can crush them. Know that when somebody advocates that privacy must be curtailed they’re necessarily arguing that the State must be further empowered. Also know that the empowerment of the State always comes at the expense of individual freedom.

Written by Christopher Burg

May 20th, 2016 at 10:00 am

I Guess Oracle Will Sue MariaDB Next

without comments

Oracle is still butthurt over the fact that it snapped up Java when it purchased Sun Microsystems and still hasn’t figured out how to make it profitable. Google, on the other hand, managed to take the Java application programming interface (API) and use it for Android, which is turning the company a tidy profit. After getting its ass handed to it in court only to have a dimwitted judge reverse the decision, Oracle is pushing forward with its desperate attempt to get its hands on some of the wealth Google created. Oracle is now claiming that Google owes damages. Why? Apparently because it’s offering Android for free:

Catz also testified that Oracle’s Java licensing business was hurt by Android. Customers that used to buy licenses for Java, including Samsung, ZTE, Motorola, and others, don’t buy licenses from Oracle anymore. “They don’t take a license from us anymore, because they use Android, which is free,” she said.

Licensing contracts that used to be $40 million deals are now $1 million deals, Catz said. She gave the example of Amazon, which was formerly a customer but chose to go with Android for the Kindle Fire. When Amazon came out with its popular mid-range Kindle, the Paperwhite, the e-reader company chose to license Java only after Oracle offered a massive discount.

“In order to compete, we ended up giving a 97.5 percent discount for the Paperwhite,” she said, “because our competition was free.”

As for the mobile licensing business, since the launch of Android, it has performed “very, very poorly,” Catz said.

What’s next? Will Oracle sue the people behind MariaDB? For those who don’t know, MariaDB is a fork of MySQL, which is another product that Oracle acquired when it purchased Sun Microsystems. MariaDB, like the Android API, is a free product based on software Oracle acquired through its purchase of Sun Microsystems that could be taking market share from its expensive software!

Should manufacturers and developers of a product that’s sold directly for money be able to sue competitors who offer a free alternative? If you ask some antitrust supporters the answer is yes. But if you ask anybody with a brain the answer is no.

Consider Oracle’s situation. Android basically ate its lunch because nobody is buying its mobile Java software. Does that indicate that Google is somehow at fault because it made Android free? No. Such an assumption would imply that free products always win in the market when that isn’t the case. Sometimes a free product is so shitty that an expensive alternative still wins out. Consider Microsoft Windows. It’s still the most popular desktop operating system out there even though Linux, FreeBSD, OpenBSD, and a number of other free alternatives exist. Why? Because Windows offers features that consumers want and the alternatives don’t offer. Software compatibility, driver support, etc. are desirable features to many people. So desirable in fact that they’re willing to pay for them even though a free alternative exists. Without those features consumers see the free alternatives as so shitty that the savings associated with using them aren’t worth it. In spite of what the famous saying says, you actually can compete with free.

Android isn’t winning over mobile Java simply because it’s free. It’s winning because it offers features that consumers want. There is a massive software library available for Android that isn’t available for mobile Java. Google includes many desirable applications including clients for its popular Maps and Gmail services. Hardware developers want consumers to buy their phones so they tend to favor software that consumers want, which is part of the reason so many Android mobile devices exist while so few Windows ones do.

Google isn’t responsible for Oracle’s dwindling mobile Java profits; Oracle is, for not making it a compelling product.

Written by Christopher Burg

May 18th, 2016 at 10:00 am

The Ignorant Stupidity That Is America

with 2 comments

They say ignorance makes people fearful. If that’s the case the United States must be one of the most ignorant countries on Earth. People here in the United States like to talk a big game but it seems like most of them are scared of their own shadows. This is made most obvious when people fight against any attempt to defang the State. If you mention cutting military or law enforcement budgets you’ll suddenly find yourself surrounded by people saying, “But then the child molesting hacker terrorists will get us!”

