Archive for the ‘Internet Insecurity’ Category

The Department of Truth is not taking over the FCC

Wednesday, December 28th, 2016

Alex Jones has no problem just making stuff up. When he doesn’t understand something, he just creates a theory, then starts embellishing and repeating it.

The “Department of Truth” Amendment that Congress just passed and President Obama just signed reorganizes the (Radio) Board of Governors, which has absolutely nothing to do with the FCC.

Radio World Summary

The BBG is a non-military government propoganda agency, very similar in purpose to the World Service of the BBC. It operates the Voice of America, Radio Free Europe, Radio (and TV) Marti to flood Cuba with information. The important part about the BBG is that until recently, it was prohibited from directing its programming at the population inside the United States. The BBG works closely with the CIA.

Carl Bernstein – the CIA and media

As the Internet became a bigger deal, it was pointed out that Americans accessing the VOA website was violating the law, a change was made in 2013 to allow Americans to visit the VOA website.

Background

The language of the just passed law widens the discretion of the BBG to determine who its audience is – could it be domestic? Possibly. Is the CIA going to buy Clear Channel? How do we know they don’t own it already?

The just passed law makes no mention of the FCC

Text

Do Not Track, next chapter

Tuesday, May 31st, 2016

For those who have been here a long time, a major reason for my reducing the website the first time was the threat of government intervention requiring websites to honor “do not track” settings. You have probably noticed many websites now require you to consent to accepting a cookie in your browser on your first visit – this is being driven by privacy laws in Europe. I purposefully block access to this website from Europe, hoping to avoid being subject to European Union laws like hate speech prohibitions. I am not a citizen of the world.

“Do not track” was originally a voluntary thing added to a couple browsers, with the naïve belief that the Internet community could state that “do not track” has no legal significance and the governments would be prevented from engaging in civil or criminal prosecutions for a website owner refusing to honor “do not track”. Did I mention naive?

Politico coverage

The Internet “community” has been fighting for several years over how to incorporate “do not track” into the Internet standards that apply to the entire world, with enough teeth to fend off the aspirations of the Federal Trade Commission (FTC) – but override the decision-making process of the Internet governance, which is no longer under United States control.

The current compromise seems to be that “first party” websites (like this one) could continue to track your activities even if you turn on “do not track”. I do not care what any one person is doing, but most of the value of the website is created by tracking the activity of all visitors – to create most popular shows, stations and the like. There is no profit motive to my tracking. I am not unaware that do not track has popular support, I believe people do not understand that the “free stuff” on the Internet goes away.

The proposed rules would prohibit third-party websites – who I do not control – from tracking you against your will. I have not generally used third-party services – there are significant recent exceptions – the blog post with the Instagram picture of Donald Trump. I am a little surprised nobody objected, yet. Also, the Disqus commenting crossed that line. The total lack of interest means I probably will remove it. Incorporating a YouTube video also enables Google tracking you here, even if you don’t view the video.

If the rules prevent aggregate tracking of my visitors and threaten me with Civil or criminal prosecution, I push the OFF button and that’s the end and leave the Internet to the global mega corporations, which is exactly the outcome that the government wants. Entities like Google and Facebook which willingly supply very detailed psychographic information to the government “intelligence” agencies would be exempt from this rule, of course.

2:20 PM on Wednesday

Monday, February 22nd, 2016

If you want to catch the United States off guard, that would be the time to do something.

You may remember earlier in the Obama years, FEMA and the FCC conducted a mandatory test of the national Emergency Alert System. While the National EAS system is based on the same system that gives you warnings of tornadoes and such things, the National Alert is different in several important ways:

Carrying national alerts is mandatory, immediate and automatic. No matter what is going on, the President has immediate and complete control – not only radio and TV, but SiriusXM, DishTV, DirecTV, your local Cable TV system, and now your mobile phone. Once the Internet of Things is built, It is logical to think that the light bulbs in your home will start flashing in special colors to get your attention.

The non national EAS alerts are generally coordinated by state broadcast associations and state agencies who designate certain stations that can be reliable hubs. The activate signal “beep scratch scratch… Had this been an actual emergency” is relayed from big stations to small stations. While stations at the end points must log local tests, they don’t have to break into live programming to air the test nor are they required to carry actual warnings live or at all.

So Wednesday is a partial national test. The real national EAS message will go out, but only to 22 selected states. The one and only real national test went poorly. Message distribution works differently for the entire country since it is more complicated.

