A Geek With Guns

Discount security adviser to the proles.

Archive for the ‘You’re Doing it Wrong’ tag

Airport Security Isn’t The Only Security The TSA Sucks At


The Transportation Security Administration (TSA) sucks at providing airport security. But the agency isn’t a one trick pony. Demonstrating its commitment to excellence — at sucking — the TSA is working hard to make its computer security just as good as its airport security:

The report centers on the way TSA (mis)handles security around the data management system which connects airport screening equipment to centralized servers. It’s called the Security Technology Integrated Program (STIP), and TSA has been screwing it up security-wise since at least 2012.

In essence, TSA employees haven’t been implementing STIP properly — that is, when they’ve been implementing it at all.

STIP manages data from devices we see while going through security lines at airports, namely explosive detection systems, x-ray and imaging machines, and credential authentication.

[…]

In addition to unpatched software and a lack of physical security that allowed non-TSA airport employees access to IT systems, the auditors found overheated server rooms and computers using unsupported systems — and much more.

The observed “lack of an established disaster recovery capability” noted by the OIG is particularly scary. If a data center was taken out by natural disaster, passenger screening and baggage info would be rendered inaccessible.

Not only that, but there was no security incident report process in place, and there was “little employee oversight in maintaining IT systems.” And, auditors were not pleased at all that non-TSA IT contractors maintained full admin control over STIP servers at airports.

At what point do we write the TSA off as a failed experiment? I know, it’s a government agency, it’ll never go away. But the fact that the TSA continues to fail at everything and is allowed to continue existing really demonstrates why the market is superior to the State. Were the TSA forced to compete in a market environment it would have been bankrupted and its assets would have been sold to entrepreneurs who might be able to put them to use.

It’s time to ask the million dollar question: what will happen now? One of the reasons government agencies fail to improve their practices is that there’s no motivation to do so. A government agency can’t go bankrupt and very rarely do failures lead to disciplinary action. In the very few cases where disciplinary action does happen it’s usually something trivial such as asking the current head of the agency to retire with full benefits.

Meanwhile air travelers will still be required to submit to the TSA, which not only means going through security theater but now potentially means having their personal information, such as images from the slave scanners, leaked to unauthorized parties.

Why Does The TSA Suck? It’s Your Fault You Stupid Slave!


The Transportation Security Administration (TSA) has been receiving a lot of well deserved flak in recent months. Security theater lines have been growing and now the TSA recommends air travelers show up two hours early to ensure they get through. It reminds me of the Department of Motor Vehicles (DMV). When wait times increase the agency doesn’t hire more staff or make its processes more efficient, it demands people take more time out of their day. This shouldn’t surprise anybody though. Nobody has the option of using a competitor to the TSA, DMV, or any other government agency so the agencies have no motivation to improve their service.

But the public is pissed, which means boring congressional hearings could be in the TSA’s future. Probably hoping to avoid going to yet another meeting where they have to pretend to pay attention while congress members pretend to provide oversight, the heads of the TSA are trying to find some reason for its failure that will satiate the public. I doubt the reason it’s giving will work though since it’s resorted to blaming everybody besides itself:

The comments reflect a statement released earlier this week after long lines were reported at Newark, JFK and LaGuardia airport security checkpoints. When asked about those long lines, the TSA essentially blamed you in a press release, specifically passengers who bring too many carry-on items:

There are several factors that have caused checkpoint lines to take longer to screen passengers… including more people traveling with carry-on bags, in many cases bringing more than the airline industry standard of one carry-on bag and one personal item per traveler;

Passenger preparedness can have a significant impact on wait times at security checkpoints nationwide…Individuals who come to the TSA checkpoint unprepared for a trip can have a negative impact on the time it takes to complete the screening process.”

Not surprisingly, it’s also blaming air passengers for not paying the agency its desired extortion fee:

In the past three years, the TSA and Congress cut the number of front-line screeners by 4,622 — or about 10 percent — on expectations that an expedited screening program called PreCheck would speed up the lines. However, not enough people enrolled for TSA to realize the anticipated efficiencies.

Perhaps the TSA should look inward. One of the biggest contributing factors to the length of security theater lines is likely the agency’s inconsistency. If you know what you have to do when you reach the checkpoint you can prepare ahead of time. For example, you might untie or entirely remove your shoes and take off your belt. You might also remove your liquids and laptop from your bags. When you arrive at the actual checkpoint you can efficiently put everything through the x-ray machine, opt out of the slave scanner, and be through as quickly as possible. But you can’t prepare yourself ahead of the checkpoint because you have no idea what you’ll be expected to do until some idiot with a badge is barking orders at you.

If PreCheck is supposed to help reduce wait times and the TSA is actually committed to reducing wait times, the agency should make the program free. That would encourage more people to sign up for it. You can tell that the program is more about extorting the public than making wait times shorter by the simple fact that PreCheck isn’t free (and since the TSA is a government agency it doesn’t have to concern itself with making a profit, so making the program free wouldn’t be a big deal).

Businesses know that the customer is usually right. A private security provider knows that absurdly long wait times in line will reflect negatively on the venue that hired them, which may hinder their chances of getting another contract in the future. Because of that they are more motivated to make the screening process as efficient as possible. They don’t tell an angry venue owner that the wait times are due to the incompetence of the customers because that excuse isn’t going to fly. But the government doesn’t have customers, it has citizens (which is a fancy term for people being preyed on by the State). That being the case, it has no problem blaming its own failures on its citizens.

Written by Christopher Burg

May 18th, 2016 at 11:00 am

I Guess Oracle Will Sue MariaDB Next


Oracle is still butthurt over the fact that it snapped up Java when it purchased Sun Microsystems and still hasn’t figured out how to make it profitable. Google on the other hand, managed to take the Java application programming interface (API) and use it for Android, which is turning the company a tidy profit. After getting its ass handed to it in court only to have a dimwitted judge reverse the decision, Oracle is pushing forward with its desperate attempt to get its hands on some of the wealth Google created. Oracle is now claiming that Google owes damages. Why? Apparently because it’s offering Android for free:

Catz also testified that Oracle’s Java licensing business was hurt by Android. Customers that used to buy licenses for Java, including Samsung, ZTE, Motorola, and others, don’t buy licenses from Oracle anymore. “They don’t take a license from us anymore, because they use Android, which is free,” she said.

Licensing contracts that used to be $40 million deals are now $1 million deals, Catz said. She gave the example of Amazon, which was formerly a customer but chose to go with Android for the Kindle Fire. When Amazon came out with its popular mid-range Kindle, the Paperwhite, the e-reader company chose to license Java only after Oracle offered a massive discount.

“In order to compete, we ended up giving a 97.5 percent discount for the Paperwhite,” she said, “because our competition was free.”

As for the mobile licensing business, since the launch of Android, it has performed “very, very poorly,” Catz said.

What’s next? Will Oracle sue the people behind MariaDB? For those who don’t know, MariaDB is a fork of MySQL, which is another product that Oracle acquired when it purchased Sun Microsystems. MariaDB, like the Android API, is a free product based on software Oracle acquired through its purchase of Sun Microsystems that could be taking market share from its expensive software!

Should manufacturers and developers of a product that’s sold directly for money be able to sue competitors who offer a free alternative? If you ask some antitrust supporters the answer is yes. But if you ask anybody with a brain the answer is no.

Consider Oracle’s situation. Android basically ate its lunch because nobody is buying its mobile Java software. Does that indicate that Google is somehow at fault because it made Android free? No. Such an assumption would imply that free products always win in the market, when that isn’t the case. Sometimes a free product is so shitty that an expensive alternative still wins out. Consider Microsoft Windows. It’s still the most popular desktop operating system out there even though Linux, FreeBSD, OpenBSD, and a number of other free alternatives exist. Why? Because Windows offers features that consumers want and the alternatives don’t offer. Software compatibility, driver support, etc. are desirable features to many people. So desirable in fact that they’re willing to pay for them even though a free alternative exists. Without those features consumers see the free alternatives as so shitty that the savings associated with using them aren’t worth it. In spite of what the famous saying says, you actually can compete with free.

Android isn’t winning over mobile Java simply because it’s free. It’s winning because it offers features that consumers want. There is a massive software library available for Android that isn’t available for mobile Java. Google includes many desirable applications including clients for its popular Maps and Gmail services. Hardware developers want consumers to buy their phones so they tend to favor software that consumers want, which is part of the reason so many Android mobile devices exist while so few Windows ones do.

Google isn’t responsible for Oracle’s dwindling mobile Java profits, Oracle is for not making it a compelling product.

Written by Christopher Burg

May 18th, 2016 at 10:00 am

Performing Denial Of Service Attacks Against Airliners Is Ridiculously Simple


How can you shut down an airline service? By setting your Wi-Fi hotspot’s Service Set Identifier (SSID) to something quippy:

According to The West Australian, a passenger on QF481 spotted a Wi-Fi hotspot titled “Mobile Detonation Device” and advised a crew member. It wasn’t clear what mobile device it was linked to or where the device was located.

The crew member informed the captain, who then broadcast a message to passengers. Passenger John Vidler told the publication the pilot said the device needed to be located before the flight could depart.

If somebody put a bomb on board would they use Wi-Fi to detonate it? Probably not. That would require being in close proximity to the device, whereas cellular devices, which are commonly used as remote detonators, allow the perpetrator to be somewhere else in the world. If a bomber did use a Wi-Fi detonator would they set it to broadcast an SSID that indicated it was a detonator? Most likely not. That would increase the chances of the device being discovered before it could be detonated. Holding the flight until the device was located was an overreaction.

In addition to being an overreaction it also gives individuals interested in interfering with airline service a cheap and effective means of accomplishing their goals. With little more than a Wi-Fi access point you can perform a denial of service attack against an airplane.

Written by Christopher Burg

May 10th, 2016 at 10:00 am

The War Against Privacy


If you read the erroneously named Bill of Rights (which is really a list of privileges, most of which have been revoked) you might be left with the mistaken impression that you have a right to privacy against the State. From the National Security Administration’s (NSA) dragnet surveillance to local police departments using cell phone interceptors, the State has been very busy proving this wrong. Not to be outdone by the law enforcement branches, the courts have been working hard to erode your privacy as well. The most recent instance of this is a proposed procedural change:

The Federal Rules of Criminal Procedure set the ground rules for federal criminal prosecutions. The rules cover everything from correcting clerical errors in a judgment to which holidays a court will be closed on—all the day-to-day procedural details that come with running a judicial system.

The key word here is “procedural.” By law, the rules and proposals are supposed to be procedural and must not change substantive rights.

[…]

But the amendment to Rule 41 isn’t procedural at all. It creates new avenues for government hacking that were never approved by Congress.

The proposal would grant a judge the ability to issue a warrant to remotely access, search, seize, or copy data when “the district where the media or information is located has been concealed through technological means” or when the media are on protected computers that have been “damaged without authorization and are located in five or more districts.” It would grant this authority to any judge in any district where activities related to the crime may have occurred.

In layman’s terms the change will grant judges the ability to authorize law enforcers to hack into any computer using Tor, I2P, a virtual private network (VPN), or any other method of protecting one’s privacy (the wording is quite vague and a good lawyer could probably stretch it to include individuals using a public Wi-Fi access point in a restaurant). The point being made with this rule proposal is clear, the State doesn’t believe you have any right to protect your privacy.

This should come as no surprise to anybody though. The State has long held that your right to privacy stops where its nosiness begins. You’re not allowed to legally possess funds the State isn’t aware of (financial reporting laws exist to enforce this), manufacture and sell firearms the State isn’t aware of, or be a human being the State isn’t aware of (registering newborn children for Social Security and requiring anybody entering or leaving the country to provide notice and receive approval from the State).

I’m Satoshi Nakamoto! No, I’m Satoshi Nakamoto!


The price of Bitcoin was getting a little wonky again, which meant that the media must be covering some story about it. This time around the media has learned the real identity of Satoshi Nakamoto!

Australian entrepreneur Craig Wright has publicly identified himself as Bitcoin creator Satoshi Nakamoto.

His admission follows years of speculation about who came up with the original ideas underlying the digital cash system.

Mr Wright has provided technical proof to back up his claim using coins known to be owned by Bitcoin’s creator.

Prominent members of the Bitcoin community and its core development team say they have confirmed his claims.

Mystery solved, everybody go home! What’s that? Wright provided a technical proof? It’s based on a cryptographic signature? In that case I’m sure the experts are looking into his claim:

SUMMARY:

  1. Yes, this is a scam. Not maybe. Not possibly.
  2. Wright is pretending he has Satoshi’s signature on Sartre’s writing. That would mean he has the private key, and is likely to be Satoshi. What he actually has is Satoshi’s signature on parts of the public Blockchain, which of course means he doesn’t need the private key and he doesn’t need to be Satoshi. He just needs to make you think Satoshi signed something else besides the Blockchain — like Sartre. He doesn’t publish Sartre. He publishes 14% of one document. He then shows you a hash that’s supposed to summarize the entire document. This is a lie. It’s a hash extracted from the Blockchain itself. Ryan Castellucci (my engineer at White Ops and master of Bitcoin Fu) put an extractor here. Of course the Blockchain is totally public and of course has signatures from Satoshi, so Wright being able to lift a signature from here isn’t surprising at all.
  3. He probably would have gotten away with it if the signature itself wasn’t googlable by Redditors.
  4. I think Gavin et al are victims of another scam, and Wright’s done classic misdirection by generating different scams for different audiences.

Some congratulations should go to Wright — who will almost certainly claim this was a clever attempt to troll people so he doesn’t feel like a schmuck for being too stupid to properly pull off a scam — for trolling so many people. Not only did the media get suckered but even members of the Bitcoin community fell for his scam hook, line, and sinker.
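The trick described in the quoted summary works only against a verifier who accepts a hash handed over by the claimant instead of hashing the full document themselves. The following is an added illustration, not code from this post or from the quoted analysis: it uses Go’s standard ECDSA over P-256 with a single SHA-256 (Bitcoin uses secp256k1 and double SHA-256, but the binding argument is identical) and constructed stand-in data for the “public transaction” and the Sartre excerpt. A signature lifted from the public record verifies over that record’s hash and nothing else, so the proper check rejects it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Proof is what a claimant hands to a verifier: a public key, a DER-encoded
// signature, the document the signature supposedly covers, and a hash the
// claimant asserts is the hash of that document.
type Proof struct {
	Pub         *ecdsa.PublicKey
	Sig         []byte
	Document    []byte
	ClaimedHash []byte
}

// NaiveVerify is the check the scam relies on: it trusts the claimant's hash
// and never looks at the document, so any valid signature over any hash passes.
func NaiveVerify(p Proof) bool {
	return ecdsa.VerifyASN1(p.Pub, p.ClaimedHash, p.Sig)
}

// ProperVerify recomputes the hash from the full document itself. A signature
// lifted from a public record only verifies over that record's hash.
func ProperVerify(p Proof) bool {
	h := sha256.Sum256(p.Document)
	return ecdsa.VerifyASN1(p.Pub, h[:], p.Sig)
}

// BuildScenario constructs an honest proof and a scam proof for the same
// document. All data here is constructed sample data: the key stands in for
// the creator's key and publicRecord for an early public transaction.
func BuildScenario() (honest Proof, scam Proof, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Proof{}, Proof{}, err
	}
	publicRecord := []byte("constructed: bytes of an early public transaction")
	sartre := []byte("constructed: 14% of a Sartre essay")

	// Honest proof: a fresh signature over the hash of the actual document.
	docHash := sha256.Sum256(sartre)
	docSig, err := ecdsa.SignASN1(rand.Reader, key, docHash[:])
	if err != nil {
		return Proof{}, Proof{}, err
	}
	honest = Proof{&key.PublicKey, docSig, sartre, docHash[:]}

	// Scam proof: the only signature the claimant really has is the one over
	// the public record, so they reuse it and present the record's hash as if
	// it were the hash of the Sartre text.
	recHash := sha256.Sum256(publicRecord)
	recSig, err := ecdsa.SignASN1(rand.Reader, key, recHash[:])
	if err != nil {
		return Proof{}, Proof{}, err
	}
	scam = Proof{&key.PublicKey, recSig, sartre, recHash[:]}
	return honest, scam, nil
}

func main() {
	honest, scam, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("honest proof: naive", NaiveVerify(honest), "proper", ProperVerify(honest))
	fmt.Println("scam proof:   naive", NaiveVerify(scam), "proper", ProperVerify(scam))
}
```

The naive verifier accepts both proofs; only hashing the full document yourself exposes the reused signature.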

Written by Christopher Burg

May 3rd, 2016 at 10:00 am

Sending The Wrong Messages


Any decent self-defense instructor will point out that the most important aspect of self-defense is situational awareness. If you are aware of your surroundings you have a far better chance of avoiding a fight entirely, which is the best form of self-defense.

The rise of mobile phones has seemingly hampered a great many people’s situational awareness. It’s not uncommon to see people walking around entirely unaware of their surroundings because their faces are looking down at their phones. This phenomenon has become so prevalent that one city is experimenting with crosswalk signals embedded in the ground:

Foreign visitors frequently wonder why crowds of Germans wait for traffic lights to turn green when there are no cars in sight.

That is why officials in the city of Augsburg became concerned when they noticed a new phenomenon: Pedestrians were so busy looking at their smartphones that they were ignoring traffic lights.

The city has attempted to solve that problem by installing new traffic lights embedded in the pavement — so that pedestrians constantly looking down at their phones won’t miss them.

Part of me thinks this sends the wrong message. When people are walking around they should be paying attention to their surroundings. Not only is it important from a self-defense aspect but it’s important for not running into other pedestrians.

I’m not stupid enough to assume you can convince people to stop looking at their phones when they’re walking around, but there may be some middle ground that encourages people to not be looking down. A better solution may be a focus on developing heads-up displays for people to wear so they can somewhat keep their eye on the sidewalk as they read through their messages.

Written by Christopher Burg

April 30th, 2016 at 10:00 am

Berning The Middle East Down


One thing that marks this presidential election is the complete absence of a mainstream anti-war candidate. In 2008 and 2012 Ron Paul was the predominant anti-war candidate for the Republicans and Obama pretended to be anti-war in his 2008 campaign. But this year not a single major candidate is even pretending to be anti-war. When I point this out somebody inevitably brings up Bernie Sanders but even he isn’t hiding his murderous desires:

QUESTION: Senator Sanders, you said that you think that the U.S. airstrikes are authorized under current law, but does that mean that the U.S. military can lawfully strike ISIS-affiliated groups in any country around the world?

SANDERS: No, it does not mean that. I hope, by the way, that we will have an authorization passed by the Congress, and I am prepared to support that authorization if it is tight enough so I am satisfied that we do not get into a never-ending perpetual war in the Middle East. That I will do everything I can to avoid.

(APPLAUSE)

But the President, no President, has the ability willy-nilly to be dropping bombs or using drones any place he wants.

HAYES: The current authorization which you cite in what Miguel just quoted which is the authorization to use military force after 9/11. That has led to the kill list. This President — literally, there is a kill list. There is a list of people that the U.S. government wants to kill, and it goes about doing it. Would you keep the kill list as President of the United States?

SANDERS: Look. Terrorism is a very serious issue. There are people out there who want to kill Americans, who want to attack this country, and I think we have a lot of right to defend ourselves. I think as Miguel said, though, it has to be done in a constitutional, legal way.

HAYES: Do you think what’s being done now is constitutional and legal?

SANDERS: In general I do, yes.

So he’s hoping, as president, he’ll receive authorization to continue doing what Bush and Obama have already been doing. But even more concerning is his support of the kill list.

I’ve discussed the kill list several times but I’ll summarize the problem with it for the benefit of newer readers. The names that appear on the kill list aren’t people who have been found guilty through due process. In fact we only know a little bit about the secret criteria used to justify adding names to the list and that information only came from an unauthorized leak. Sanders believes murdering foreigners without due process is both constitutional and legal.

To put this as diplomatically as I can, fuck Sanders. Anybody who claims he’s an anti-war candidate is either a liar or ignorant.

Written by Christopher Burg

April 28th, 2016 at 10:00 am

Yet Another Reason Why Democracy Sucks


Democracy has been deified in our society and any dissent is treated as high treason. But I’m here to tell you that democracy sucks.

Democracy is built on the idea that whatever a majority of a voting body decides is somehow just. But what happens when the majority of a voting body decides your so-called rights are mere privileges and furthermore have deemed you no longer need those privileges?

A survey commissioned by the BBC suggests that 63 per cent of UK university students believe the National Union of Students (NUS) is right to have a “no-platform” policy, whereby individuals or groups with opinions deemed to be offensive can be banned from speaking on student union premises.

More than half (54 per cent) of students surveyed also thought the policy should be actively enforced against people who could be found intimidating.

The National Union of Students (NUS) is a democratic organization and a majority of the designated voting body decided to allow censorship on campus student unions. With that simple majority vote, which is also backed up by a majority of surveyed university students, anybody deemed to be supporting an offensive platform is barred from speaking at a location that their tax dollars may very well have funded.

Freedom of speech is a concept used to protect the minority from government censorship. But democracy is a concept that relies on the idea that the will of the majority is correct. The two concepts are opposed to one another because a democracy is oppositional to the minority.

Written by Christopher Burg

April 27th, 2016 at 10:00 am

Dropping 10 Megabyte Cyberwarheads


I’ve been busy finishing up and editing my short story for the Agorist Writers Workshop so I don’t have much for you today… except stupidity.

The idiots that command the State have tried once again to use war as an analogy for hacking and it sounds just as stupid this time as it has every time before:

Defense Secretary Ashton B. Carter is among those who have publicly discussed the new mission, but only in broad terms, and this month the deputy secretary of defense, Robert O. Work, was more colorful in describing the effort.

“We are dropping cyberbombs,” Mr. Work said. “We have never done that before.”

Cyberbombs? Why not cyberclusterbombs? Isn’t the United States government dedicated to wiping out CyberISIS? How many megabytes are these cyberwarheads anyways? I hope we’re not using too little data to get the jobs done!

It’s hard to come up with new jokes at the State’s expense. The people working within it end up taking all of my good material by actually doing what I planned to joke about them doing.

Written by Christopher Burg

April 26th, 2016 at 10:00 am