This fear has become especially ridiculous amongst airline passengers. Fifteen years after 9/11, airline passengers are still seeing terrorists in every seat. Does the person next to you speak a language that sounds Middle Eastern? They’re a terrorist! Is the person next to you writing Arabic numerals? They’re also a terrorist:

Menzio said he was flying from Philadelphia to Syracuse on Thursday night and was solving a differential equation related to a speech he was set to give at Queen’s University in Ontario, Canada. He said the woman sitting next to him passed a note to a flight attendant and the plane headed back to the gate. Menzio, who is Italian and has curly, dark hair, said the pilot then asked for a word and he was questioned by an official.

“I thought they were trying to get clues about her illness,” he told The Associated Press in an email. “Instead, they tell me that the woman was concerned that I was a terrorist because I was writing strange things on a pad of paper.”

I guess he should have used Roman numerals. In all seriousness though, the fact that the woman sitting next to him saw a terrorist when she couldn’t make sense of what he was writing shows just how fearful this society has become. It’s even more absurd that the flight attendant she passed the note to didn’t ignore the concern outright. Without any evidence the flight attendant called the badged men with guns to the plane to harass a passenger. Further adding to the absurdity was the security guards not dismissing the call for lack of evidence. But they were likely afraid of losing their jobs if the reporting passenger or flight attendant told the press that they reported a suspected terrorist and the security team failed to respond. And the media would certainly take the angle of lazy security guards putting passengers at risk of a terrorist attack over the angle of the security team acting in a reasonable manner when no evidence of wrongdoing is presented.

Written by Christopher Burg

May 17th, 2016 at 10:30 am

Anatomy Of A Scam

with 3 comments

Kickstarter is used to get some really cool projects off of the ground but it’s also packed with half-baked ideas and outright scams. What I present here is a case of the latter. Meet the first encryption software engineered to defeat hacking programs, granting impenetrable data protection, and cloud storage (their words, not mine).

I’m not even sure where to start with this one so I guess I’ll start with the most obvious red flag, impenetrable anti-hacking software. Before starting this Kickstarter I assume the team worked on a unicorn ranch because they apparently have a knack for delivering the impossible. And if designing impenetrable software is possible it certainly isn’t going to be done by this team. Pulling off such a feat would require a great deal of technical knowledge and this team doesn’t appear to have that as I will demonstrate. Let’s begin with their statement regarding the Advanced Encryption Standard (AES):

AES Hacking Solutions are readily available for sale on dark web.

In the late 1990’s, AES, while under ‘well-intentioned’ government oversight, somehow, a ‘back-door’ found its way into this ‘approved’ data security solution, — as has been widely reported. The unintended consequences of this back-door allows for complete access to your data, without your permission, to data monitoring, data-mining and active eavesdropping. Effectively, voiding your right to privacy and confidentiality. So common is this practice it has a name: Active Snooping.

There are known attacks against AES but none of them are practical. But the elite team of entrepreneurs (I’ll get to that in a bit) supposedly know of a backdoor. In fact this backdoor has supposedly been widely reported! Yet I’ve never heard of it, which I find odd because I follow the publications of quite a few computer security experts. I guess everybody from Bruce Schneier to Dan Kaminsky just missed that piece of news as well as this piece:

SSL is a Myth. Cybercriminals know about these flaws and back-door. They are stealing, compromising, and profiting from your data everyday.

SSL is a myth? Huh. As somebody who has spent many hours configuring it I would beg to differ. SSL, more accurately TLS, is a very real thing. It’s also secure so long as it’s configured correctly. Speaking of myths, or more accurately fiction:

You don’t have to be 007 to Use the DataGateKeeper Encryption Software…

I’m glad they mentioned 007 because this page reads like the “hacking” Q did in Skyfall. That is to say it’s nonsensical and entirely fictitious. Q gets a pass though because he’s a fictional character in a fictional universe where anything is possible. Even something as infeasible as a Walther PPK feeding reliably can happen in James Bond’s universe.

