Friday, January 24, 2014

The Growing Consensus That
NSA Mass Surveillance
Is Unconstitutional And Destructive

--

I've been avidly following the disregard for the US Constitution by #MyStupidGovernment. I keep a folder for collecting articles covering the history of this travesty of personal privacy demolition. I avoid pushing my collection into other people's faces. We all have important and joyful things to do in our lives other than watching the nasty people among humanity ruining everything within reach due to what I call their Self-Destruction Imperative. There's only so much of Other People's Problems any one person can tolerate.

However, this week I've noticed a useful and positive trend in response to President Obama's lame, rhetoric- and baloney-filled speech about reforming NSA mass surveillance. The response has been almost universal condemnation from a variety of perspectives. I'm happy to see that anyone judging otherwise is being shoved aside and left in a small minority. I'm hoping this means that my country is not going to go fascist any time soon, that actual/factual freedom and liberty still ring in the USA, despite political pressure and ignorance attempting to force otherwise.

Here is a string of three posts on the Internet which I like very much. One leads into another. The place to start is an article at TechDirt.com, a terrific website for keeping up with the relationship between technology and the world around us.

Open Letter From Security Researchers Explains How NSA Has Weakened Our Communications Infrastructure
Among the many problems with President Obama's weak statement concerning NSA surveillance was the fact that he didn't even address the serious issue of the NSA undermining cryptography with backdoors. The White House's task force had included a recommendation to end this practice, and the President appeared to ignore it entirely. Now, a large group of US computer security and cryptography researchers have sent a strongly worded open letter to the President condemning these efforts (and his failure to stop the program)….
An Open Letter from US Researchers in Cryptography and Information Security
- January 24, 2014
…The value of society-wide surveillance in preventing terrorism is unclear, but the threat that such surveillance poses to privacy, democracy, and the US technology sector is readily apparent. Because transparency and public consent are at the core of our democracy, we call upon the US government to subject all mass-surveillance activities to public scrutiny and to resist the deployment of mass-surveillance programs in advance of sound technical and social controls. In finding a way forward, the five principles promulgated at http://reformgovernmentsurveillance.com/ provide a good starting point….
Reform Government Surveillance
The undersigned companies believe that it is time for the world’s governments to address the practices and laws regulating government surveillance of individuals and access to their information.

While the undersigned companies understand that governments need to take action to protect their citizens’ safety and security, we strongly believe that current laws and practices need to be reformed.

Consistent with established global norms of free expression and privacy and with the goals of ensuring that government law enforcement and intelligence efforts are rule-bound, narrowly tailored, transparent, and subject to oversight, we hereby call on governments to endorse the following principles and enact reforms that would put these principles into action.
The companies signing these reform principles are:

AOL
Apple
Facebook
Google
LinkedIn
Microsoft
Twitter
Yahoo!

Their five principles are:

1) Limiting Governments' Authority to Collect Users' Information

2) Oversight and Accountability

3) Transparency About Government Demands

4) Respecting the Free Flow of Information

5) Avoiding Conflicts Among Governments


~ ~ ~


Here are a few quotes on the subject that I keep readily at hand to help people understand what's at stake regarding privacy and free speech rights:

The First Amendment to the US Constitution
Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

The Fourth Amendment to the US Constitution
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety. 
- Benjamin Franklin, Historical Review of Pennsylvania, 1759

To announce that there must be no criticism of the president, or that we are to stand by the president, right or wrong, is not only unpatriotic and servile, but is morally treasonable to the American public. 
- Theodore Roosevelt - Kansas City Star (7 May 1918)


~ ~ ~


I became aware that #MyStupidGovernment was ignoring the Fourth Amendment to the US Constitution during the President George W. Bush administration. I recall hearing President Bush directly and knowingly lie to an audience in Buffalo, New York that the US government would never surveil US citizens on US soil without a warrant. We now know that he had already ordered warrantless wiretapping of US citizens on US soil. I have a recording of his Buffalo statement in my archives.

Some people have insisted that US government mass surveillance started during the President Clinton administration, but no references supporting that statement have been offered to me.

I've read that mass surveillance during the Obama administration has increased exponentially. Understanding this to be the case, I see no reason to respect either the Democrat or Republican parties, both of which have been guilty of pushing this treasonous calamity upon us.

Regarding NSA surveillance of people outside of the USA, that's a matter of international law, of which I am no expert. Keep an eye on The Guardian website for relevant details as they emerge.



--

Final note: I consider Edward Snowden to be a US patriot whistleblower. I'm not at all impressed with his turning to Hong Kong, then Russia for sanctuary when Iceland repeatedly offered him asylum. No doubt his story is more complicated than I comprehend. Nonetheless, as a US citizen I have to appreciate his bringing the surveillance crimes of the US government into the light of citizen scrutiny. I wish him well and wish he could simply return to the USA without prosecution. It's difficult for me to comprehend the point of view of those who disagree. What is human freedom and liberty worth? I'd say everything.

:-Derek
--

Sunday, January 19, 2014

Hacking The Internet Of Things, Or
Superenigmatix: When Your Home Appliances Turn Against You

--


This is an alert to a new phenomenon of hacking: Botting your home appliances, aka "The Internet of Things." This revelation is both hilarious AND scary.

Before I jump into the articles:
What is 'The Internet of Things' (IoT)?
This article at Wikipedia will get you started:

https://en.wikipedia.org/wiki/Internet_of_Things

Here are a couple of prescient articles about the inherent security problems of 'The Internet of Things'. The first is from the Tips4Tech Blog from May 28, 2013:

Internet of Things? More Like the Internet of Attack Vectors
…And so now, we add the “Internet of Things” to the equation which will also be using Internet protocols. Companies and organizations that never had to deal with security issues will now have to think about ways to keep inbound and outbound data safe for all devices. Those of us who are security professionals have the tools and know the rules to keep most of the bad stuff out. But what happens when there is no oversight? Anybody will be able to get into the game of the “Internet of Things.” Most network devices have the ability to be secured, but who says that the vendors of this new world will know what to do?
The second was written for the MIT Technology Review last August:

More Connected Homes, More Problems
They might offer convenience or potential cost savings, but Internet-connected home appliances may also create security risks.
- By Rachel Metz on August 13, 2013
…As we connect more and more devices to the Internet, everything from the thermostat to the toilet to the front door itself may create a potential new opening for electronic intruders. As with computers, there are ways to protect these devices from outsiders, but Crowley and Bryan’s experiences indicate that, for now at least, this isn’t always a primary concern for companies in a rush to sell this equipment. Making devices more secure can add time to product development....
Security researchers fear that the risks presented by these new types of gadgets are especially concerning. If hackers can exploit a weakness in a single type of Internet-connected home appliance or system—such as an Internet-connected door lock—they may be able to harm thousands of people at once. “It might be some effort to get this kind of scenario, but if breaking into one server means you get to ransack 100, 1,000, 10,000 people’s homes, that’s definitely worth it, and that’s where the real danger lies,” Crowley says. 
Then 2014 hits, and the freaky fun news begins! 

Your home has been botted.


- Julianne Pepitone, NBC News
Security firm Proofpoint has uncovered a cyberattack that involved the hacking of “smart” home appliances connected to the Internet. Hackers broke into more than 100,000 gadgets -- including TVs, multimedia centers, routers, and at least one fridge – and used the appliances to send out more than 750,000 malicious emails between December 23 and January 6....
Perhaps worse: In “many cases,” the smart devices weren’t difficult to hack, according to Proofpoint. Instead, the appliances either were not set up correctly, or they used default passwords that were easy to find on public networks.
Incorrectly set up home devices? That's nothing new! I believe I've written here previously about my hacking into a neighbor's router to change their radio band setting to my leaching benefit! Once, I even had an IT professional argue with me that password protection of his home router was 'not important'. He learned otherwise.

Proofpoint Uncovers Internet of Things (IoT) Cyberattack

More than 750,000 Phishing and SPAM emails Launched from "Thingbots" Including Televisions, Fridge 
As the number of such connected devices is expected to grow to more than four times the number of connected computers in the next few years according to media reports, proof of an IoT-based attack has significant security implications for device owners and Enterprise targets....
What astounds me is that the operating systems, memory and CPUs on these devices are powerful enough to even BE botted! Is this embedded system OVERKILL? I think so.
Cyber criminals intent on stealing individual identities and infiltrating enterprise IT systems have found a target-rich environment in these poorly protected internet connected devices that may be more attractive and easier to infect and control than PC, laptops, or tablets.
This is SERIOUS 'Version 1.0 Syndrome'. Oh dear!
The attack that Proofpoint observed and profiled occurred between December 23, 2013 and January 6, 2014, and featured waves of malicious email, typically sent in bursts of 100,000, three times per day, targeting Enterprises and individuals worldwide. More than 25 percent of the volume was sent by things that were not conventional laptops, desktop computers or mobile devices; instead, the emails were sent by everyday consumer gadgets such as compromised home-networking routers, connected multi-media centers, televisions and at least one refrigerator....
"Many of these devices are poorly protected at best and consumers have virtually no way to detect or fix infections when they do occur. Enterprises may find distributed attacks increasing as more and more of these devices come on-line and attackers find additional ways to exploit them." . . . .
"The 'Internet of Things' holds great promise for enabling control of all of the gadgets that we use on a daily basis. It also holds great promise for cybercriminals who can use our homes' routers, televisions, refrigerators and other Internet-connected devices to launch large and distributed attacks", said Michael Osterman, principal analyst at Osterman Research. "Internet-enabled devices represent an enormous threat because they are easy to penetrate, consumers have little incentive to make them more secure, the rapidly growing number of devices can send malicious content almost undetected, few vendors are taking steps to protect against this threat, and the existing security model simply won't work to solve the problem."
Oh great! No user incentive to make their 'Internet of Things' more secure. Bot wranglers must be in ecstasy!
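The Osterman quote above says consumers "have virtually no way to detect" an infected appliance. As an added illustration, not code from Proofpoint, NBC or Osterman Research, here is a small Go program showing one check that a home or enterprise network owner actually can run: read the router's outbound-connection log, count which local hosts are opening connections straight to TCP port 25 (direct-to-mail-server delivery, the spam-bot pattern), and flag any appliance doing it at all or any host doing it in bursts. The log format, the device inventory, the addresses and the threshold are all constructed for this example; a real router's log fields will differ and would need their own parser.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of outbound-connection records from a home router's log
// (not data from the Proofpoint report): key=value fields, one connection per line.
var sampleLog = []string{
	"ts=2014-01-05T03:12:07Z src=192.168.1.23 dst=203.0.113.10 dport=25 proto=tcp",
	"ts=2014-01-05T03:12:08Z src=192.168.1.23 dst=203.0.113.11 dport=25 proto=tcp",
	"ts=2014-01-05T03:12:09Z src=192.168.1.23 dst=203.0.113.12 dport=25 proto=tcp",
	"ts=2014-01-05T03:12:10Z src=192.168.1.40 dst=198.51.100.7 dport=25 proto=tcp",
	"ts=2014-01-05T03:12:11Z src=192.168.1.10 dst=198.51.100.20 dport=587 proto=tcp",
	"ts=2014-01-05T03:12:12Z src=192.168.1.10 dst=198.51.100.21 dport=443 proto=tcp",
	"ts=2014-01-05T03:12:13Z src=192.168.1.40 dst=198.51.100.8 dport=25 proto=tcp",
}

// Constructed inventory: which local address is what kind of device.
var inventory = map[string]string{
	"192.168.1.10": "laptop",
	"192.168.1.23": "fridge",
	"192.168.1.40": "tv",
}

// Device classes that have a legitimate reason to speak SMTP; everything else
// is treated as an appliance that should never deliver mail on its own.
var mailCapable = map[string]bool{"laptop": true, "desktop": true, "phone": true, "mailserver": true}

type Alert struct {
	Src, Device, Reason string
	Count               int
}

// parseFields splits "k=v k=v ..." into a map.
func parseFields(line string) map[string]string {
	f := map[string]string{}
	for _, kv := range strings.Fields(line) {
		if p := strings.SplitN(kv, "=", 2); len(p) == 2 {
			f[p[0]] = p[1]
		}
	}
	return f
}

// detectSMTPAbuse counts outbound TCP/25 connections per local host. A host whose
// device class is not mail-capable (or that is missing from the inventory) is
// flagged on its first direct-to-port-25 connection; a mail-capable host is flagged
// only once it exceeds burstThreshold, since a normal mail client submits through
// its provider's port 587 rather than delivering straight to remote mail servers.
func detectSMTPAbuse(lines []string, inv map[string]string, burstThreshold int) []Alert {
	counts := map[string]int{}
	for _, l := range lines {
		f := parseFields(l)
		if f["proto"] == "tcp" && f["dport"] == "25" {
			counts[f["src"]]++
		}
	}
	var alerts []Alert
	for src, n := range counts {
		dev, known := inv[src]
		if !known {
			dev = "unknown"
		}
		switch {
		case !mailCapable[dev]:
			alerts = append(alerts, Alert{src, dev, "appliance delivering mail directly to port 25", n})
		case n > burstThreshold:
			alerts = append(alerts, Alert{src, dev, "outbound SMTP burst above threshold", n})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Src < alerts[j].Src })
	return alerts
}

func main() {
	for _, a := range detectSMTPAbuse(sampleLog, inventory, 100) {
		fmt.Printf("%s (%s): %d connections - %s\n", a.Src, a.Device, a.Count, a.Reason)
	}
}
```

On the constructed log the fridge and the TV are flagged while the laptop, which only used ports 587 and 443, is not. The same idea scales to an enterprise edge firewall: a blanket rule that only the mail relay may open outbound port 25 turns this detection into prevention, which is exactly the control the quoted report says most device owners lack.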

My first question when a friend (Hi Nick!) pointed out this news was 'What manufacturers make these insecure refrigerators?!' 

I have yet to find a decent list of 'smart' (or perhaps 'stupid' is more descriptive) appliance manufacturers. But it turns out that the number of companies involved in the technology end of 'The Internet of Things' is vast! Here is one ongoing list:

Internet of Things – Big List of Companies, Products, Devices and Software by Sector

Obviously, this is going to be an enormous subject in 2014, if not for years. Keep an eye out as the botnet of 'The Internet of Things' develops.
~ ~ ~

This PWNed home appliance phenomenon reminds me of two things. The first is a philosophy and the second is a song:

The Philosophy
Ludditism
n.
1. Any of a group of British workers who between 1811 and 1816 rioted and destroyed laborsaving textile machinery in the belief that such machinery would diminish employment.
2. One who opposes technical or technological change.
I know there is some argument about the actual facts of the Luddite movement and its meaning. But 'Luddite' has nonetheless become the single most popular term for anyone motivated to turn their back on technological progress. I also know that using this term is a great way to raise the hair of any tyrannical technologist.

There are a number of sci-fi books using the theme of Ludditism. One I recently read was 'The Difference Engine' by none other than William Gibson and Bruce Sterling.

With the catastrophe of one's router, oven, refrigerator, door lock, home entertainment, lighting and alarm systems all conspiring against you, can you imagine the lash-back from certain users who'd rather just go back to 'the old ways'? I certainly can!

The Song

From back when I was a kid, one of my favorite music mavens is Bill Nelson, formerly of the group 'BeBop Deluxe'. In 1978 he wrote the first of his hyperactive future-paranoia albums entitled 'Drastic Plastic'. My favorite song from the album, the one that best summarized his artistic theme at the time, was 'Superenigmatix (Lethal Appliances for the Home with Everything)'. Here, for your reading pleasure, are the lyrics. Note their significance to the current plight of 'The Internet of Things':
Superenigmatix, there's one hiding in the attic,
And it's getting all ecstatic cause it goes on automatic,
When the lights go out.

There's one in the TV and it's waiting there to please me,
And I've got to take it easy cause I know that it can see me,
When the lights go out.

Inside, outside, watching me both night and day.
Sometimes I wish I could make it go away.

Sometimes when I'm dreaming, I awake to find I'm screaming,
Cause they've taken all the meaning from the book that I was reading,
When the lights went out.

I know it seems outspoken but I'd love to see them broken,
No more orders, no more slogans, no more keeping my eyes open,
When the lights go out.

Inside, outside, watching me both night and day.
Sometimes I wish I could make them go away.

Superenigmatix, always amateur dramatic,
And they're trying to get me at it,
But I think I'm going to kick them in!
Here is a link to the song itself, as uploaded to YouTube. I can't guarantee that such things are allowed to last at YouTube. But for the moment:

http://www.youtube.com/watch?v=kXHGPbRb7NU

Enjoy (!) And Share,

:-Derek
--

ADDENDUM

Here is Dan Goodin's take on hacking The Internet of Things:

Ars unravels the report that hackers have commandeered 100,000 smart devices.
by Dan Goodin - Jan 17 2014, 3:25pm EST

No doubt, there's a lot more about hacking The Internet of Things yet to come.

--
Monday, January 13, 2014

Over 110 MILLION Customer Accounts Hacked and Stolen:

TARGET Et Al. Are To Blame,
Not the magnetic strip credit card system!

• Why RFID chip credit cards are crap
• SQRL promises to be the safest alternative

--

Recently the US retail company Target, famous for obnoxious LGBT discriminatory statements in public, discovered that they had been so thoroughly lax in their credit card security system scrutiny that over 40 MILLION customer accounts were HACKED and STOLEN.

40 million credit card numbers stolen from Target

No, sorry, counting error! Make that 70 MILLION:

Target doubles hack attack victim estimate to 70 million, personal info stolen too

Oops, sorry. Try again! That's 110 MILLION:

Target: Hacking hit up to 110 million customers

Need I point out, this is outrageous.

Other biznizziz are now chiming in that they too, boohoo, have had all their customer data thoroughly hacked and stolen.

At least THREE other stores had credit card numbers hacked over holidays, reveal experts amid signs Target and Nieman Marcus are tip of the iceberg

And I personally expect that even LAZIER companies are going to be chiming in as well, as they discover that their incredible lack of security consciousness has paid off for the hackers in historic proportions.

What a glorious time to be a crook! $s, £s, s, Yeah!

And customers are really, seriously, viciously ticked off:

Customers seeing red over Target’s hacking response

Therefore:

It's time for some public relations work! 

Eh? All you security oblivious, cheap, lazy, stupid bastard, disrespectful Corporations?!


Now What?

The rubbish-news for today, aka the Corporate Oligarchy propaganda spin-of-the-day, is:

We poor, sad, victimized biznizziz (Target ad nauseam) who are getting hacked-to-oblivion are not to blame. Sobbity sob. Boohoo. (;_;)

YES YOU ARE.

Instead, it's those horrible magnetic stripes on your credit cards that are to blame!

NO THEY'RE NOT.

So let's all save the biznizz world and spare us all (and oh yeah, you customers too) this terrible embarrassment by moving over to RFID chip embedded credit cards, aka 'Smart Cards'.

WORST IDEA EVER.


Why? Because the RFID standard leaves users' (victims') credit cards wide open to casual scanning by anyone nearby, thus rendering them even more dangerous and insecure than magnetic stripe credit cards.


Therefore: Go frack yourselves Target, et al! Go-Frack-Yourselves.

Rather than give you a long, boring research dump about how incredibly AWFUL RFID chip technology remains to this day, I'm going to give you a very simple, straightforward example:

The New York State RFID Driver's License

Background: 

I live in New York State. I have cousins who live in Canada. I often travel to Canada to visit them. Because of the scared-of-foreigners frame of mind of my country in the current era, I am no longer allowed to travel back and forth to Canada with a mere US driver's license. Instead, I have to have a passport. This has never, ever been required before. US passports are slow and expensive to obtain.

Thankfully, New York State offers the ability to embed all the passport-required data into an RFID chip implanted in a driver's license. Therefore, I saved a lot of money and time and obtained a NYS passport-data-enabled driver's license. Now it is easy again to drive back and forth to Canada without having to carry around an expensive, oops-I-lost-it passport. I can still just use my driver's license. Excellent.

The Problem:

RFID chip technology is primitive. This is entirely typical of our current era: Extremely few people pay attention to security. Still, even today. Shocking. Unacceptable. Terrible for business, as security-ignorant Target stores have discovered.

The ramification is that the current standard state of RFID chip technology does NOT use ANY form of personal security. Zero. None. You scan the RFID chip, it tells you EVERYTHING. It's that simple. It's that idiotic. Done. You're screwed.

Some people dare say that the RFID chip has to be within a teeny/tiny distance from the scanner in order for the chip to be downloaded. And of course the response is: SO WHAT?! Anyone can walk up to you, bump into your wallet/handbag, and SCAN YOUR RFID CHIP. You've been pwned. Hacking mission accomplished. This has been consistently proven. RFID chip technology has been blasted out of the water. This is EXACTLY why the USA HAS NEVER and WILL NEVER allow RFID chips to be embedded into credit cards.

Meanwhile In New York State:

So I have this nifty driver's license that acts as a passport thanks to its RFID chip. Except, darn! I value my privacy! And so does every other New York State citizen! And we're stuck with these CRAP TECHNOLOGY RFID chips in our wallets! What to do???

New York State's solution is to wrap our driver's licenses in AFDBs: Aluminum Foil Deflector Beanies. You can read about such things here:


The proper name for such a thing is the Faraday cage. It was invented by 19th-century British scientist Michael Faraday as a method of shielding an enclosed object from external electromagnetic fields. Faraday is one of my heroes:

In other words: I have to keep my NYS driver's license inside an aluminum envelope, kindly provided by NYS, at all times until needed. If I don't, anyone can casually walk by me with an RFID scanner, trigger my driver's license to dump all my passport data, and walk away with my private information.


So thank you NYS for:

1) Protecting my personal information with a freely provided AFDB, and

2) Proving my point that current RFID chip technology has NO security and is TOTAL CRAP.

~ ~ ~
Therefore, a special message to Target and the rest of the security oblivious Corporate Oligarchy:

STFU and PROTECT YOUR CUSTOMERS, you cheap, lazy, stupid bastards! Crap RFID chip technology is, as you well know, just a red herring to deflect customers from the fact that you are cheap, lazy, stupid bastards!
~ ~ ~

What's better than crap RFID chip technology?
SQRL:

It turns out that there are A LOT of things better than crap RFID chip technology. One of my security heroes, Steve Gibson, has invented what promises to be the single best method of secure information exchange possible in our current era. It's called SQRL ('squirrel'), aka Secure Quick Reliable Login. No chips are required. Steve is offering it as open source technology. It works. In fact, it works so well that a flock of other inventors and companies have jumped on board to elaborate upon the standard and make it as usable and ubiquitous as possible, ASAP.
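To make "no chips are required" concrete, here is an added example, not Steve Gibson's code or the SQRL reference implementation, written in Go with only the standard library. It follows SQRL's published identity design: the user holds one secret Identity Master Key that never leaves the client; for each site, HMAC-SHA256 of that master key over the site's domain yields a seed for an Ed25519 key pair; the site stores only the public key at enrollment and, at login, verifies a signature over a one-time challenge. The challenge here is a bare random nonce and the function names are this example's own; the real protocol's challenge is a server-issued nonce it calls a "nut", and the client's signature covers the full login query rather than the nonce alone.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// siteKeyPair derives the per-site Ed25519 key pair from the user's 256-bit
// Identity Master Key and the site's domain, as SQRL specifies:
// seed = HMAC-SHA256(masterKey, domain). The master key never leaves the client,
// and because HMAC output is pseudorandom, two sites cannot tell from their
// stored public keys that the same person holds accounts on both.
func siteKeyPair(masterKey []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte(domain))
	seed := mac.Sum(nil) // 32 bytes == ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// newChallenge is a constructed stand-in for the server's one-time login nonce.
func newChallenge() []byte {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// signLogin: the client proves control of its per-site key by signing the challenge.
func signLogin(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// verifyLogin: the site checks the signature against the public key it stored at
// enrollment. No password or shared secret is held server-side, so a breach of the
// site's database yields nothing that can be replayed here or reused elsewhere.
func verifyLogin(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	// Constructed master key for the demo; a real client generates it randomly and keeps it encrypted.
	master := bytes.Repeat([]byte{0x42}, 32)
	pubA, privA := siteKeyPair(master, "example.com")
	pubB, _ := siteKeyPair(master, "example.org")
	fmt.Println("example.com identity:", hex.EncodeToString(pubA))
	fmt.Println("example.org identity:", hex.EncodeToString(pubB))

	ch := newChallenge()
	sig := signLogin(privA, ch)
	fmt.Println("login accepted by example.com:", verifyLogin(pubA, ch, sig))
	fmt.Println("same signature accepted by example.org:", verifyLogin(pubB, ch, sig))
}
```

The contrast with the RFID license above is the point: nothing readable at a distance is ever stored on anything, the only thing a site holds is a public key that is useless without the master key, and a signature captured at one site proves nothing to any other site because each site's key is derived independently.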

You can read about SQRL here:


~ ~ ~
Stay safe out there kids!
Our Corporate Oligarchy doesn't give a crap about our data security. 
Customer BEWARE!
We only have our personal identity and privacy at stake!
~ ~ ~
:-Derek

***Please note that the word 'biznizz' is my sarcastic term for any business that is blatantly self-destructive and customer-disrespectful. I consider it a thoroughly descriptive, useful and important term, as well as cynically humorous. I never refer to responsible, respectful, customer-driven, creative, positive capitalist businesses, such as Apple, with this sarcastic term. :-Derek
--