A Geek With Guns

Discount security adviser to the proles.

Archive for the ‘You’re Doing it Wrong’ tag

All E-Mail Providers are Snitches But Some are Bigger Snitches Than Others

with one comment

E-mail should be a dead standard in this day and age. By default it offers no confidentiality or anonymity. Even when you use something like GPG to encrypt the contents of your e-mail, the metadata, such as who you communicated with, remains unencrypted. But legacy products like to stick around past their welcome and almost all of us have to deal with e-mail on a daily basis.

This dependency on a legacy product has also been a boon for the State. The snoops working for the State such as the National Security Agency (NSA) and the Federal Bureau of Investigations (FBI) love e-mail because it’s easy to surveil. Not only are the messages unencrypted by default but many providers are more than happy to assist federal agencies in their quest to spy on the general population. It was recently revealed that Yahoo has been one of the e-mail providers in the State’s pocket:

Yahoo Inc last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.

The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events.

Some surveillance experts said this represents the first case to surface of a U.S. Internet company agreeing to an intelligence agency’s request by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.

Stories like this make me happy that Yahoo has been suffering financially. Most technology companies have at least half-heartedly pushed back when the State has demanded all-encompassing surveillance powers. But Yahoo was more than willing to roll up its sleeves and provide the State with everything it asked for. Fortunately, there was at least one decent person in Yahoo during this fiasco. Unfortunately, that person was powerless to stop Yahoo from going through with its dastardly deed:

According to two of the former employees, Yahoo Chief Executive Marissa Mayer’s decision to obey the directive roiled some senior executives and led to the June 2015 departure of Chief Information Security Officer Alex Stamos, who now holds the top security job at Facebook Inc.

I’d say he was well rewarded for standing up for what he believed in. Facebook is raking in cash so he’s almost certainly being paid far better. And while Facebook is a major player in the State’s surveillance apparatus the company has at least shown a willingness to provide customers with secure means of communications by allowing WhatsApp, one of its acquisitions, to implement the Signal protocol and even implemented optional end-to-end encryption in its Messenger app.

This is the point where I’d recommend that Yahoo’s users abandon its e-mail service for a more reputable one. But I doubt anybody reading this is actually using Yahoo’s e-mail service. But if you are a statistical anomaly and still using it you should stop. Yahoo has zero interest in protecting your privacy.
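The opening point of this post, that GPG protects the body but leaves the metadata readable, can be seen by parsing an encrypted message the way a relay or provider would. This is an added example, not part of the original post; the message, addresses and hosts are constructed, and `observer_view` is a hypothetical helper name.

```python
import email
from email import policy
from email.utils import getaddresses

# Constructed sample: an OpenPGP/MIME (RFC 3156) message as a mail relay sees it.
# Addresses, hosts and the ciphertext placeholder are made up for this example.
RAW_MESSAGE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net with ESMTPS; Wed, 05 Oct 2016 10:30:00 -0500
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Cc: carol@example.com
Subject: Meeting notes
Date: Wed, 05 Oct 2016 10:29:58 -0500
Message-ID: <constructed-1@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
\tboundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----

--b1--
"""


def observer_view(raw: str) -> dict:
    """Return what anyone handling the message can read without the private key."""
    msg = email.message_from_string(raw, policy=policy.default)

    # Envelope headers are plain text: GPG only wraps the MIME body.
    people = getaddresses(
        [str(v) for h in ("From", "To", "Cc") for v in msg.get_all(h, [])]
    )
    encrypted = (
        msg.get_content_type() == "multipart/encrypted"
        and msg.get_param("protocol") == "application/pgp-encrypted"
    )
    return {
        "correspondents": sorted(addr for _, addr in people if addr),
        "subject": str(msg["Subject"]),            # not covered by body encryption
        "sent": msg["Date"].datetime.isoformat(),  # when the exchange happened
        "relay_hops": len(msg.get_all("Received", [])),
        "body_encrypted": encrypted,
        "body_part_types": [p.get_content_type() for p in msg.iter_parts()],
    }


if __name__ == "__main__":
    for field, value in observer_view(RAW_MESSAGE).items():
        print(f"{field}: {value}")
```

Only the `application/octet-stream` part is opaque to the observer; every other field in the result is recovered without any key.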

Written by Christopher Burg

October 5th, 2016 at 10:30 am

Have an Offsite Backup of Your Data

with one comment

It’s a good idea to have a bug out bag in case there’s an emergency such as a house fire where you have to evacuate immediately. For the same reason it’s a good idea to have an offsite backup of your important data. You don’t want to be the guy who has to run into a burning building to save the only copy of his novel:

A fire inside a blighted house in Broadmoor quickly spread to a nearby multiplex Thursday, sending residents rushing to safety and one — a novelist worried about losing his life’s work — back inside to save his laptop.


Gideon Hodge, 35, describes himself as a playwright, novelist and actor. When his fiancée told him that their apartment was on fire, he left work in Mid-City and rushed to the scene. That’s when he realized that his only copies of two completed novels were on a laptop inside.

Clad in a T-shirt that said #photobomb next to an illustration of the Joker photobombing Batman and Robin, Hodge dashed into the building. He ran past the smoke and the firefighters yelling at him to stop and managed to grab the precious laptop.

I back up my important data to Amazon Glacier with Arq. What I like about Amazon Glacier is the price: $0.007 per gigabyte in the Ireland region. What I like about Arq is that it encrypts the data before uploading it to Amazon Glacier.

Amazon Glacier starts costing you real money when you want to retrieve your backups. But that’s a price I’m willing to pay because the chances of me needing those offsite backups are slim so I don’t want to pay a sizable storage fee. In addition to having cheap storage, Amazon Glacier also allows me to select the region I back up to. You probably noticed that I mentioned the Ireland region. Your offsite backups should be geographically separated from you. An earthquake that takes out your home could also take out nearby data centers. If your offsite backup is stored in a nearby data center you might lose both your local and offsite backups. Few things short of full scale nuclear war are likely to wipe out both my local and offsite backups and if something that bad happens I don’t think my data will be terribly important to me.

If you’re prepared enough to assemble a bug out bag you should also set up an offsite backup plan as part of your disaster preparedness.

Written by Christopher Burg

September 21st, 2016 at 10:00 am

DEA Decides to Generate More Revenue

with one comment

While the government claims the war on drugs is being waged to protect the people, anybody with a brain realizes that it’s about generating revenue. Many of the drugs prohibited by the war, such as cannabis, are far less dangerous than the drugs that remain legal, such as alcohol. However, the war on drugs has opened the door for civil forfeiture, an exponential increase in slave labor, widespread surveillance, and heavily armed revenue generators law enforcers.

New drugs are being added to the prohibited list every year. Each one of those new drugs is another opportunity for the State to steal more wealth and kidnap more slave laborers. This year the Drug Enforcement Agency (DEA) wants to add kratom to Schedule I:

The U.S. Drug Enforcement Administration is moving to place the herbal supplement kratom on its list of Schedule I drugs, effectively banning a naturally occurring psychoactive substance that some say holds promise as a therapy for opioid addiction.

The DEA, in a notice published in the Federal Register this week, said it wants to include two active kratom ingredients in its most restrictive classification of drugs with high potential for abuse and no known medical benefit, signaling that the government considers the plant as dangerous as heroin. The scheduling move would last for two years, with a possible extension of an additional year, and would go into effect at the end of September.

Kratom, like cannabis, is a plant, not some chemical concoction that has to be synthesized. This means that the DEA is effectively waging another war on nature. The advantage of this, to the DEA, is that it can’t win a war against nature so the struggle against the kratom menace would be a perpetual revenue stream for the agency. Also like cannabis, kratom is used medicinally:

Kratom is made from the leaves of Mitragyna speciosa, a Southeast Asian tree related to coffee, and has been consumed in Asia for millennia, typically as a tea or powder. The herb contains alkaloids that appear to activate opioid receptors in the brain and reduce pain. Although most opioids have sedative qualities, low to moderate doses of kratom serve as a mild stimulant.

The advantage of targeting a medicinal plant is that people who use kratom to treat their pain are likely to ignore the prohibition so they can continue living a less painful existence. That means the DEA has a good pool of victims it can exploit for cash and slave labor.

Of course the DEA is citing the usual crap about addiction, health effects, etc. However, all of those things apply to alcohol, tobacco, and other drugs that aren’t prohibited. Furthermore, Asian countries have been using kratom for ages to no widespread negative effect. And even if kratom has serious side-effects they’re far less deadly than law enforcers burning babies with flashbang grenades, shooting family pets, and beating people to within an inch of their lives.

Written by Christopher Burg

September 2nd, 2016 at 10:00 am

Silencing the Opposition

without comments

While the court system is used from time to time to settle legitimate disputes between individuals, it’s becoming more and more common for the court system to be used to silence dissenting voices. That’s what’s happening in Waller County, Texas:

A Texas county sued a gun-rights activist who has complained that county officials were unlawfully barring firearms from being brought into a public building.


Holcomb has sent letters to more than 75 local governments and other public entities across the state complaining of restrictions placed on license-holders from bringing a firearm into a public arena. Others have filed complaints with the Texas attorney general’s office accusing Austin City Hall, the Dallas Zoo, a nature preserve, a suburban Houston convention center and other places with unlawfully banning firearms. Those complaints are on top of regular fights that rage in Texas over guns, most recently with lawmakers approving the concealed carry of firearms on college campuses.

Texas Carry, the organization Mr. Holcomb is an executive director of, has been notifying a lot of locations that their firearm prohibitions are unlawful. What was the response they received? In the case of Waller County they filed a lawsuit against Mr. Holcomb:

Holcomb argues that the “heavy-handed” decision by Waller County to sue him makes his case much more than a Second Amendment matter.

“We can agree or disagree on the gun issue but this is different than that,” he said, contending that the county’s suit is frivolous and “borderline official oppression.”

There’s nothing borderline about it. Filing a lawsuit against somebody for bringing up the fact that your prohibition may be unlawful is outright official oppression. The county, of course, is claiming that Mr. Holcomb misunderstands the intention of the lawsuit and that the fact the lawsuit is seeking $100,000 in damages was a clerical error. But the supposed goal of the county, to receive an official court ruling on the matter of whether or not an entire courthouse facility can prohibit firearms, could have been easily accomplished without suing Mr. Holcomb.

What seems more likely is that the lawsuit was filed to punish Mr. Holcomb. Even if he managed to win the lawsuit he would face notable legal expenses that could likely only be recouped by filing a countersuit. Lawsuits send a clear message to the public, which is that anybody causing trouble for the State will be legally harassed at a minimum.

I hope this lawsuit is dismissed for what it is, a thinly veiled attempt to punish Mr. Holcomb for not being a good little slave.

Written by Christopher Burg

August 9th, 2016 at 10:00 am

You Ought to Trust the Government with the Master Key

with one comment

The Federal Bureau of Investigations (FBI) director, James Comey, has been waging a war against effective cryptography. Although he can’t beat math he’s hellbent on trying. To that end, he and his ilk have proposed schemes that would allow the government to break consumer cryptography. One of those schemes is called key escrow, which requires that anything encrypted by a consumer device be decipherable with a master key held by the government. It’s a terrible scheme because any actor that obtains the government’s master key will also be able to decrypt anything encrypted on a consumer device. The government promises that such a key wouldn’t be compromised but history shows that there are leaks in every organization:

A FBI electronics technician pleaded guilty on Monday to having illegally acted as an agent of China, admitting that he on several occasions passed sensitive information to a Chinese official.

Kun Shan Chun, also known as Joey Chun, was employed by the Federal Bureau of Investigation since 1997. He pleaded guilty in federal court in Manhattan to one count of having illegally acted as an agent of a foreign government.

Chun, who was arrested in March on a set of charges made public only on Monday, admitted in court that from 2011 to 2016 he acted at the direction of a Chinese official, to whom he passed the sensitive information.

If the FBI can’t even keep moles out of its organization how are we supposed to trust it to guard a master key that would likely be worth billions of dollars? Hell, the government couldn’t even keep information about the most destructive weapons on Earth from leaking to its opponents. Considering its history, especially stories like this involving government agents being paid informants to other governments, there is no way to reasonably believe that a master key to all consumer encryption wouldn’t get leaked to unauthorized parties.

Written by Christopher Burg

August 3rd, 2016 at 10:00 am

To the Gulags, Slaves

with 2 comments

The centrally planned paradise of Venezuela is falling apart. People are starving. Animals are starving. And President Maduro keeps making the situation worse by ordering even more central planning. His latest decree, a socialist favorite, is to allow the government to force people to work in the fields:

International human rights activists are complaining that new laws have introduced forced labour in Venezuela.

“A new decree establishing that any employee in Venezuela can be effectively made to work in the country’s fields as a way to fight the current food crisis is unlawful and effectively amounts to forced labor,” Amnesty International said in a statement released on Thursday.

President Nicolás Maduro signed a decree at the end of last week that gives powers to the labor ministry to order “all workers from the public and private sector with enough physical capabilities and technical know-how” to join a government drive aimed at increasing food production.

They can be required to work in the agricultural sector for a 60-day period that can be extended for another 60 days “if the circumstances require it.”

I’m sure mandatory field work can be extended for an infinite number of 60-day periods.

President Maduro is either ignorant of history or a sadistic son of a bitch. The Soviet Union tried collectivizing agriculture and forcing people to work fields and the country never fully recovered from it. Bread lines were the norm until they were replaced by starvation. If you’re a student of history you know that making people slaves does not motivate them to work harder. Instead they work as little as possible to avoid being beaten too severely because they’re not getting anything for their efforts. I guarantee that the poor Venezuelans that are forced to work in the fields will produce very little foodstuff. And why should they? They don’t want to be there, they’re not knowledgeable in the skills of agriculture, and they have every right to resist since they’re being coerced.

Venezuela is fucked. It should go down in the history books as yet another demonstration of the futility of central planning.

Written by Christopher Burg

August 2nd, 2016 at 10:00 am

Garbage In, Garbage Out

with one comment

In computer science the term garbage in, garbage out is used frequently to note that if you have garbage data as an input you will get garbage data as an output. This is applicable in any research. A new study has been released that claims there is no racial bias in police use of lethal force in the United States. Quite a few people have jumped on this because it supports their bias that there isn’t a problem with policing in this country. However, Radley Balko points out a serious flaw in the study. It uses reports written by police officers:

For the purpose of the discussion, let’s break shootings and killings by police into three categories: incidents that were illegal and unnecessary, incidents that were legal and necessary, and incidents that were legal but unnecessary. If you’re asking whether current laws and policies allow for too many police shootings, looking at how many shootings are justified under current law and policy is just question begging. It’s that last category — legal but unnecessary — that we want to explore. Unfortunately, it’s also a category that is plagued by subjectivity and the simple fact noted above: Most of the data we have comes from police reports themselves.

If we were to compile statistics on, say, medical mistakes in an effort to make policies that would improve the state of medicine, we wouldn’t get all of our data from written statements by the accused doctors or hospitals. If we wanted to compile data on conflicts of interest in politics, we wouldn’t rely on members of politicians to self-report and adjudicate when their vote may have been influenced by a campaign donation. But this is essentially what we do with shootings by police officers.

The study is simply an extension of the phrase, we investigated ourselves and found that we did nothing wrong. Studying police use of force in the United States is difficult because most of the data is created by the police themselves. There is very little third-party oversight and what little exists is usually tied to the law enforcement community in some manner.

I’m sure Jeronimo Yanez, the officer who killed Philando Castile, wrote a report that exonerated him of wrongdoing. This isn’t just because he wants to avoid punishment but also because he probably wants to justify his actions to himself. We humans are great at twisting logic to justify our actions to ourselves. Thieves will tell themselves that since the person they were stealing from was wealthy no real harm occurred to him and therefore the theft was justified. Domestic abusers will tell themselves that they have to hit their partner in order to teach them important lessons. Police, likewise, will tell themselves that lethal force was necessary to preserve their lives. We cannot rely on the reports thieves, domestic abusers, and police write about their own actions because they are necessarily biased. So long as we rely on such data as our input we’re going to get garbage as our output.

Written by Christopher Burg

July 15th, 2016 at 10:30 am

Incentives Matter

with one comment

I’ve been focusing a lot on the law enforcers as of late but I think it’s important to also take a look at the people who create the laws. Specifically, what incentives they put forward for enforcing different laws.

What does a law enforcement department receive when they solve a murder, robbery, or rape? Perhaps some respect from the community and the gratitude of the victims.

What does a law enforcement department receive when they go after a suspected drug user or seller? A percentage of the proceeds from the property taken under civil forfeiture.

What does a law enforcement department receive when they write a traffic citation? Here in Minnesota, as I’m sure is true with most other states, a percentage goes to the cities, which usually give that money back to their law enforcement department.

The law enforcers are focusing on the crimes that the politicians have incentivized them to focus on. The fact that the politicians are incentivizing crimes such as drug manufacturing, selling, and use over murder, robbery, and rape should be damning.

Written by Christopher Burg

July 12th, 2016 at 10:00 am

All Full-Disk Encryption isn’t Created Equal

without comments

For a while I’ve been guarded when recommending Android devices to friends. The only devices I’ve been willing to recommend are those like the Google Nexus line that receive regular security updates in a timely manner. However, after this little fiasco I don’t know if I’m willing to recommend any Android device anymore:

Privacy advocates take note: Android’s full-disk encryption just got dramatically easier to defeat on devices that use chips from semiconductor maker Qualcomm, thanks to new research that reveals several methods to extract crypto keys off of a locked handset. Those methods include publicly available attack code that works against an estimated 37 percent of enterprise users.

A blog post published Thursday revealed that in stark contrast to the iPhone’s iOS, Qualcomm-powered Android devices store the disk encryption keys in software. That leaves the keys vulnerable to a variety of attacks that can pull a key off a device. From there, the key can be loaded onto a server cluster, field-programmable gate array, or supercomputer that has been optimized for super-fast password cracking.


Beniamini’s research highlights several other previously overlooked disk-encryption weaknesses in Qualcomm-based Android devices. Since the key resides in software, it likely can be extracted using other vulnerabilities that have yet to be made public. Beyond hacks, Beniamini said the design makes it possible for phone manufacturers to assist law enforcement agencies in unlocking an encrypted device. Since the key is available to TrustZone, the hardware makers can simply create and sign a TrustZone image that extracts what are known as the keymaster keys. Those keys can then be flashed to the target device. (Beniamini’s post originally speculated Qualcomm also had the ability to create and sign such an image, but the Qualcomm spokeswoman disputed this claim and said only manufacturers have this capability.)

Apple designed its full-disk encryption on iOS very well. Each iOS device has a unique key referred to as the device’s UID that is mixed with whatever password you enter. In order to brute force the encryption key you need both the password and the device’s UID, which is difficult to extract. Qualcomm-based devices rely on a less secure scheme.

But this problem has two parts. The first part is the vulnerability itself. Full-disk encryption isn’t a novel idea. Schemes for properly implementing full-disk encryption have been around for a while now. Qualcomm not following those schemes puts into question the security of any of their devices. Now recommending a device involves ensuring both that the handset manufacturer releases updates in a timely manner and that it isn’t using a Qualcomm chipset. The second part is the usual Android problem of security patch availability being hit or miss:

But researchers from two-factor authentication service Duo Security told Ars that an estimated 37 percent of all the Android phones that use the Duo app remain susceptible to the attack because they have yet to receive the patches. The lack of updates is the result of restrictions imposed by manufacturers or carriers that prevent end users from installing updates released by Google.

Apple was smart when it refused to allow the carriers to be involved in the firmware of iOS devices. Since Apple controls iOS with an iron fist it also prevents hardware manufacturers from interfering with the availability of iOS updates. Google wanted a more open platform, which is commendable. However, Google failed to maintain any real control over Android, which has left users at the mercy of the handset manufacturers. Google would have been smart to restrict the availability of its proprietary applications to manufacturers who make their handsets pull Android updates directly from Google.
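The difference this post draws between a device secret that software can read and one that stays inside hardware can be modeled in a few lines. This is an added example, not code from the post, Apple or Qualcomm; the derivation (HMAC followed by PBKDF2), the 4-digit PIN, the guess limit and all names are assumptions chosen for illustration, and the derived key stands in for "this key decrypts the disk".

```python
import hashlib
import hmac
import os

ITERATIONS = 100      # deliberately tiny so the demo finishes quickly
PIN_SPACE = 10_000    # every 4-digit PIN


def derive_key(pin: str, salt: bytes, device_secret: bytes) -> bytes:
    """Mix the PIN with a per-device secret, then stretch the result."""
    mixed = hmac.new(device_secret, pin.encode(), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", mixed, salt, ITERATIONS)


class HardwareBoundStore:
    """Model of hardware whose secret can be used but never read out."""

    MAX_ATTEMPTS = 10  # assumed guess limit, for illustration only

    def __init__(self) -> None:
        self.__uid = os.urandom(32)  # stands in for a non-exportable device key
        self.attempts = 0

    def enroll(self, pin: str, salt: bytes) -> bytes:
        return derive_key(pin, salt, self.__uid)

    def try_pin(self, pin: str, salt: bytes) -> bytes:
        if self.attempts >= self.MAX_ATTEMPTS:
            raise PermissionError("guess limit reached")
        self.attempts += 1
        return derive_key(pin, salt, self.__uid)


def off_device_search(disk_key: bytes, salt: bytes, device_secret: bytes):
    """Test every PIN using only material that has been copied off the device."""
    for n in range(PIN_SPACE):
        pin = f"{n:04d}"
        if hmac.compare_digest(derive_key(pin, salt, device_secret), disk_key):
            return pin
    return None


def compare_schemes(pin: str = "0420") -> dict:
    salt = os.urandom(16)  # stored next to the encrypted data in both schemes

    # Scheme A: the device secret is reachable by software, so it can be copied.
    software_secret = os.urandom(32)
    key_a = derive_key(pin, salt, software_secret)
    recovered_a = off_device_search(key_a, salt, software_secret)

    # Scheme B: the secret never leaves hardware; the copy lacks it.
    hw = HardwareBoundStore()
    key_b = hw.enroll(pin, salt)
    recovered_b = off_device_search(key_b, salt, b"")

    # Without the secret, guesses must go through the device, which can refuse.
    allowed = 0
    try:
        for n in range(PIN_SPACE):
            hw.try_pin(f"{n:04d}", salt)
            allowed += 1
    except PermissionError:
        pass

    return {
        "extractable_secret": recovered_a,
        "hardware_bound_secret": recovered_b,
        "on_device_guesses_allowed": allowed,
    }


if __name__ == "__main__":
    print(compare_schemes())
```

With the secret extractable, the whole PIN space is searched wherever the copied material ends up; with it bound to hardware, the same search finds nothing and the device decides how many guesses are permitted.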

Written by Christopher Burg

July 5th, 2016 at 10:30 am

The B-Team

with one comment

In 2016 a wannabe commando unit was sent to a holding cell by a civilian judge to stand trial for a crime they did commit. These men promptly escaped from jail to the New York City underground by posting bail. Today, still wanted by the police, they survive as soldiers of fortune. If you have a problem, if no one else can help, and if you can’t afford anybody better, maybe you can hire the B-Team.

John Cramsey’s 20-year-old daughter died from a heroin overdose four months earlier in Allentown, Pennsylvania.

He and two friends Dean Smith and Kimberly Arendt were stopped by police for driving with a cracked windscreen.

They told the arresting police officers that they were a group of vigilantes on their way to rescue a teenage girl.

I know this story is going to raise a lot of questions. For starters, how did the police identify this crack commando team? Obviously they went to great lengths to be as inconspicuous as possible…


Nothing says inconspicuous like a truck with neon green tastelessly plastered all over it. The target reticle painted on the side is a nice touch as well. I’m sure you’re wondering what the B-Team’s load out was.

A camouflage helmet, seven guns including rifles, and knives were recovered from the car, as well as cannabis, body armour and 2,000 rounds of ammunition.

2,000 rounds of ammunition? I bet they were planning on using discount Mini-14s (Is there a discount Mini-14? Maybe, like, a Hi-Point carbine or something?) and didn’t plan to hit anything they shot at.

Written by Christopher Burg

June 24th, 2016 at 10:30 am