Earlier I questioned DataGateKeeper’s team’s technical knowledge. This isn’t because they posted an incorrect minor detail about a complex mathematical factoid. It’s because they can’t even get basic units of measure correct:

[Image: so-many-kilobits]

So. Many. Kilobits! Even if you’re only marginally aware of AES you’ve probably seen a mention of a 128-bit and a 256-bit mode. A kilobit is 1,000 bits so according to this chart DataGateKeeper has 512,000-bit encryption whereas services such as Dropbox and OneDrive lack even 128,000-bit AES encryption. Well that’s a no-brainer since 128,000-bit AES doesn’t exist. Even if it did no consumer computer would have the processing power to use it. This chart should have added a row for unicorns. None of the competing services offer unicorns and I wouldn’t put it past the DataGateKeeper team to claim they offer unicorns.

Regardless of feasibility, DataGateKeeper is offering all of the kilobits:

  • 512kb Civilian – 50 Years of protection. Available on Kickstarter.
  • 768kb First Responders, Police, Retired & Active Duty Military – 73 years of protection. Donation of your choice.
  • 1024kb – Enterprise & SMB

That’s a lot of kilobits! But wait… now I’m confused. Earlier on the page it said:

MyDataAngel.com provides Impenetrable Civilian Data Protection plans beginning at 512-bit encryption.

So which is it? 512 bits or 512 kilobits? There’s literally a factor of 1,000 difference. I’m sure that will be clarified at a future date. What we do know is that whatever algorithm they’re using is 6,000,000 times stronger than current data security:

We created a cipher that is 6,000,000 times stronger than current data security, as proven by algorithmic mathematics.

See? They proved it with algorithmic mathematics! That’s, like, the best kind of mathematics!

So how does this miraculous algorithm work? Who knows. The Kickstarter page, not surprisingly, doesn’t include any technical details. Okay, it does include a gif image with a calculator and some math-like stuff. It doesn’t actually explain anything but it’s there.

After reading this Kickstarter page you’re left with the feeling that it was written by marketing people who have no knowledge about cryptography. Even the most basic of information is either wrong or nonsensical. It’s almost as if there are no cryptographers involved with this project. In fact, that may be exactly what the problem is:

Our management team is uniquely qualified to implement our plan of operations, with a combined 75+ years of entrepreneurial experience, at all levels of corporate gestation, from rank start-up through to publicly traded entities. Our experience spans multiple sectors, from entertainment and manufacturing to healthcare and technology. The management team resume includes names such as: PepsiCo, Colgate-Palmolive, Paramount Studios and Merv Griffin Productions. Our President and co-founder, Debra Towsley, oversaw the marketing plan for Universal Studios’ $1.5 billion theme park expansion, Islands of Adventure®, as VP of Marketing. Our Chief Strategy Officer, Frank Ruppen, graduated from Harvard Business School, and cut his teeth as the brand manager for Procter & Gamble, before accepting positions at McKinsey & Co., Sterling Brands, and Consumer Dynamics; he relocated to work in cities like: Sydney, Caracas and Tokyo. Raymond Talarico, our CEO, has been involved in multiple roll-ups and consolidations. He is credited as having developed companies from a one-sentence mission statement in MEDirect Latino to publicly traded entities with market caps exceeding $160M. The youngest member of our team, Joshua Noel (21), is the Creative Director who is a literal ‘Jack of All Trades’ when it comes to content creation. Yes, they do exist. His talent is on display here in the videos, as well as the vlogs, the overall design of our branding, and iconization.

They have people experienced in entrepreneurship, but not a single cryptographer is mentioned anywhere on the page. That pretty much tells us everything we need to know and explains why this page reads like a marketing person was tasked with writing a sales pitch on a cryptographic service but wasn’t given access to anybody knowledgeable in cryptography to verify any of the claims.

This is what a scam looks like. The product being offered is not only impossible but the entire writeup makes no sense within the framework of the market they’re aiming at. Scam might not even be the correct word for this. I would hope a scam artist would put some effort into making their scam at least appear somewhat believable. The people involved in this page didn’t even accomplish that much! DataGateKeeper’s team are scam artists who couldn’t even create a convincing scam. They’re basically failures who failed at failing.

At this point, when social media backlash destroys any chance of this Kickstarter getting funded, I’m expecting them to claim that this was all an elaborate troll. It really is their only option.