A few regional broadcasters have a special responsibility called being a Primary Entry Point. Upon receiving the header for a national alert, the PEP connects to a central communications bridge controlled by the White House and broadcasts the alert outward until (hopefully) every broadcast outlet in the country is standing by to hear the White House announce something really really important. This capability was not used on 9/11, but the pretense that EAS is useful carries on. Realistically, there is no national event that would be less severe by warning the public. If Russian ICBMs are incoming, 8 million people trying to flee New York City will just kill a lot of panicked people and prevent actual emergency responders from doing useful things.

Sit back and enjoy. Remember – bright flash, duck and cover.

Encryption wars

Monday, November 23rd, 2015

Yesterday, I was listening to a replay of John Gibson as he was talking to Judge Nepalitano about terrorism and whether Apple and Google should be forced to put a back door into its phones and tablets. This was done in part because of the NSA revelations and partly because police started routinely demanding cell phones on traffic stops to search their contents on a fishing expedition or to gather a contact list – without a search warrant.

Of course, every terrorist incident that kills rich white Europeans will reopen the debate of “well, hypothetically the terrorists might have used a phone – you aren’t a terrorist supporter, are you? Why don’t you trust the police? If you have nothing to hide…”

The Judge is sticking to the 4th amendment. You don’t need physical possession of the device and the ability to open the apps to develop probable cause. People making phone calls and using SMS are logged by the phone company, which can be subpoenaed by presenting evidence you have developed independently – photos, witness statements, DNA, undercover surveillance – you know… “Police work”

Here is a random example I just bumped into
http://www.kjluradio.com/#!30-Columbia-Schools-iPads-confiscated-by-police/c24gc/564f46120cf26ffe7c1f3f75

In this story, police in Columbia Missouri confiscated 30 iPads owned by the School District on the suspicion that students might be having sexually explicit conversations and sending naked pictures to each other. The article doesn’t mention a judge signing a warrant. The 4th amendment requires probable cause and the specific items to be searched. Random fishing expeditions of every iPad is not allowed. The kidz use snapchat for sexting specifically because it leaves no evidence.

Because the iPads are owned by the school district and used at least part of the time on the school system internet connection, that might make the investigation easier. But if the iPads are running iOS 7+, the contents cannot be viewed without knowing the pass codes.

What do you think the rules should be?

More fruit from the Snowden tree

Saturday, June 27th, 2015

CISCO warns of back door built into equipment

CISCO makes much of the equipment that runs and secures the Internet. Snowden’s leaks already disclosed that the NSA has complete access to CISCO gear, including the ability to install software modifications.

Now we know how for at least some devices. A little boring technical stuff. SSH is the main tool used to connect remotely to devices on the Internet. There are several ways to prove to the remote device that it should let you in. The simple method is sending a userid and password. For many situations, that is impractical. For example, I frequently connect the test machine to the production machine in Texas. If I was using passwords, I would have to constantly type the password (risking someone watching my keyboard) or “hard code” the password somewhere.

A better alternative is a public/private key exchange. Both computers have a secret private key and a public key. You can’t derive my private key if I give you my public key. But if you take my public key and combine it with your private key, the resulting key establishes beyond any reasonable doubt that both ends know who the other end is. Someone recording the exchange of keys still cannot derive a private key or be able to masquerade as a real device.

What CISCO just admitted is every device in their advisory has a hard coded key for its support responsibilities. This allows anyone with knowledge of that private SSH key for CISCO support to connect to the device as an authenticated user. All if takes is for CISCO to provide that key to government agencies, or a hacker or ex-employee to find and leak the private key, and every internet connected CISCO device affected is vulnerable to complete remote control by unknown remote persons.

If Snowden doesn’t get a Nobel Peace Prize, the award has no meaning

Charlotte to get Google Fiber

Wednesday, January 28th, 2015

If you had 1000 Mb/Second Internet access, how would you use it?

I don’t download copies of an entire human genome in my spare time, don’t need a copy of every YouTube video featuring a cat. The current top of the line 4k video requires 15 Mb/Second and realistically needs 50 Mb/Sec. I guess we’re laying the foundation for 100k TV or perhaps direct brain implants.

Now that the web server is not in my bedroom, I don’t begin to need even the 20 Mb/second I have. In Connecticut I was so disgusted with the Cable TV company that I was thrilled to replace it with reliable AT&T 1.5 Mb/sec DSL.

