I’m so proud of her

My two-year-old grandniece has struck back against the surveillance state.

A family story was relayed this morning: Daddy put the two-year-old down for her nap. He then went out to the den. The two-year-old then entered the room with the baby monitor she’d unplugged and threw it at him.

I’m not the only freedomista in the extended family.

Discovering the “Oh, shit! The [Other] Party gets to use those powers now” argument

At least she recognized some degree of importance even during the Barrycade administration.

Protecting the Republic: Securing Communications is More Important than Ever
Protecting the privacy of speech is crucial for preserving our democracy. We live at a time when tracking an individual—a journalist, a member of the political opposition, a citizen engaged in peaceful protest—or listening to their communications is far easier than at any time in human history. Political leaders on both sides now have a responsibility to work for securing communications and devices. This means supporting not only the laws protecting free speech and the accompanying communications, but also the technologies to do so: end-to-end encryption and secured devices; it also means soundly rejecting all proposals for front-door exceptional access. Prior to the election there were strong, sound security arguments for rejecting such proposals. The privacy arguments have now, suddenly, become critically important as well. Threatened authoritarianism means that we need technological protections for our private communications every bit as much as we need the legal ones we presently have. (emphasis added- cb)

Let me give you a few brief reminders. Some of us warned about this with CALEA, PATRIOT, Patriot II, NDAA, CISPA, SOPA, HIPAA…

And pretty much every other extra-constitutional power that control freaks have handed the government over the last few decades. Oh, hell; centuries. And you never learn, except very temporarily when the opposition takes possession of the ball.

Glad I’m not that guy

So how did the FBI/Apple kerfuffle really start?

San Bernardino Shooter’s iCloud Password Changed While iPhone was in Government Possession
The filing states, “the owner [San Bernardino County Department of Public Health], in an attempt to gain access to some information in the hours after the attack, was able to reset the password remotely, but that had the effect of eliminating the possibility of an auto-backup.”
[…]
The auto reset was executed by a county information technology employee, according to a federal official. Federal investigators only found out about the reset after it had occurred and that the county employee acted on his own, not on the orders of federal authorities, the source said.

 

Questions, questions.

  • If he changed the password to access information, why isn’t the FBI rubber-hosing the password out of him?
  • What information did this guy suddenly need when the Feds took the phone?
    • Was he merely curious?
    • Did he not realize the Feds would notice?
    • Was he looking for incriminating information?
    • If so, why not leave it to LE?
  • If there was incriminating data he knew about, what kind? Was he an accomplice in the attacks, or merely lower level county corruption?

Seriously. At the very least, he had to realize resetting the password on evidence in a federal investigation would be felony “impeding an investigation.” At a minimum, he had to know he’d be suspected as an accomplice in a terrorist attack. What did he need to see so badly to make it worth the obviously inevitable consequences?

If he was deliberately hiding something, what could be worse than a definite felony, and being a terrorist suspect for the rest of his life? At best.

Maybe he really is just a curious dumbass with an IQ lower than whale shit. He is (was?) a government employee, after all.

Look, either the guy knew the new password, or he deliberately randomized it to keep investigators out. If the first, the Feds shouldn’t be making demands of Apple.

In related news:

DOJ would allow Apple to keep or destroy software to help FBI hack iPhone
The Obama administration told a magistrate judge Friday it would be willing to allow Apple to retain possession of and later destroy specialized software it was ordered to create to help federal authorities hack into the encrypted iPhone belonging to Syed Rizwan Farook.

 

Looks like someone finally took cognizance of the point I’ve been making: Letting the Feds get that FBiOS is dangerous. I’ve said all along that the correct way to do this would have been to turn the phone over to Apple for forensic extraction. They unlock it, then return the unlocked phone to the Feds without the security-breaking code installed.

The FBI absolutely should never get their dirty paws on the countdown-bypassing and remote access code. They can’t be trusted.

The wrong question

Update: My first analysis was based on excerpts from the judge’s order published in the media. I’ve now read the whole order. And it’s worse than I thought. See edits below.


In response to the federal judge’s order that Apple create code to disable the countdown timer on iPhone’s password input routine (thus, allowing the FBI to mount a brute force attack without fear of the security routine wiping everything), people have asked — in a properly sarcastic manner — “What could possibly go wrong?”

They should be asking, “What could possibly go right?”

In case you haven’t kept up, if one enters the wrong password into an iPhone too many times, it assumes the phone is in the wrong hands and self-wipes. The FBI has a phone that belonged to one of the shall-not-be-named San Bernardino terrorists, but the password is set.

Enter an idiot judge. The Honorable Dumber N. Boxofrox ordered Apple to develop new code to disable the countdown feature, and to tailor it to work only on the single terrorist’s phone by hard coding it to only work with a couple of identification strings associated with that phone, and install it there. Sounds nice, right? Limited scope.

Correction: The ordered change to disable countdown (and eliminate delays in entering password attempts) is not limited to the terrorist’s iPhone. In addition to the new “FBiOS,” Apple is required to provide a separate data recovery/backup/“Software Image File” application to copy everything in flash memory. That application is the only thing required to work only on the single instrument.

Now let me explain what would really happen. Apple would basically be writing a new variant of the operating system. They would install it (as an update) to the phone in the FBI’s custody. FBI eventually unlocks phone, images everything on the phone.

Everything.

That is inevitably going to include the operating system, which means the FBI would now be in possession of the security-bypassing OS. They could turn it over to hackers to decompile the code, then scan for the two hard-coded ID strings. At this point, they could either type in two new strings for whatever other iPhone they might have lying around in an unrelated case, or change the code to not require the IDs at all. A brand new electronic forensic tool, provided free of charge by Apple.

Correction: No need to reverse engineer anything. Plus, the FBiOS must allow the Feds to enter passwords via WiFi or Bluetooth; i.e., remotely, just as the FBiOS would be uploaded remotely. Once they have the OS in hand, the FBI can do it to anyone without even the need to reverse engineer the FBiOS. They’re demanding a turnkey mass covert surveillance tool from Apple.

But the Feds would never steal some company’s code, would they? Or go sneaking around spying without a warrant. And it would never occur to them to use a variant of a Stingray to generally access other phones and surreptitiously upload their little bit of malware.

Hell, you know they would. Personally, I suspect that’s exactly what they want. Since the terrorists were savvy enough to kill their data trail by disappearing their computer hard drive, I doubt they left anything useful on the iPhone. At most, contacts, which the FBI can already get by subpoenaing their billing records from the phone company.

So let’s assume for the sake of discussion that they do this. We’ll even give the Feebs enough credit to say they don’t get hacked by another 16yo kid who steals data from them… you know, like new OS code.

But in this hypothetical scenario, they’ve released the code into the wild. Into iPhones whose security has been crippled by definition. Don’t lose your phone or get it stolen (Correction: With remote access, no one has to physically steal your iPhone); whoever ends up with it can get any data… just as easily as the Feds. Or install malware (keystroke loggers, audiovisual bugs, GPS tracking, etc.) on it and return the iPhone they “found.”

I suspect jealous spouses and significant others would be a ready market, as well.

And recall that Apple programmers say that what the Feds are demanding would work on newer iPhones, too; not just the terrorist’s older-generation smartphone, of which there are probably millions in use anyway.

What with people jailbreaking phones anyway, it would only be a matter of time before some hacker generated his own malOS. For that matter, maybe the FBI should hire that 16yo to hack that phone for them.

Oh. Wait. Then they’d have to pay him. When they can force Apple to do it free.

And if you believe that

I’ve got a slightly used bridge for sale on eBay.

Recently Bought a Windows Computer? Microsoft Probably Has Your Encryption Key
ONE OF THE EXCELLENT FEATURES of new Windows devices is that disk encryption is built-in and turned on by default, protecting your data in case your device is lost or stolen. But what is less well-known is that, if you are like most users and login to Windows 10 using your Microsoft account, your computer automatically uploaded a copy of your recovery key — which can be used to unlock your encrypted disk — to Microsoft’s servers, probably without your knowledge and without an option to opt out.
[…]
Users can choose to delete recovery keys from their Microsoft accounts…

Everyone who believes that will completely delete the key from MacroSnoop’s servers, raise your hand.

Seriously, folks. I’ve heard of some alleged freedom lovers who claim to love Win10. Why?

PSA: A Holiday Privacy Reminder

If you happened to receive a new computer, and are tossing out an old machine, please remember to permanently erase any personal data. Otherwise, someone like me* just might find your discreet photos, bank account numbers, SSAN, and so forth.

In Windows, merely “deleting” the files doesn’t do it; deleted files sit in your recycle bin until you actively empty it…

Which also doesn’t do it. A deleted file isn’t truly deleted until the portions of the hard drive on which it sat are overwritten. “Deleting” just changes the file header to “this space available”. Until it’s overwritten, someone like me — or worse, someone not as honest as me — can recover the data.

So delete all your data using a file shredder like this one before that computer goes out to the curb.
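What a file shredder does differently from "delete", as an added example (not part of the original post and not the code of the shredder linked above): overwrite the file's bytes in place, flush them to disk, and only then remove the directory entry. The function names and the sample "bank record" are constructed for illustration.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 20  # overwrite in 1 MiB pieces so large files do not fill RAM


def overwrite_in_place(path, passes=1):
    """Overwrite every byte of an existing file without changing its length."""
    size = os.path.getsize(path)
    # "r+b" updates the existing file. "wb" would truncate it first, handing
    # the old blocks back to the filesystem with their contents intact.
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push the new bytes out of the OS cache
    return size


def shred(path, passes=1):
    """Overwrite, rename to a random name, then unlink."""
    overwrite_in_place(path, passes)
    # Rename first so the stale directory entry left behind after deletion
    # carries a random name instead of the original file name.
    folder = os.path.dirname(os.path.abspath(path))
    anon = os.path.join(folder, secrets.token_hex(8))
    os.replace(path, anon)
    os.remove(anon)


def demo():
    """Constructed sample data written to a temporary directory."""
    secret = b"ACCT 0000-CONSTRUCTED-SAMPLE\n" * 100
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "statement.txt")
        with open(target, "wb") as fh:
            fh.write(secret)
        overwrite_in_place(target)
        with open(target, "rb") as fh:
            after = fh.read()
        shred(target)
        # (length preserved, old content still present, file still exists)
        return len(after) == len(secret), secret[:12] in after, os.path.exists(target)


if __name__ == "__main__":
    print(demo())
```

In-place overwriting only reaches the original blocks on a conventional hard drive with a non-copy-on-write filesystem; SSD wear levelling and copy-on-write or journaling filesystems can leave old copies elsewhere, so a machine headed for the curb is better served by wiping the whole drive.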


* The last three computers I acquired by scrounging — including one last night — all had extensive files left completely undeleted: pictures of kids, vacation shots, financial data, personal letters, and more. I’m nice; I just wiped it all.

ClosedBazaar

TL;DR: Do not use the allegedly forthcoming “OpenBazaar” unless you like security and privacy vulnerabilities.


So there’s an outfit backed by some venture capitalists supposedly creating an open source P2P client for private, secure online purchases (think “distributed version of Silk Road”). Interesting idea.

Until you hit their web site. It absolutely requires lots of javascript and Flash to work.

I can tolerate some javascript. Depends on where it’s coming from. But any site that requires Flash is an instant no-go. It doesn’t instill a great deal of confidence in the privacy and security of the OB client. Sure, being open source will let people look for vulnerabilities. But the demonstrated preference for web hazards doesn’t bode well for them minimizing vulnerabilities in the first place, or fixing them in a timely manner in the second place.

Great Ghu…

I sent OpenBazaar.com an email explaining those objections to all those vulnerabilities. I just received a reply from “Brian Hoffman”:

“Ok peace. You can go get the client from GitHub directly and avoid the marketing site. Your style of browsing the web isn’t the only one so we’ll continue to do things the way we see fit, but thanks for the heads up. Everyone is free to do what they like and so are you.”

Apparently he doesn’t get “But the demonstrated preference for web hazards doesn’t bode well for them minimizing vulnerabilities in the first place, or fixing them in a timely manner in the second place.” My problem isn’t the marketing site. It’s what the marketing site tells me about the nonchalant security attitude of people professing to build a private, secure product.

So I replied to Hoffman:

My “style of browsing” (i.e., Linux, Pale Moon, NoScript, Flash blocking, etc.) is exactly what tech-savvy people, who would want a secure, private OpenBazaar client, use. Except the ones who go even farther with dedicated machines running through multiple proxies, and so on and so forth.

The Internet Exploder users who don’t care about Flash and scripting (and security and privacy) aren’t looking for an OB product. They’ll just use Etsy, eBay, Craigslist, and Cousin Charlie’s girlfriend’s best friend’s contact. You should probably take another look at your targeted demographic.

Hoffman’s answer:

Our product is not just targeted at the niche audience that is anarchic, libertarian, highly technical users.* Sorry to disappoint you. Probably want to look elsewhere.

Well, yeah. That I won’t be looking at his little security violation was my point.

I gather that Hoffman is a programming type. Maybe those VCs should provide someone with a better grasp of public relations to screen email. Not to mention someone with a clue regarding demographic targeting. And while I might be a little sensitive to rudeness and cluelessness, Claire Wolfe was also… impressed by Hoffman’s shortfalls.

OB might turn out to be a decent product, despite some incredibly questionable security decisions by the developers. But I doubt it. If it does, it will only be after months to years of vetting by the anarchic, libertarian, highly technical open source community; most of whom just might look at this and decide it’s simply too risky to even bother vetting.


* OB is based on Bitcoin. Pretty much by definition that severely limits OB to highly technical users interested in privacy and security.

Just because something can be done…

…doesn’t mean it should be done.

Disney researchers use passive UHF RFID tags to detect how people interact with objects
The researchers found that with their system, called IDSense, they could simultaneously track 20 objects in a room and infer four classes of movements with 93 percent accuracy. They will present their findings at CHI 2015, the Association for Computing Machinery’s annual Conference on Human Factors in Computing Systems, April 18-23 in Seoul, South Korea.

“An effective means of identifying people’s activities in their homes, schools and workplaces has the potential to enable a wide number of human-computer interaction applications,” Sample said. “Whether it’s reading a book to a child, cooking a meal or fixing a bicycle, the objects that we use both define and reflect the activities we do in our daily lives.”

Extensive research has also shown that by sloshing gasoline around a home’s interior and igniting it, one can observe how occupants interact with doors and windows.

You thought Internet-enabled refrigerators were bad? Now imagine that everything in the refrigerator is live-streaming that data. Now imagine your insurance company upping your premium based on your beer intake rate. Or that your beer bottle spends too much time in close proximity to your car keys.

Any bets on how soon we hear about the deployment in Disney hotel rooms?

-knock knock- “Maid service! Here’s your extra towels.”

“I didn’t ask for more towels.”

“That’s OK, ma’am. Our system detected unusually heavy and extended mattress use followed by a long shower, and all your towels used. So the computer automatically dispatched replacements.”

“What?!”

“And you’ll be pleased to know that the computer noticed your husband’s room key lingering by the pool, so it text messaged him not to disturb you while the bed was in use.”

When Microsoft* has to fix your security [f@@k]up…

…you… should know that you have well and truly [f@@k]ed up on a scale that boggles the mind of anyone with an IQ over 53.

Microsoft Steps In To Clean Up Lenovo’s Superfish Mess — While Lenovo Stumbles And Superfish Remains Silent
Microsoft just took a major step towards rooting out the Superfish bug, which exposed Lenovo users to man-in-the-middle attacks. Researchers are reporting that Windows Defender, Microsoft’s onboard anti-virus software, is now actively removing the Superfish software that came pre-installed on many Lenovo computers. Additionally, Windows Defender will reset any SSL certificates that were circumvented by Superfish, restoring the system to proper working order.

Sadly for users, Lenovo and Superfish execs are not in the class of people-smart-enough-to-chew-gum-and-maintain-breathing-reflex-at-the-same-time.

 


* Yep. That Microsoft. Really.