Written by Christopher Burg

May 13th, 2016 at 11:00 am

The State Sucks At Language

without comments

Under any sane legal system the label criminal would be reserved for those who victimize others. But the legal systems of most modern developed countries use the label to describe anybody who has violated any of the State’s decrees, regardless of how arbitrary they may be. Because of this we have people walking around who have been labeled criminals but have never victimized anybody. Fortunately the Department of Justice (DoJ) is finally recognizing this fact, although I doubt it’s intentional, and is moving away from the term criminal to describe the people it targets:

The Department Of Justice has been phasing out the use of the word “criminal” to describe criminals. On the DOJ website the newer term, “justice-involved individual,” can be traced back to 2009. However, the term has seen more and more daylight over the last couple of years.

I’ve seen quite a few neocons flipping their shit about this but it really is a good move. The DoJ spends a great deal of its time harassing drug buyers and sellers, tax evaders, unlicensed firearm dealers, and other people who haven’t actually victimized anybody. That being the case, it makes sense to refer to its targets by something other than criminals.

With that said, the DoJ, like every other government agency, sucks at language. Justice-involved individual is also a misnomer for the same reason the agency’s name is a misnomer; the word justice implies a wrong being righted. Without a victim there is no wrong to right and therefore no justice to be had. A better label would be a legal-involved individual.

Written by Christopher Burg

May 12th, 2016 at 10:00 am

Performing Denial Of Service Attacks Against Airliners Is Ridiculously Simple

without comments

How can you shut down an airline service? By setting your Wi-Fi hotspot’s Service Set Identifier (SSID) to something quippy:

According to The West Australian, a passenger on QF481 spotted a Wi-Fi hotspot titled “Mobile Detonation Device” and advised a crew member. It wasn’t clear what mobile device it was linked to or where the device was located.

The crew member informed the captain, who then broadcast a message to passengers. Passenger John Vidler told the publication the pilot said the device needed to be located before the flight could depart.

If somebody put a bomb on board would they use Wi-Fi to detonate it? Probably not. That would require being in close proximity to the device, whereas cellular devices, which are commonly used as remote detonators, allow the perpetrator to be somewhere else in the world. If a bomber did use a Wi-Fi detonator would they set it to broadcast an SSID that indicated it was a detonator? Most likely not. That would increase the chances of the device being discovered before it could be detonated. Holding the flight until the device was located was an overreaction.

In addition to being an overreaction it also gives individuals interested in interfering with airline service a cheap and effective means of accomplishing their goals. With little more than a Wi-Fi access point you can perform a denial of service attack against an airplane.

Written by Christopher Burg

May 10th, 2016 at 10:00 am

Why Democracy Sucks Part XXI

with one comment

Barack Obama is once again pushing science fiction as official policy. As usual this has caused a great many ignorant individuals to voice their unqualified opinions on the matter. Surprisingly, in a sea of shitty media discussion, one publication managed to hit the nail on the head as far as the entire smart gun discussion is concerned:

Guns are a technology, and, like most members of the general public, gun control advocates are thoroughly confused about how guns operate outside of Hollywood — as in, “the Internet is a series of tubes”-level confused. It’s hard for me to overstate just how bad it is out there, even among much of the gun-owning public.

[…]

This, then, is what the NRA is terrified of: that lawmakers who don’t even know how to begin to evaluate the impact of the smallest, most random-seeming feature of a given firearm on that firearm’s effectiveness and functionality for different types of users with different training backgrounds under different circumstances will get into the business of gun design.

And they’re right to be afraid, because it has happened before.

You can substitute gun owners for the National Rifle Association (NRA) since the opposition isn’t limited to just that organization. But the point stands: most lawmakers are entirely ignorant about the technology behind firearms. That brings us to today’s lesson: democracy sucks.

Somewhere along the line the idea that everybody is entitled to their opinion morphed into the idea that everybody’s opinion is equally valid. That idea is nonsense. A theoretical physicist should no more regard my opinion of his work than I should regard the opinion of somebody who has never studied basic mathematics on an algorithm I’ve written. When somebody lacks the basic fundamental knowledge of a field their opinion on that field is not equally as valid as an expert’s.