I’m confident the city will find the bandwidth useful to install TV cameras every 50 feet, more license plate readers, red light cameras, mandatory smart light bulbs and gunshot triangulators. You can’t be too safe.

It’s official – change your Healthcare.gov password

Saturday, April 19th, 2014

If the point of Heartbleed is actually payback to the Linux hacker community by Microsoft, it’s working. The speed with which a highly sensitive chunk of code written by a volunteer and rushed to implementation without adequate peer review is now out in plain sight, regardless of whether it was intentional or not.

The Obama folks are big Linux fans

https://www.healthcare.gov/heartbleed/

Note this routine page is itself encrypted. Apparently, healthcare.gov doesn’t want the NSA counting how many people really signed up for Obamacare

The good news on the web site is that even though Open enrollment is over, Medicaid and Chip will insure you any time of the year if you qualify. So get busy quitting your job and hiding your assets.

FCC wants Internet fairness

Saturday, February 22nd, 2014

http://www.nationaljournal.com/tech/fcc-plans-to-allow-online-discrimination-20140219

The Federal courts have repeatedly told the FCC it has no legal authority to create “net neutrality”, but the new FCC chairman is at it again.

With the courts pretty solidly in the hands of progressives, a pretty successful tactic of making legal precedent is to create a conflict – knowing it then can become an issue before the courts. Marriage used to be a state issue and the Federal courts kept hands off. Pass a Defense Of Marriage Act creating a federal definition of marriage (one man + one woman) and now the courts can assert Federal jurisdiction and essentially have the Federal Courts make up thir own laws.

Tom Wheeler wants to create regulations to allow Comcast to be able to sell better access to Netflix if they’ll pay extra to Comcast (anti net neutrality). It’s not actually what he wants. He wants Netflix to run to a Federal Court and demand Net Neutrality with the FCC as the one to determine “fairness”. He wants power that can then be leveraged into post FCC employment rewards and campaign contributions.

It’s worth pointing out the FCC is not part of the Federal Government. It is an independent commission empowered by specific federal regulations to perform limited functions like issue licenses for spectrum, test electronic devices for interference. It is not part of the Executive branch or any Department largely to keep its decisions free from Congressional micromanagement. It is self funded through fees so there are no strings to yank them around.

Is it time to buy a VPN connection?

Thursday, December 12th, 2013

Someone wrote to me today who is outside of North America and realized (correctly) that Streamingradioguide.com can’t be used from Asia and Europe.

I suggested he look into getting a VPN connection that is very secure and allows you to “look” like you’re in the United States when you’re actually anywhere in the world.

Here is one such service
https://www.privateinternetaccess.com/pages/how-it-works/

I don’t even have a passport, so I have no first hand experience with a service like this. I do have experience in the past year using a VPN – it was okay, but it does have drawbacks. The main one is latency – everything you do has to be relayed by the gateway. For instance, if you’re connecting to a work network, and you have “network drives”, if you were actually on the company WAN, those drives are as fast as if they were local drives. With a VPN, each operation to those disks requires end to end acknowledgmnts on multiple layers. One internal software package to the company that would take a minute or two to upgrade took close to an hour over the VPN. Bandwidth was not the bottleneck, it was the constant “did you get it?” hand shakes

Anyone have experience with these?

Time to turn off your computer

Friday, October 18th, 2013

Adobe Flash and Adobe Reader are everywhere. Because they’re on most PCs and are trusted software, they are a very valuable entry point to take over computers.

Adobe was hacked. Big time. Massively.

http://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/

The hackers have both user data if you were foolish enough to register your software, and they have the source code to *everything*

Having the source code makes it 97.62x easier to develop tools to break into Iran’s uranium centrifuges – and your PC, too.

PR Newswire has just found out their Customer data was stolen by the same folks, however nobody had used that data since March. That suggests to me the attack is being done by a government agency that has an insatiable appetite to know everything about everyone.

http://krebsonsecurity.com/2013/10/breach-at-pr-newswire-tied-to-adobe-hack/

Expect months of “zero day” exploits – attacks that will succeed because nobody knows they exist or how they work yet.

Oh, and if you ever told the FBI you were hacked, the hackers know that too

http://krebsonsecurity.com/2013/10/data-broker-hackers-also-compromised-nw3c/