The Breakfast Club (FREAK Out)

Well, I had hoped for a nice quiet discussion of wave/particle duality again because there are new developments that are worthy of note or perhaps a good chuckle at Homer Simpson predicting the GeV of the Higgs Boson to within experimental error because I’m just a sucker for the intricacies of Quantum Physics, BUT…

The big news of the day is on the technology front and particularly NSA v. Encryption.

Now I’ll take it as a given that you know thanks to Ed Snowden and Thomas Drake and subsequent public testimony that the NSA is obsessed as an organization by collecting every communication you have.  What you may not know is how far back that goal goes and why it compromises all of our security.

Way back in the days of the Big Dog when all we had to worry our pretty little heads about was blowjobs and blue dresses the Internet started gaining steam as a place to buy things.  People were rightly concerned about personal information and credit card numbers falling into the hands of thieves (though I’ll tell you quite frankly that you’re in much more danger from your food server if you’re a bad tipper because they have plenty of time alone with your card to write down all your imprint numbers as well as the ones that are just printed which is sufficient for ruining your credit by telephone, let alone computer).

Anyhow the major Internet Retailers and the companies that served them started demanding an encryption scheme to bolster public confidence that it was safe to buy things.  Thus Secure Sockets Layer (SSL).

Even this paltry (and believe me it is, though I recommend the study of The Reichenbach Fall because not everything is complicated and mysterious) level of security was deemed by the NSA “too dangerous for export” so they made an even weaker one with 40 bits of encryption instead of 128 (too hard, my brain hurts) for use overseas.

Well, Moore’s Law and all, and today even 128 bit encryption is somewhat passe and 40 bit can be cracked in 7 hours using Amazon Cloud computers.

The reason this is important is because websites, in order to be compatible globally, are designed to accept ‘export’ keys as valid along with ‘domestic’ keys.  A switch in the site software allows them to be forced into ‘export’ key mode via a third party who is not a valid client and once that is done it’s easy to conduct man-in-the-middle attacks that compromise the connection by appearing as the host site to the client and a valid client to the host.

Now I’ve been very careful to try and make it clear that this is not a bug or a flaw.  The NSA deliberately influenced the design of the standard to make this possible.

Since then there have been new standards adopted that are not subject to this type of spoofing, but adoption inertia being what it is over a third of websites worldwide are vulnerable including the NSA’s.

So what is the solution?  For a user nothing much, browsers are rightly designed to be compatible with as many sites as possible.  If you are paranoid enough you can get software plugins that ‘protect’ you from vulnerable sites, but ‘protect’ in this case means you can’t use them.  Secure browsers like Tor already do this and as I’ve said before what’s notable about them in action is how many things you used to do that you can’t anymore.

For sites there is a minor code fix that won’t allow a third party to force ‘export’ mode and we will see a rush of them implementing it.

What makes it interesting politically is context.  In recent months tech companies have been forced by public demand to implement more secure encryption schemes.  The NSA in turn has been petulantly stamping its feet and holding its breath in a tantrum insisting that these be designed with backdoors that can be accessed by State Spy Services.  They claim that this can be done so that only ‘responsible’ parties acting under the rule of law will have these abilities.

There are at least 2 problems with this.  First, a backdoor is a backdoor and anyone can use it.  It doesn’t care if you’re a White or a Black Hat, it’s just a door.  Second, other governments are demanding the same thing.  Governments like China.  If you’re the NSA it’s pretty hard to make the case that our computer communications should be less secure so that China can spy on them.

In the long run either our Representatives will put a stop to this or Engineers will make it technically impossible.  Mr. Market will be served.  In a positive sign this will happen the NSA was forced to give up crypto restrictions in 2000 because it was ruining the export business of the tech titans.  Given what we are aware of today I don’t think it will be nearly that long before the blowback begins.

FREAK: Another day, another serious SSL security hole

by Steven J. Vaughan-Nichols, ZDNet

March 3, 2015 — 22:19 GMT

It seemed like such a good idea in the early 90s. Secure-Socket Layer (SSL) encryption was brand new and the National Security Agency (NSA) wanted to make sure that they could read “secured” web traffic by foreign nationals. So, the NSA got Netscape to agree to deploy 40-bit cryptography in its International Edition while saving the more secure 128-bit version for the US version. By 2000, the rules changed and any browser could use higher security SSL. But that old insecure code was still being used and, fifteen years later, it’s come back to bite us.

The Washington Post reported today that cryptographers from IMDEA, a European Union research group; INRIA, a French research company; and Microsoft Research have found out that “They could force browsers to use the old export-grade encryption then crack it over the course of just a few hours. Once cracked, hackers could steal passwords and other personal information and potentially launch a broader attack on the Websites themselves by taking over elements on a page, such as a Facebook ‘Like’ button.”



Nadia Heninger, a University of Pennsylvania cryptographer, told the Post, “This is basically a zombie from the ’90s… I don’t think anybody really realized anybody was still supporting these export suites.”

Heninger, who has been working on cracking the obsolete 40 to 512-bit RSA encryption keys, found that “she could crack the export-grade encryption key in about seven hours, using computers on Amazon Web services.” Once done, this enables hackers to easily make “man-in-the-middle” attacks on the cracked websites.

Guess what? Over a third of “encrypted” websites, according to tests made by University of Michigan researchers J. Alex Halderman and Zakir Durumeric, are open to FREAK attacks. Specifically, OpenSSL and Apple TLS/SSL clients such as the Safari Web browser are vulnerable to FREAK. When using these programs, it’s relatively simple to downgrade their “secure” connections from “strong” RSA to the easy-to-break “export-grade” RSA.

All of this has happened because as Matthew Green, a cryptographer and research professor at Johns Hopkins University, succinctly put it, the NSA made sure that the early “SSL protocol itself was deliberately designed to be broken.”

And, now, it has been. It’s just that it’s now open to being broken by anyone with basic code-breaking smarts and easily available computer resources. The key problem is that OpenSSL and Safari both contain bugs that cause them to accept “RSA export-grade keys even when the client didn’t ask for export-grade RSA.”

Websites, generally speaking only create a single export-grade RSA key per session. They, like Apache with mod_ssl, will then re-use that key until the web server is rebooted. Thus, if you break a site once, chances are you’ve broken into it for days, weeks, even months.

Many of the websites that are “FREAKable” seem to be on Content Delivery Networks (CDN)s such as Akamai. That’s the reason why, for example, the NSA site is vulnerable. Akamai is working on fixing its web servers.
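The client bug quoted above (accepting export-grade RSA keys the client never asked for), modelled in Python next to the stricter check, together with a simple audit for export suites in a server's enabled list. This is an added example, not code from the article, OpenSSL or Apple; `ServerFlight`, the function names and the key sizes are assumptions for illustration, while the cipher-suite names are real IANA names.

```python
from dataclasses import dataclass
from typing import List, Optional


class HandshakeError(Exception):
    """Raised when the server's messages do not match what was negotiated."""


@dataclass
class ServerFlight:
    """What the client sees from the server (hypothetical, simplified model)."""
    chosen_suite: str                 # suite named in the ServerHello
    cert_key_bits: int                # RSA key size in the server certificate
    temp_rsa_key_bits: Optional[int]  # export-style temporary RSA key, if sent


def is_export_suite(name: str) -> bool:
    # IANA names for export-grade suites all carry an "_EXPORT" marker.
    return "_EXPORT" in name


def export_suites_enabled(enabled: List[str]) -> List[str]:
    """Server-side audit: which enabled suites are export-grade?"""
    return sorted(s for s in enabled if is_export_suite(s))


def lenient_client(offered: List[str], flight: ServerFlight) -> int:
    """Models the flawed behaviour: a temporary RSA key is used whenever one
    arrives, whether or not an export suite was negotiated.
    Returns the size of the RSA key that ends up protecting the session."""
    if flight.temp_rsa_key_bits is not None:
        return flight.temp_rsa_key_bits
    return flight.cert_key_bits


def strict_client(offered: List[str], flight: ServerFlight) -> int:
    """Models the corrected behaviour: the server's messages must be
    consistent with what the client offered and what was negotiated."""
    if flight.chosen_suite not in offered:
        raise HandshakeError("server chose a suite the client never offered")
    if flight.temp_rsa_key_bits is not None:
        if not is_export_suite(flight.chosen_suite):
            raise HandshakeError("temporary RSA key sent for a non-export suite")
        return flight.temp_rsa_key_bits
    return flight.cert_key_bits


# Constructed sample data, not taken from any real server or capture.
CLIENT_OFFER = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"]
SERVER_ENABLED = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
]
# The client asked only for strong RSA, yet a 512-bit temporary key shows up.
DOWNGRADED = ServerFlight("TLS_RSA_WITH_AES_128_CBC_SHA", 2048, 512)
HONEST = ServerFlight("TLS_RSA_WITH_AES_128_CBC_SHA", 2048, None)


def demo() -> dict:
    """Run both client models over the constructed flights."""
    try:
        strict_result = strict_client(CLIENT_OFFER, DOWNGRADED)
    except HandshakeError as exc:
        strict_result = f"rejected: {exc}"
    return {
        "server_export_suites": export_suites_enabled(SERVER_ENABLED),
        "lenient_key_bits": lenient_client(CLIENT_OFFER, DOWNGRADED),
        "strict_on_downgrade": strict_result,
        "strict_on_honest": strict_client(CLIENT_OFFER, HONEST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
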

Encryption Backdoors Will Always Turn Around And Bite You In The Ass

by Mike Masnick, Tech Dirt

Wed, Mar 4th 2015 10:50am

As you may have heard, the law enforcement and intelligence communities have been pushing strongly for backdoors in encryption. They talk about ridiculous things like “golden keys,” pretending that it’s somehow possible to create something that only the good guys can use. Many in the security community have been pointing out that this is flat-out impossible. The second you introduce a backdoor, there is no way to say that only “the good guys” can use it.

As if to prove that, an old “golden key” from the 90s came back to bite a whole bunch of the internet this week… including the NSA. Some researchers discovered a problem which is being called FREAK for “Factoring RSA Export Keys.” The background story is fairly involved and complex, but here’s a short version (that leaves out a lot of details): back during the first “cryptowars” when Netscape was creating SSL (mainly to protect the early e-commerce market), the US still considered exporting strong crypto to be a crime. To deal with this, RSA offered “export grade encryption” that was deliberately weak (very, very weak) that could be used abroad. As security researcher Matthew Green explains, in order to deal with the fact that SSL-enabled websites had to deal with both strong crypto and weak “export grade” crypto, — the “golden key” — there was a system that would try to determine which type of encryption to use on each connection. If you were in the US, it should go to strong encryption. Outside the US? Downgrade to “export grade.”



(T)he lesson of the story: backdoors, golden keys, magic surveillance leprechauns, whatever you want to call it create vulnerabilities that will be exploited and not just by the good guys.



Whether it’s creating vulnerabilities that come back to undermine security on the internet decades later, or merely giving cover to foreign nations to undermine strong encryption, backdoors are a terrible idea which should be relegated to the dustbin of history.

The law that entropy always increases holds, I think, the supreme position among the laws of Nature. If someone points out to you that your pet theory of the universe is in disagreement with Maxwell’s equations – then so much the worse for Maxwell’s equations. If it is found to be contradicted by observation – well, these experimentalists do bungle things sometimes. But if your theory is found to be against the second law of thermodynamics I can give you no hope; there is nothing for it but to collapse in deepest humiliation.

Sir Arthur Stanley Eddington, The Nature of the Physical World (1927)

Science News and Blogs

Science Oriented Video

Obligatories, News and Blogs below.

Obligatories

Welcome to The Breakfast Club! We’re a disorganized group of rebel lefties who hang out and chat if and when we’re not too hungover we’ve been bailed out we’re not too exhausted from last night’s (CENSORED) the caffeine kicks in. Join us every weekday morning at 9am (ET) and weekend morning at 10:30am (ET) to talk about current news and our boring lives and to make fun of LaEscapee! If we are ever running late, it’s PhilJD’s fault.

I would never make fun of LaEscapee or blame PhilJD.  And I am highly organized.

This Day in History

News

Snowden Says US Not Offering Fair Trial If He Returns

Reuters

March 04 2015 7:59 PM EST

“I would love to go back and face a fair trial, but unfortunately … there is no fair trial available, on offer right now,” he said from Russia in a live question and answer discussion organized by Canadian Journalists for Free Expression, Toronto’s Ryerson University and the Canadian Broadcasting Corp.

“I’ve been working exhaustively with the government now since I left to try to find terms of a trial,” he said.



During Wednesday’s discussion, in which he took questions via Twitter and from a Toronto audience, Snowden said Canada falls well below other Western nations in the level of oversight it puts on its spy agencies.

“Canadian intelligence has one of the weakest oversight frameworks out of any Western intelligence agency in the world,” he said.

New Zealand spying on Pacific allies for ‘Five Eyes’ and NSA, Snowden files show

by Toby Manhire, The Guardian

Thursday 5 March 2015 00.43 EST

The secret papers, published by the New Zealand Herald, show that the New Zealand Government Communications Security Bureau (GCSB) collects phone calls and internet communications in bulk in the region at its Waihopai Station intercept facility in the South Island.

Since a 2009 upgrade, Waihopai has been capable of “full take” collection of both content and metadata intercepted by satellite, the documents showed. The data is then channelled into the XKeyscore database run by the US National Security Agency, where it also becomes available to agencies in each of the “Five Eyes” countries: the US, Britain, Canada, Australia and New Zealand.



The papers – published by the Herald as part of a joint reporting operation with New Zealand investigative journalist Nicky Hager and the Intercept website co-edited by Glenn Greenwald – echo similar revelations from the earlier Snowden documents showing that Britain and the US had been spying on friendly neighbours in countries in the European Union and Latin America.

The regional surveillance conducted from the base covers Tuvalu, Nauru, Kiribati, Vanuatu and the Solomon Islands. New Caledonia and French Polynesia, both French overseas territories, are also among the listed countries. Although Samoa, Fiji, Tonga and Vanuatu are named, much of their data is now transmitted via undersea cable links that are not susceptible to Waihopai’s intercept satellites.



Andrew Little, the leader of the NZ opposition Labour party, said that while he accepted the need for security agencies to protect national interests, he was “stunned at the breadth of the information that’s been collected”.

In an interview with Radio New Zealand, Little said: “It doesn’t seem to be targeted around particular threats, whether there just seems to be a hoovering of all this information and supplying it to the United States. I can’t see that that’s within the security mandate of the GCSB.”

US General In Afghanistan Calls For Slower Troop Withdrawal Between Now And 2016

By Tyler McCarthy, International Business Times

March 04 2015 7:56 PM EST

U.S. Gen. John F. Campbell has thrown his hat into the ring of military and government leaders calling for President Barack Obama to reconsider his path to withdraw most troops from Afghanistan by 2016. Speaking recently to the House Armed Services Committee, the general said the U.S. may require troops removed from the country at a slower pace to allow them to complete their mission to train Afghan security personnel.

According to the Washington Post, Campbell testified that he would like to see how well the new “train, advise, assist commands” (TAACs) succeed in allowing senior Afghan military officials to stand on their own before reducing troop numbers to 5,500 by 2016, as currently planned.

“What I really want to make sure we can do is get through what we call a full fight season – April through the late-September time frame – focused on train, advise and assist, plus with our [counterterrorism] mission,” he said in the video posted below. “If we look at a downsize of 5,500, that potentially could take our eye off the focus of train, advise and assist when we really need it.”



U.S. Defense Secretary Ashton Carter already began managing people’s expectations about the withdrawal of troops from Afghanistan last month at a joint appearance in Kabul with Afghan President Ashraf Ghani.

“Our priority now is to make sure this progress sticks. That is why President Obama is considering a number of options to reinforce our support for President Ghani’s security strategy, including possible changes to the timeline for our drawdown of U.S. troops,” Carter said. “That could mean taking another look at the timing and sequencing of base closures to ensure we have the right array of coalition capabilities to support our Afghan partners.”

‘Cynical’ Obamacare Challenge Exposes Persistent Flaw of For-Profit System

by Deirdre Fulton, Common Dreams

Wednesday, March 04, 2015

The case hinges on just a handful of words in the massive bill – “through an exchange established by the state” – a phrase the plaintiffs claim is evidence that Congress intended to permit subsidies only for people who buy insurance through state-run exchanges.

But that argument is “fiction,” charged author and journalist Steven Brill at Reuters this week. “Provable fiction.”



At the New Yorker, legal analyst Jeffrey Toobin wrote, “the King case is notable mostly for the cynicism at its heart.”

Through extensive committee hearings and debates, as well as 25 consecutive days under consideration in the full Senate, “no member of Congress ever suggested that the subsidies were available only on the state exchanges,” he pointed out. “This lawsuit is not an attempt to enforce the terms of the law; it’s an attempt to use what is at most a semantic infelicity to kill the law altogether.”

Indeed, that is “the outcome that the plaintiffs in King vs. Burwell lawsuit are hoping for,” Suzy Khimm explained for MSNBC.

“Without the subsidies available on the federal exchanges, analysts believe that only the sickest patients will be willing to buy coverage and healthier patients will exit the insurance pool,” she wrote. “As a result, insurance premiums could skyrocket for everyone else who remains on the federal exchanges – what’s known in policy circles as an insurance ‘death spiral’.”

Experts say such a “death spiral” could jeopardize the entire law by driving up costs and making the marketplace unstable.

According to critics of the legal challenge, including The Nation magazine’s Katrina vanden Heuvel, that’s what Obamacare opponents like the Koch Brothers have been aiming for all along.

“The Kochs and their affiliated groups spent vast sums to try to stop the Affordable Care Act from passing in the first place; to unseat those that backed the law over the course of several election cycles; and more recently, to stymie the law’s implementation,” vanden Heuvel wrote on Monday. “And the influence of the Koch network pervades nearly every part of the challengers’ case in King v. Burwell.”

In fact, “much of the financial and legal muscle behind King v. Burwell directly traces back to Koch Industries,” vanden Heuvel continued. “The petitioner might be ‘King’ in body, but it’s Koch in heart, mind, spirit – and bank account.”

According to Physicians for a National Health Program (PNHP), which advocates for an expanded Medicare-for-All or single-payer health insurance system, all of this legal complexity could have been avoided if the ACA was not written to accommodate the private health insurance industry and other corporate, profit-oriented interests. PNHP argues that Obamacare’s complexity results in legal weakness, but that a single payer system would be simple: everyone in the U.S. would be covered for all medically necessary care in a single program financed by equitable taxes.

“The King v. Burwell case is yet another reason to swiftly move beyond the failing ACA to a simpler, publicly financed, improved-Medicare-for-All system,” said Dr. Robert Zarr, a Washington, D.C.-based pediatrician and president of PNHP. “Such a system would cover everyone, make care affordable, and control costs. Based on our experience with the Medicare program and the experience of other nations, we know it will work. It’s the only moral and fiscally responsible thing to do.”

Keystone Pipeline Veto Override Fails In Senate

By Morgan Winsor, International Business Times

March 04 2015 4:40 PM EST

The Senate fell five votes short of the 67 votes or two-thirds majority needed to overrule a presidential veto. According to the Hill, eight Democratic senators broke with Obama and voted with their GOP colleagues: Heidi Heitkamp of North Dakota, Mark Warner of Virginia, Claire McCaskill of Missouri, Bob Casey of Pennsylvania, Michael Bennet of Colorado, Tom Carper of Delaware, Jon Tester of Montana and Joe Manchin of West Virginia.

Manchin reportedly said the United States eventually will have to find a way to bring the oil to the country. “This is going to come back,” he told the Washington Times Wednesday.

The same eight Democrats also voted to approve the $8 billion project in January, when the measure passed in the Senate with 62 votes and in the House with 270 votes before meeting Obama’s veto in the Oval Office. It’s the third veto of his presidency but the most significant so far, the New York Times reported.

US ambassador to South Korea slashed with razor by political extremist

by Justin McCurry, The Guardian

Thursday 5 March 2015 02.35 EST

Lippert, who became Washington’s envoy in the South Korean capital in October 2014, was taken to hospital with cuts to his hand and face after the attack on Thursday morning. Officials said his injuries were not life-threatening.

His assailant, identified by police as 55-year-old Kim Ki-jong, carried out the attack while Lippert, 42, was attending a breakfast function at the Sejong Cultural Institute in the city centre of the South Korean capital.



Kim reportedly condemned joint military exercises being held by South Korea and the US, and called for the immediate reunification of the Korean peninsula. Social media pictures showed a blood-spattered tablecloth in front of the chair where Lippert had been seated.

As Darren Wilson Walks Free, DOJ Reveals Blatant Racism at Ferguson Police Department

by Lauren McCauley, Common Dreams

Wednesday, March 04, 2015

The federal investigation of Ferguson’s records from 2012 to 2014, the results of which were leaked to the press ahead of the formal announcement, found that although African Americans make up only 67 percent of the population, they constituted a highly disproportionate number of arrests. According to the probe, black citizens accounted for 93 percent of total arrests, 96 percent of people arrested in traffic stops solely for an outstanding warrant, 95 percent of jaywalking charges, 94 percent of failure-to-comply charges, and 92 percent of all disturbing-the-peace charges.

Further, the probe found that in 88 percent of the cases in which Ferguson police used force, it was against African Americans, while all 14 instances of police dog bites also involved black citizens.

The report also uncovered at least three internal emails that displayed blatant racism. According to the documents, in one instance a personnel member suggested that an increase in abortions by African American women would lower crime, while another email contained a cartoon depicting African Americans as monkeys.

Police killed more than twice as many people as reported by US government

by Tom McCarthy, The Guardian

Wednesday 4 March 2015 11.28 EST

The first-ever attempt by US record-keepers to estimate the number of uncounted “law enforcement homicides” exposed previous official tallies as capturing less than half of the real picture. The new estimate – an average of 928 people killed by police annually over eight recent years, compared to 383 in published FBI data – amounted to a more glaring admission than ever before of the government’s failure to track how many people police kill.

The revelation called into particular question the FBI practice of publishing annual totals of “justifiable homicides by law enforcement” – tallies that are widely cited in the media and elsewhere as the most accurate official count of police homicides.

The new estimates added crucial framing to a criminal justice crisis in the US that was coming into sharp focus this week. A Justice Department report expected to be published on Wednesday exposed serial civil rights abuses by police in Ferguson, Missouri. On Monday, the president’s taskforce on policing issued recommendations for better data collection as part of a call for top-to-bottom criminal justice reform.



The president’s warning of a national blind spot on police killings significantly amplified growing calls for policing reforms and for a revolution in crime statistics. Yet Obama did not, perhaps, capture just how bad the information was that the country has been working with. Independent tallies had previously indicated that the FBI’s “justifiable homicide” counts were flawed. But until recently, the FBI discouraged challenges to its numbers, insisting that they were carefully audited – and pointing out that the bureau, in any case, was required by law to publish them.

Tuesday’s bureau of justice statistics (BJS) report, produced in collaboration with RTI International, the research institute, explodes the notion – if its findings are accurate – that the figures the FBI publishes annually are anything other than hugely misleading.

New report shows widespread police discrimination against LGBT communities

Reuters

04 Mar 2015 at 17:30 ET

LGBT people of color and members of the transgender community were most targeted by police officers, according to a report produced by the Williams Institute at the UCLA School of Law. The study drew data from various recent national surveys, court cases and anecdotal evidence.

Forty-eight percent of LGBT victims of violence polled in a 2013 survey reported experiencing police misconduct, the UCLA report said. Nearly half of transgender respondents in another national survey said they felt uncomfortable seeking police assistance.



Law enforcement in the United States has a history of mistreating the LGBT community and discrimination and harassment continue to be pervasive, the report said.

Survey data, as well as individual testimonies and anecdotes, analyzed in the UCLA survey indicated how discrimination and abuse by police officers led to a weakening trust in law enforcement within the LGBT community and resulted in fewer crimes being reported to the authorities.

Major unions expected to stay neutral in tight Chicago mayoral run-off election

Reuters

04 Mar 2015 at 17:58 ET

Garcia’s surprisingly strong showing in a first round of voting on Feb. 24 prompted some big unions to see him as a viable challenger to the well-funded Emanuel and to rethink their neutral stance in the race for mayor of the country’s financially troubled No. 3 city.



The American Federation of State, County and Municipal Employees, or AFSCME, has decided to remain neutral in the April 7 runoff election, while a raucous disagreement over the mayor’s race between two large locals of the Service Employees International Union, or SEIU, may also end in a non-endorsement.



Garcia has raised only about $1.5 million, mostly from SEIU Healthcare and from the Chicago Teachers Union. The teachers clashed with Emanuel over school closures and briefly struck early in Emanuel’s first term over retirement benefits.

Newly Unveiled Texas School ‘Reform’ Proposals In Step With Right-Wing Agenda

by Deirdre Fulton, Common Dreams

Wednesday, March 04, 2015

Following a national trend, Texas Senate leaders this week announced an ambitious and ideologically driven education-reform agenda, which critics say is aimed at undermining public schools and advancing privatization.



The package garnered high praise from the wealthy Texans for Education Reform, an advocacy group accused of wanting to “drain money from public schools for more privately operated charter schools and online virtual learning, which offer opportunities for more enrichment in the entrepreneurial community, not opportunities for enriching the learning opportunities of thousands of Texas school children.”

The deep-pocketed organization grew out of the influential Texans for Lawsuit Reform, a conservative, ALEC-linked business group responsible for laws that have effectively prevented consumers from seeking damages from corporations.

“The Taylor-Patrick agenda is a grab-bag of failed ideas cribbed from the ALEC playbook,” Diane Ravitch declared in an op-ed Wednesday. “None of them has been beneficial to students or successful anywhere.”

The Texas State Teachers Association (TSTA), affiliated with the National Education Association, the state chapter of the American Federation of Teachers, and the Association of Texas Professional Educators all came out against the package of bills.

“None of the proposals offered by Senator Taylor and the Lieutenant Governor would give teachers and students the time and resources they need to improve teaching and learning,” said TSTA president Noel Candelaria. “The Taylor-Patrick agenda fails to meet the needs of 5 million public school students whose schools have been inadequately funded by the very legislators who are eager to declare schools a failure based on standardized test scores. Educators want legislators to demonstrate a genuine commitment to strengthening neighborhood public schools instead of handing them over to outsiders who have no direct stake in our students’ success.”

Blogs

Bonus Video