But such facts are irrelevant to democracy since it is a system where a majority of a voting body makes the rules. Here in the United States that voting body is Congress. Congress is composed of members elected by the majority of their constituents. In the end the only qualification somebody has to have to rule on something in the United States is charisma. This becomes a major problem as soon as members of Congress decide to write a law because they — along with their peers — are entirely ignorant on the subject the law pertains to.

Issues revolving around firearms are being decided by people who are entirely ignorant about firearms. When the issue of smart guns arises the problem is compounded by the same people’s ignorance on computer technology. In the end you have people who know nothing about the technology being discussed voting on how that technology is to be used.

Imagine if we applied democracy to an engineering feat such as building a bridge. Instead of having architects, structural engineers, material engineers, and construction workers designing and building a structurally sound bridge we’d have a bunch of ignorant lawyers voting on how they thought the bridge should be designed and built. The only outcome of that would be failure. If we don’t apply democracy to building a bridge why do we think it’s an acceptable means of mandating laws involving technology?

Sending The Wrong Messages

without comments

Any decent self-defense instructor will point out that the most important aspect of self-defense is situational awareness. If you are aware of your surroundings you have a far better chance of avoiding a fight entirely, which is the best form of self-defense.

The rise of mobile phones has seemingly hampered a great many people’s situational awareness. It’s not uncommon to see people walking around entirely unaware of their surroundings because their faces are looking down at their phones. This phenomenon has become so prevalent that one city is experimenting with crosswalk signals embedded in the ground:

Foreign visitors frequently wonder why crowds of Germans wait for traffic lights to turn green when there are no cars in sight.

That is why officials in the city of Augsburg became concerned when they noticed a new phenomenon: Pedestrians were so busy looking at their smartphones that they were ignoring traffic lights.

The city has attempted to solve that problem by installing new traffic lights embedded in the pavement — so that pedestrians constantly looking down at their phones won’t miss them.

Part of me thinks this sends the wrong message. When people are walking around they should be paying attention to their surroundings. Not only is it important from a self-defense aspect but it’s important for not running into other pedestrians.

I’m not stupid enough to assume you can convince people to stop looking at their phones when they’re walking around but there may be some middle ground that encourages people to not be looking down. A better solution may be to focus on developing heads-up displays for people to wear so they can somewhat keep their eye on the sidewalk as they read through their messages.

Written by Christopher Burg

April 30th, 2016 at 10:00 am

Don’t Make Vague Threatening Statements When You Carry A Gun

without comments

Sometimes I become complacent in my assumption that gun owners as a whole are a pretty cool group. This is probably because most of my friends who own guns are really awesome people. But then a social issue hits the headlines and I’m reminded that a lot of gun owners are just as big of assholes as a lot of anti-gunners. This post is about one of those gun owners.

Target reiterated its bathroom policy, which is a sensible policy that allows transgender individuals to use the facilities of their gender, and now a bunch of social conservatives are announcing their plan to boycott the store. I have no issues as far as that goes since everybody should be free to associate or disassociate with anybody they choose for whatever reason they choose. But a handful of these social conservatives seem to be having a competition over who can be the biggest asshole about it.

The current winner of this competition may be Anita Staver. Staver felt the need to make a special announcement to alert the world that she will be carrying her firearm into a very specific place:

After Target announced its transgender customers and employees can use store bathrooms that correspond with their gender identity, Orlando-based Liberty Counsel president Anita Staver said she would be taking her Glock .45 into Target’s restrooms, saying the gun “identifies as my bodyguard.”

Most of us who carry a firearm don’t feel the need to specifically announce every single place we’re going to carry it. In fact when one goes out of their way to make a special announcement that they’re going to carry a gun into a place that is currently being featured in heated debates — especially when that announcement contains language that belittles one side of the debate — it might come off as a bit threatening. Just maybe.

If you want to carry a gun, just carry the damn thing. Don’t be an asshole about it. And especially don’t make statements about the fact you carry that could very easily be perceived as threatening to a group of people you openly hold disdain for. In other words, don’t be this asshole.

Written by Christopher Burg

April 28th, 2016 at 10:30 am