There is a new tool for hacking into an iOS device (i.e., iPhone or iPad) that you should be aware of, and it is the reason you should change your passcode NOW…and make it a strong one.
A Motherboard investigation has found that law enforcement agencies across the country have purchased GrayKey, a relatively cheap tool for bypassing the encryption on iPhones, while the FBI pushes again for encryption backdoors.
Matthew Green, assistant professor and cryptographer at the Johns Hopkins Information Security Institute, said on Twitter that GrayKey has an exploit that disables Apple’s passcode-guessing protections (i.e., SEP throttling) AND that a 4-digit passcode can be cracked in as little as 6.5 minutes on average, while a 6-digit passcode can be cracked in roughly 11 hours:
Guide to iOS estimated passcode cracking times (assumes random decimal passcode + an exploit that breaks SEP throttling):
4 digits: ~13min worst (~6.5avg)
6 digits: ~22.2hrs worst (~11.1avg)
8 digits: ~92.5days worst (~46avg)
10 digits: ~9259days worst (~4629avg)
— Matthew Green (@matthew_d_green) April 16, 2018
Another Motherboard article emphasized that you should immediately Stop Using 6-Digit iPhone Passcodes, and yes, you should.
Why a Long, Secure Password Now?
Security and convenience are always a trade-off. But I’ve set up a password for my devices that, according to this password checker, will take 44 thousand years to crack, yet is easy for me to remember and to use as my iOS “custom alphanumeric code.” This password has numbers, upper/lower case letters, along with a few special characters (e.g., !@#$%^&*()).
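As an added example (not from the original post, and not Matthew Green’s or Motherboard’s code), here is a small calculator that reproduces the per-length figures in the tweet above and extends them to the custom alphanumeric codes just described. It assumes the tweet’s numbers imply roughly 80 ms per guess once SEP throttling is bypassed (10,000 guesses in about 13 minutes); that rate is back-calculated from the tweet, not measured, and every charset and length below is an illustrative choice.

```python
"""Passcode brute-force time estimator (added example, not from the post).

ASSUMPTION: the tweet's figures work out to about 80 ms per guess once
SEP throttling is bypassed (10^4 guesses in ~13 min). That rate is a
modelling constant here, not a measured value.
"""
import math
import string

# ASSUMED guess rate, back-calculated from the tweet (13 min / 10^4 guesses).
SECONDS_PER_GUESS = 0.08

# Character classes available through the iOS "custom alphanumeric code"
# option; the symbol set is the one listed in the post (illustrative).
CHARSETS = {
    "digits": string.digits,
    "alnum": string.ascii_letters + string.digits,
    "alnum+symbols": string.ascii_letters + string.digits + "!@#$%^&*()",
}


def keyspace(length: int, charset: str) -> int:
    """Number of distinct codes of `length` drawn uniformly from `charset`."""
    if length < 1:
        raise ValueError("length must be >= 1")
    return len(CHARSETS[charset]) ** length


def entropy_bits(length: int, charset: str) -> float:
    """Guessing entropy in bits for a uniformly random code."""
    return length * math.log2(len(CHARSETS[charset]))


def worst_case_seconds(length: int, charset: str,
                       seconds_per_guess: float = SECONDS_PER_GUESS) -> float:
    """Time to exhaust the whole keyspace (every code tried once)."""
    return keyspace(length, charset) * seconds_per_guess


def average_seconds(length: int, charset: str,
                    seconds_per_guess: float = SECONDS_PER_GUESS) -> float:
    """Expected time for a uniformly random code: half the keyspace on average."""
    return worst_case_seconds(length, charset, seconds_per_guess) / 2


def humanize(seconds: float) -> str:
    """Render a duration in the units the tweet uses (min, hrs, days, years)."""
    minute, hour, day, year = 60.0, 3600.0, 86400.0, 365.25 * 86400.0
    if seconds < hour:
        return f"{seconds / minute:.1f} min"
    if seconds < day:
        return f"{seconds / hour:.1f} hrs"
    if seconds < 2 * year:
        return f"{seconds / day:.1f} days"
    return f"{seconds / year:,.0f} years"


def estimate_table(lengths, charset="digits"):
    """Return {length: (bits, worst_case, average)} rows for one charset."""
    return {
        n: (round(entropy_bits(n, charset), 1),
            humanize(worst_case_seconds(n, charset)),
            humanize(average_seconds(n, charset)))
        for n in lengths
    }


if __name__ == "__main__":
    print("Random decimal passcode (tweet's assumption, throttling bypassed):")
    for n, (bits, worst, avg) in estimate_table([4, 6, 8, 10]).items():
        print(f"  {n:2d} digits: {bits:5.1f} bits, ~{worst} worst (~{avg} avg)")
    print("Custom alphanumeric code at the same guess rate:")
    for cs in ("alnum", "alnum+symbols"):
        for n, (bits, worst, avg) in estimate_table([8, 12], cs).items():
            print(f"  {n:2d} chars [{cs}]: {bits:5.1f} bits, ~{worst} worst (~{avg} avg)")
```

The decimal rows land on the tweet’s numbers (13.3 min, 22.2 hrs, 92.6 days, 9259 days worst case), while an 8-character mixed-case alphanumeric code is already in the hundreds of thousands of years at that rate, which is the whole argument for the custom alphanumeric option.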
Do I have something to hide? Nope. But the reason I lock my front door, have security cameras and an alarm system, and don’t invite random people in to dig through my drawers or important papers in filing cabinets, IS THAT MY STUFF IS *MY* STUFF AND PRIVATE! I intend to keep it that way, so I protect the shit out of things I want to keep private AND SECURE.
If you travel outside the U.S. like my wife and I do and come back in with your device, TURN IT OFF. That is because U.S. Customs is increasingly grabbing travelers’ devices and disappearing with them to a back room, apparently to hook them up to a device that sucks off all the data. While this hasn’t yet directly affected U.S. citizens, there is nothing stopping other countries from doing the same thing.
Plus, once all of your data is captured, government agencies have enough cracking resources to take their time cracking the device data they have previously stored. It might take them a year, or, after quantum computing becomes a reality (if it isn’t already real) in the next several years, those cracking times may be reduced from days or years to minutes.
Police agencies within the United States may also be less adherent to the U.S. Constitution and Bill of Rights when it comes to the gray area surrounding digital searches and seizures, even though in 2014 the U.S. Supreme Court addressed two cases, Riley v. California and United States v. Wurie, dealing with cell phone searches and the search-incident-to-arrest exception to the warrant requirement. During searches incident to arrest, the high court has not required warrants under certain circumstances where protecting officer safety and preventing evidence destruction are at issue. For more, read this at FindLaw.
The U.S. Border Patrol also could be in a position to do whatever they damn well please — within 100 miles of the U.S. border — as you can see from this article at the American Civil Liberties Union (ACLU).
What Can You Do?
- How to Create a Password You Can Remember
- Four Methods to Create a Secure Password You’ll Actually Remember
- Know Your Rights is a good primer; you should read it now at the Electronic Frontier Foundation and download their printable “pocket guide” here.
The Department of Homeland Security (DHS) is doing something unprecedented for a tactical government bureau: they just released a draft request for companies to bid on their “Media Monitoring Services.” This request from DHS seeks a firm that could build them a searchable database that has the ability to monitor up to 290,000 global news sources:
Services shall enable [the DHS’s National Protection and Program’s Directorate] to monitor traditional news sources as well as social media, identify any and all media coverage related to the Department of Homeland Security or a particular event. Services shall provide media comparison tools, design and rebranding tools, communication tools, and the ability to identify top media influencers.
They’re claiming “standard practice,” but DHS is NOT an intelligence service, and global monitoring is what the National Security Agency and the Central Intelligence Agency perform. WTF is DHS going to do with this sort of database? Why do they need “media influencers” and “bloggers”? The request specifically asks for:
24/7 Access to a password protected, media influencer database, including journalists, editors, correspondents, social media influencers, bloggers etc.
Most troubling was their intent to have this database indicate what the coverage “sentiment” is:
[The database shall have the] ability to analyze the media coverage in terms of content, volume, sentiment, geographical spread, top publications, media channels, reach, AVE, top posters, influencers, languages, momentum, circulation.
Why am I concerned and bringing forth a story like this one? Because our Department of Homeland Security potentially has an enormous tactical advantage set forth in the Constitution that could allow them to subvert our protections under that very Constitution and our Bill of Rights. Don’t believe me or think I’m paranoid? Then read this about our Constitution and the 100-mile border zone within which DHS could essentially do whatever they damn well please, like searching our “sentiments” when we’re within a border zone and restricting our movements if we’re deemed a threat to homeland security.
To say the shit hit the fan after this release is an understatement. Here is a Google search that has articles from Forbes, Bloomberg, CBS News, CNN, Chicago Sun-Times, and a host of others. Here is a Twitter search to allow you to read thousands of tweets questioning why in the world DHS needs such a database.
Many of us “bloggers” also leapt on this story, as it is clearly easier for DHS to level suspicions at us. It’s also significantly easier to intimidate an individual than an institution filled with journalists like CBS News or CNN.
That said, other government agencies, like the FBI, have adopted secret rules to spy on journalists who publish classified information and hunt down their anonymous sources.
While all the articles I read were questioning the ‘why’ behind having this database, DHS’s spokesperson, Tyler Q. Houlton, had this to say in response to their sh*t hitting the media’s fan:
Despite what some reporters may suggest, this is nothing more than the standard practice of monitoring current events in the media. Any suggestion otherwise is fit for tin foil hat wearing, black helicopter conspiracy theorists. https://t.co/XGgFFH3Ppl
— Tyler Q. Houlton (@SpoxDHS) April 6, 2018
My gut tells me that the “why” behind this database is that DHS wants to have a searchable one so they can perform quick lookups for those crossing our borders, being stopped at checkpoints, and potentially for those of us who happen to be within 100 miles of any border.
Read the bid yourself below or download it here: RNBO-18-00041_SOW_-_Draft (1)
We are living in a time when the President of the United States calls any news organization whose reporting he doesn’t like “fake news.” It is also a time when news organizations struggle to remain relevant, even as the internet enables news to travel around the planet in milliseconds. With all the options for news, few are willing to spend any money to support them.
This morning I donated $50 to The Guardian, a paper headquartered in London with a major U.S. presence in New York, and one I read almost every day. Their journalism is top-notch and they’ve revealed numerous important stories like the National Security Agency’s PRISM program and the Panama Papers.
I have also continually supported my local paper, the Minneapolis StarTribune, but also the phenomenal New York Times and The Washington Post, organizations that have continued to demand truth from the powerful, report on them when they go astray, and help keep us on track as a nation.
I absolutely believe that a free press is vital to our democracy and freedom. The founders of the United States of America knew how important freedom of the press was to democracy, so they made the very first amendment to the Constitution one that would protect it.
Without the press — and I’m including television and internet-based news too — who would hold accountable those who would seize power? The ones in power who seemingly delight in telling us untruths, make up their own facts, and lie to our faces like our current administration does?
It made me realize that I have to vote with my pocketbook. Think about the news organizations you read often and make a donation or subscribe. You don’t want to rely on some blog or, God forbid, what some government mouthpiece wants you to believe. You want the truth. We all need the truth.
Democracy will die without truth. Take a moment right now to choose one or two news organizations and donate something to them.
Photo courtesy Electronic Frontier Foundation
Though I’ve been following this story at the Electronic Frontier Foundation’s website (see Geek Squad’s Relationship with FBI Is Cozier Than We Thought), it was today’s Ars Technica article that really got my blood boiling (see Best Buy defends practice of informing FBI about child porn it finds).
In a statement sent to Ars on Tuesday, Best Buy wrote that it continues to “discover what appears to be child pornography on customers’ computers nearly 100 times a year. Our employees do not search for this material; they inadvertently discover it when attempting to confirm we have recovered lost customer data.”
While I’m the last guy to defend anyone who has child porn they’ve gathered and stored on their computer or device, the big issue is this: Best Buy **must be** using forensic tools to actively search the entire hard drive — including cached images — and then Geek Squad humans ARE ACTIVELY VIEWING every .jpg, .png, or raw image on the computer or device and getting paid to do it!
Otherwise, how else could they possibly determine something is “child porn” without looking at it?
On my main computer (and external hard drives) I have nearly 50,000 images I’ve taken, scanned, or my family has taken and I’m storing them in a central location (and, before you ask, there is NO porn…child or otherwise). If you were a Geek Squad worker, there is no way you could be recovering one of my hard drives and have a clue what those images are, unless you looked at them OR had a forensic tool that enabled you to find every image on a computer or device so you could skim through them.
That EFF article had this to say about Geek Squad using forensic tools (my emphasis):
But some evidence in the case appears to show Geek Squad employees did make an affirmative effort to identify illegal material. For example, the image found on Rettenmaier’s hard drive was in an unallocated space, which typically requires forensic software to find. Other evidence showed that Geek Squad employees were financially rewarded for finding child pornography. Such a bounty would likely encourage Geek Squad employees to actively sweep for suspicious content.
Even if a computer owner inadvertently ends up on a website that has such images — by following some link — and then takes their computer in for Geek Squad service, those images are in the browser cache, so that person could be instantly branded a child porn lover or pedophile and turned over to the FBI. Unless you are smart enough to use FileVault on the Mac or TrueCrypt for Linux or PC and encrypt your drives (like I do), they can see anything-and-everything once recovered.
What if a rogue Geek Squad person looked at your important documents? Maybe copying down account or social security numbers, poking through email text files, or otherwise digging through all your digital files when your computer or device was in there for repair?
Remember: Defending against illegal searches and seizures means forcing law enforcement to abide by the Constitution and get a warrant. Not paying off or otherwise coercing a company’s employees to do the FBI’s illegal forensics for them.
Especially when everyone knows that if an illegal search and seizure is labeled an investigation into “child porn” or “terrorism,” the stupid usually roll over and let law enforcement do whatever they want. Unless you, like I do, find this practice and Best Buy’s collusion to be an illegal search and seizure (especially since the FBI paid them to do it), get mad about it, and take some action.
For more see these:
- Washington Post article: If a Best Buy technician is a paid FBI informant, are his computer searches legal?
- If you don’t know what law enforcement can-and-cannot do, take a look at this: Searches and Seizures: The Limitations of the Police
Healthcare costs are out of control and, in particular, negatively impact those of us whose healthcare is individually insured in the United States (the U.S. Census Bureau states that approximately 9% of us 323.1 million Americans are individually insured or uninsured).
There is no pricing transparency and healthcare is not a free market.
Whether it is the wildly differing prices for an MRI or our costs for pharmaceuticals being among the highest in the world, the fact that there is no transparency, near-zero alternatives, little power for consumers to drive costs lower, and that most of the health-insured in America don’t shop around since they are only responsible for a low co-pay amount, means this is a market ready for massive disruption.
This massive disruption may start with Amazon inserting itself into the drug supply chain and disrupting it, as you’ll see below.
My post from yesterday about Why Trump and the GOP’s Healthcare Approach is a Barrier to Entrepreneurs compelled me to add something today about healthcare costs, specifically because our current president and Congressional leadership are doing nothing about controlling costs of pharmaceuticals, wildly different prices for procedures, and positioning consumers to shop around for lowest prices in order to create an actual free market.
This Wikipedia article points out why U.S. healthcare costs are so high and that it’s not a free market and outcomes are lacking:
Unlike most markets for consumer services in the United States, the health care market generally lacks transparent market-based pricing. Patients are typically not able to comparison shop for medical services based on price, as medical service providers do not typically disclose prices prior to service. Government mandated critical care and government insurance programs like Medicare also impact market pricing of U.S. health care. According to the New York Times in 2011, “the United States is far and away the world leader in medical spending, even though numerous studies have concluded that Americans do not get better care” and prices are the highest in the world.
As patients we generally do not have access to pricing information until after medical services have been rendered which is fundamentally flawed and goes against everything I believe in when it comes to the free market.
Would you buy ANYTHING if the manufacturer or retailer didn’t tell you until AFTER the purchase how much it would cost? Of course you wouldn’t. But that is EXACTLY what happens when you have a co-pay and figure that you’ll let the insurance company and provider fight it out over price since you only have to pay some nominal amount.
Here’s one example which, if you had to buy it yourself (like I would since our family is individually insured), is a reason I’m so up-in-arms about healthcare costs: A chest MRI in Minneapolis (where I’m from) is available from standalone MRI businesses for $460. One hospital here charges $2,026 for the same MRI! (from this article).
It gets worse with pharmaceuticals but maybe Amazon will come to the rescue.
As small business owners, my wife and I are one of the 18 million individually insured families in the United States. In addition, since I’ve been in the tech community in Minnesota for my entire career (and also published Minnov8.com for over a decade), I know all too well the only way most startups can happen is if a spouse has healthcare insurance. You’ll see why in a moment.
This morning I received an email from our Minnesota healthcare insurance exchange, called MNSure, about a ‘sneak peek’ at 2018 health care plans. I immediately went there and discovered that the plan we’ve been on for 2017 has our family monthly premium rising by $200 a month to *over* $2,000.
The ‘range’ for our out-of-pocket medical expenditures goes from a yearly “low at $25,115” (for which there is a 17% chance we’d actually be on the low side) to a “bad at $37,815” (and a 12% chance at that). The average is $31,155.
When you add up all the out-of-pocket prescriptions and little “nits” we pay, I’m gonna guess we’ll shell out $35,000 or so like we did the last couple of years.
WHO THE HELL CAN AFFORD THAT KIND OF AFTER-TAX MONEY!?! More to the point, even with a Health Savings Account (HSA) — which can’t be used for the $24,514.80 in premiums we’ll pay for 2018 — the total amount we will pay out for medical stuff is 73% of the U.S. mean household income (that mean is $72,641 and I’m assuming a conservative and low 35% paid in taxes).
Yes, Affordable Care Act subsidies still exist, but don’t Trump and his GOP minions truly understand that the #1 roadblock to startups in the U.S. is the enormity of individually insuring one’s family?
There is no f__ing way I’d start up a tech company today if my family was still young and take the risk of no insurance — or having a wildly expensive plan that would virtually guarantee we’d fail without significant VC backing — since there were many times in our past small business owning lives when we didn’t take a salary, sometimes for a couple of months at a time.
Hope they think about this as they stumble their way forward trying to hide the fact they don’t give a shit about the lower, middle or upper middle classes in America.
By now you should have heard at least something about the WannaCry ransomware attack that’s been going on over the last few days. When I ask people about it and what they know, most have vague responses like, “those computers must be old or not updated” or “people were stupid and did something wrong.”
While both have some truth in them, this analysis by Richard Clarke* about an ABC News story on WannaCry had one of the best paragraphs describing the #1 problem I’ve been mad about for years, which was the root cause of this cyberattack, namely that the NSA is not disclosing so-called zero-day vulnerabilities (zero-days are vulnerabilities not yet known to the vendor, so the vendor cannot fix them):
First, America’s own National Security Agency (NSA) found the vulnerability in Microsoft Windows that would permit a hacker to gain control of a device. When the agency found that vulnerability, it should have told Microsoft right away, so that the error could have been fixed as part of the regular monthly “patching” program without calling attention to it.
Yep. The NSA should have told Microsoft right away so they could patch the vulnerability but then the NSA couldn’t use it themselves. The NSA has a long history of not disclosing vulnerabilities though the NSA chief claims they do disclose 91% of them (which means they likely keep the good stuff, the other 9% that are devastating like WannaCry has been when leaked, to themselves).
Clearly there needs to be a balance, as this Georgetown Security Studies article suggests, between national security and actions that cause national weakness, which I would argue the NSA is doing by keeping vulnerabilities to themselves. The NSA could go a long way toward protecting the American people by disclosing vulnerabilities that are obvious to them and potentially crippling to our nation, as well as not being breached and having their tools stolen.
That Georgetown article had these words to say about the United States’ Vulnerabilities Equities Process (VEP), which should compel the NSA to be more forthcoming, but it contains a loophole that exempts anything discovered before 2014 from disclosure (which covers millions upon millions of computers and servers running older versions of operating systems and software):
Established under President Barack Obama in 2014, the Vulnerabilities Equities Process (VEP) is an interagency framework used to determine whether the US government and its contractors should disclose software and hardware vulnerabilities to the public and private sector or foreign allies.
The public and private sector have increasingly called for full transparency of the VEP and disclosure of all known exploits. According to the National Security Agency (NSA) Director Admiral Michael Rogers, the NSA shares more than 90% of the vulnerabilities it discovers. However, the VEP currently provides a loophole that exempts any vulnerabilities discovered before 2014 from the vetting process. This is problematic for transparency given the long shelf life of a zero-day.
Sadly, I don’t think the current White House administration will do anything to thwart the NSA’s runaway, do-anything-they-want agenda. Transparency is certainly not their forte, so my expectations are low.
Let’s hope Congress steps in and helps drive national cyber security a little harder when it comes to the NSA actually caring about national internet security vs. just performing signals intelligence while the nation’s I.T. infrastructure is hacked.
This WannaCry ransomware attack is a wakeup call to this nation (and the world) that all of the intelligence agencies (we’re looking at you too, CIA) had better start helping the world instead of acting like a bunch of high school hackers exploiting whatever weakness they can before they are found out and get caught.
Several people I know have asked me for guidance on how to secure their communications prior to Trump taking office. The reason they are concerned is the same reason I am: The Trump administration could very well accelerate (or use extensively) the vacuum mass surveillance apparatus put in place by the National Security Agency.
Electronic Frontier Foundation Guide
Here is the guide you should use for staying safe with email, chat, voice calls, if you’re at a protest, and so on.
Modern technology has given those in power new abilities to eavesdrop and collect data on innocent people. Surveillance Self-Defense is EFF’s guide to defending yourself and your friends from surveillance by using secure technology and developing careful practices.
The guide goes from an Overview, if you’ve not yet secured your computer, tablet or smartphone, to Tutorials that include step-by-step guides on how to install software and tools, and finally to Briefings, which are detailed guides for specific situations.
Bonus link from The Intercept: Surveillance Self-Defense Against the Trump Administration
Could Trump Accelerate the Use of NSA’s “Google for Private Communications?”
Yes, possibly and perhaps even likely. I would say it is likely since the Trump administration people—especially those like the highly controversial pick of advisor to the president, Steve Bannon—won’t be able to help themselves with the power of the office and the tools at their disposal…so I am going to assume the answer is yes, they will.
One of those tools is XKEYSCORE, the name of the NSA’s Google-like search engine and one of the agency’s “…most powerful tools of mass surveillance (which) makes tracking someone’s Internet usage as easy as entering an email address, and provides no built-in technology to prevent abuse.”
The NSA’s XKEYSCORE program, first revealed by The Guardian, sweeps up countless people’s Internet searches, emails, documents, usernames and passwords, and other private communications. XKEYSCORE is fed a constant flow of Internet traffic from fiber optic cables that make up the backbone of the world’s communication network, among other sources, for processing. As of 2008, the surveillance system boasted approximately 150 field sites in the United States, Mexico, Brazil, United Kingdom, Spain, Russia, Nigeria, Somalia, Pakistan, Japan, Australia, as well as many other countries, consisting of over 700 servers.
NOTE: All we actually know of XKEYSCORE is from 2013 and no one knows what advances have been made in the last three years. The deep concern is that the tool has become more powerful, and access could be as simple as logging in with a White House web browser. Imagine that someone’s full communications portfolio is instantly laid out for review by anyone wanting to know what you’re texting, browsing, who you’re calling and more, all at the click of a mouse.
Unless, of course, your communications are secure.
I hope I’m wrong and President-elect Trump becomes a centrist and moves away from his childish, vindictive behaviors. That hope extends to Trump stopping his being tone-deaf on what more than half this country needs from a president. But I don’t believe in fairy tales, magic, or that “God will make it OK” like many people I know believe.
Instead, my communications are already secure so I highly recommend you make your communications secure and do so right now…while you still can.
Apple’s 1984 ad introducing the Macintosh in January of 1984, with Donald Trump in the role of overlord, about to be overturned by a disruptor with a sledgehammer
Yeah…he’s scary and I’m disappointed he won too. But it was a close election with Clinton winning the popular vote with 59,943,009 votes (47.7%) and Trump with 59,705,048 votes (47.5%). We all now know that Trump won the should-now-be-abolished electoral college with 279 votes vs. Clinton’s 228 and he’s our (shudder) president-elect.
Turns out that the 47.7% who did NOT support Trump are quite unhappy about getting a clown as president and there are protests in the streets, uncertainty everywhere, and the circus will soon arrive in our nation’s capital.
Fortunately the 47.5% who DID vote for Trump are incredibly excited because “it was God’s will” (which they influenced ’cause they prayed a lot), they now have a shot to delete the Affordable Care Act, overturn Roe v. Wade, revert to marriage as “one man, one woman”, get rid of Muslims, Mexicans, Somalis, and anyone who doesn’t look like them, invest in the military so we can crush all global militaries 10 times over instead of just 7 times over, and make sure that “political correctness” dies like Trump would speaking to a group of millennials.
But hey…we’ve got nearly two months left before we have to go nuts against a Trump administration and fight what will certainly be the attempted execution of an old man’s vision for the United States of America.
Until then it’s time for a chuckle. Here are a few videos that will hopefully help you overcome your stunned disbelief:
If I was 25 years old right now I’d probably be feeling pretty hopeless. Is it any wonder everyone, including young people, is furious and feeling hopeless? But this post will focus on our children, the world they have already inherited, and how they still have optimism about the future.
Right after September 11, 2001, I remember peeking into each of my kids’ bedrooms before going to bed myself. Our daughter was 13 years old and our son was about to turn 7 years old. After that devastating day I stood there saddened when considering the world they were going to inherit, and I felt a twinge of hopelessness.
That feeling turned into irritation and then anger as the months unfolded. I saw the 9/11 tragedy turned into a justification for war, one where the slimmest amount of intelligence possible was used as justification for invading Iraq and Afghanistan.
From 2002 through 2008 I grew increasingly concerned as the Bush administration seemed to be bending the rules of intelligence with CIA ‘enhanced interrogation’ and rendition, along with initiatives like Total Information Awareness (TIA). TIA was killed off, but as we now know thanks to Edward Snowden’s revelations, any paranoia and concern I had at the time paled in comparison to what was really going on, as the goals and objectives of TIA lived on.
Next came the global economic meltdown, inadvertently created by the financial services industry whose greed overshadowed their fiduciary responsibilities and destroyed the economy. A greed, I might add, that was fueled by the laissez faire attitude toward oversight and regulation by the GOP and Bush administration. The same administration that squandered a surplus while cutting taxes and going to war. According to The Center on Budget and Policy Priorities:
“If not for the Bush tax cuts, the deficit-financed wars in Iraq and Afghanistan, and the effects of the worst recession since the Great Depression (including the cost of policymakers’ actions to combat it), we would not be facing these huge deficits in the near term. By themselves, in fact, the Bush tax cuts and the wars in Iraq and Afghanistan will account for almost half of the $20 trillion in debt that, under current policies, the nation will owe by 2019. The stimulus law and financial rescues will account for less than 10 percent of the debt at that time.”
Add to all of this the student debt crisis. The Economist reported in June 2014 that U.S. student loan debt exceeded $1.2 trillion, with over 7 million debtors in default. Today, there is approximately $1.3 trillion of outstanding student loan debt in the U.S. that affects 43 million borrowers who have an average outstanding loan balance of $30,000.
Lastly we have the Wells Fargo controversies which have shown that even one of the most profitable, respected banks in the world is no better than a plaid-sports-coat wearing salesman hawking non-running used cars on some inner city lot.
How can we not all be FURIOUS and filled with RAGE? If I was 25 years old I’d be marching in the street, campaigning for Bernie Sanders, and doing whatever I could to change the system and make a wholesale change in Congress.