The Breakfast Club (FREAK Out)

Well, I had hoped for a nice quiet discussion of wave/particle duality again, because there are new developments that are worthy of note, or perhaps a good chuckle at Homer Simpson predicting the GeV of the Higgs Boson to within experimental error, because I'm just a sucker for the intricacies of Quantum Physics, BUT...

The big news of the day is on the technology front and particularly NSA v. Encryption.

Now I'll take it as a given that you know thanks to Ed Snowden
and Thomas Drake and subsequent public testimony that the NSA is
obsessed as an organization by collecting every communication you have.
 What you may not know is how far back that goal goes and why it
compromises all of our security.

Way back in the days of the Big Dog, when all we had to worry our
pretty little heads about was blowjobs and blue dresses, the Internet
started gaining steam as a place to buy things.  People were rightly
concerned about personal information and credit card numbers falling
into the hands of thieves (though I'll tell you quite frankly that
you're in much more danger from your food server if you're a bad tipper,
because they have plenty of time alone with your card to write down all
your imprint numbers as well as the ones that are just printed, which is
sufficient for ruining your credit by telephone, let alone computer).

Anyhow the major Internet Retailers and the companies that served
them started demanding an encryption scheme to bolster public
confidence that it was safe to buy things.  Thus Secure Sockets Layer (SSL).

Even this paltry (and believe me it is, though I recommend the study of The Reichenbach Fall because not everything is complicated and mysterious) level of security
was deemed by the NSA "too dangerous for export" so they made an even
weaker one with 40 bits of encryption instead of 128 (too hard, my brain
hurts) for use overseas.

Well, Moore's Law and all: today even 128-bit encryption is somewhat passé, and 40-bit can be cracked in 7 hours using Amazon Cloud computers.

The reason this is important is that websites, in order to be
compatible globally, are designed to accept 'export' keys as valid along
with 'domestic' keys.  A switch in the site software allows them to be
forced into 'export' key mode by a third party who is not a valid
client, and once that is done it's easy to conduct man-in-the-middle attacks that compromise the connection by appearing as the host site to the client and as a valid client to the host.
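To make that downgrade concrete from the defender's side, here is an added Python example (not code from the original post) that parses a TLS ClientHello and ServerHello from raw bytes and reports the three symptoms of an export-grade downgrade: the client offering export suites, the server selecting one, and the server selecting a suite the client never offered (the fingerprint of a third party rewriting the handshake in transit). The handshake messages are constructed inline with zeroed randoms; the cipher-suite numbers are the IANA-registered identifiers.

```python
"""Added example: spot an export-grade (FREAK-style) TLS downgrade in captured
handshake messages. Not code from the original post; the handshake bytes are
constructed here for the demonstration."""
import struct

# RSA/DH export cipher suites from the IANA TLS Cipher Suite registry.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE = 0x16                      # TLS record content type
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def _handshake_body(record, expected_type):
    """Unwrap one TLS record and return the handshake message body inside it."""
    if len(record) < 9 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    payload = record[5:5 + rec_len]
    if len(payload) != rec_len:
        raise ValueError("truncated record")
    hs_type, hs_len = payload[0], int.from_bytes(payload[1:4], "big")
    if hs_type != expected_type or len(payload) < 4 + hs_len:
        raise ValueError("unexpected or truncated handshake message")
    return payload[4:4 + hs_len]


def parse_client_hello(record):
    """Return the list of cipher suite ids the client offered, in order."""
    body = _handshake_body(record, CLIENT_HELLO)
    pos = 2 + 32                      # skip client_version and random
    pos += 1 + body[pos]              # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def parse_server_hello(record):
    """Return the single cipher suite id the server selected."""
    body = _handshake_body(record, SERVER_HELLO)
    pos = 2 + 32
    pos += 1 + body[pos]
    return struct.unpack("!H", body[pos:pos + 2])[0]


def audit_handshake(client_hello, server_hello):
    """Return a list of findings; an empty list means no downgrade symptoms."""
    offered = parse_client_hello(client_hello)
    chosen = parse_server_hello(server_hello)
    findings = []
    for suite in offered:
        if suite in EXPORT_SUITES:
            findings.append(f"client offered export suite {EXPORT_SUITES[suite]}")
    if chosen in EXPORT_SUITES:
        findings.append(f"server selected export suite {EXPORT_SUITES[chosen]}")
    if chosen not in offered:
        # A selection the client never offered means someone rewrote the
        # ClientHello between client and server.
        findings.append(f"server selected suite 0x{chosen:04x} that the client never offered")
    return findings


# --- constructed sample messages (zeroed random, empty session id, TLS 1.2) ---
def build_client_hello(suites):
    body = b"\x03\x03" + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"               # one compression method: null
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_server_hello(suite):
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    modern = [0xC02F, 0x002F, 0x0035]  # ECDHE-RSA-AES128-GCM, RSA-AES128, RSA-AES256
    print("clean:", audit_handshake(build_client_hello(modern), build_server_hello(0x002F)))
    print("downgraded:", audit_handshake(build_client_hello(modern), build_server_hello(0x0003)))
    print("legacy client:", audit_handshake(build_client_hello(modern + [0x0003]), build_server_hello(0x0003)))
```

The "selected a suite the client never offered" finding is the one worth alerting on in a passive monitor: a server honouring export suites is a misconfiguration, but a ServerHello that disagrees with the ClientHello you actually saw leave the client is an active interception in progress. Modern TLS stacks no longer ship export suites at all, so the "client offered" finding today points at a badly outdated client.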

Now I've been very careful to try and make it clear that this is not a bug or a flaw.  The NSA deliberately influenced the design of the standard to make this possible.

Since then there have been new standards adopted that are not
subject to this type of spoofing, but, adoption inertia being what it is, over a third of websites worldwide are vulnerable, including the NSA's.

So what is the solution?  For a user, not much: browsers are
rightly designed to be compatible with as many sites as possible.  If
you are paranoid enough you can get software plugins that 'protect' you
from vulnerable sites, but 'protect' in this case means you can't use
them.  Secure browsers like Tor already do this, and as I've said before,
what's notable about them in action is how many things you used to do
that you can't anymore.

For sites there is a minor code fix that won't allow a third
party to force 'export' mode, and we will see a rush of them implementing
it.

What makes it interesting politically is context.  In recent
months tech companies have been forced by public demand to implement
more secure encryption schemes.  The NSA in turn has been petulantly
stamping its feet and holding its breath in a tantrum insisting that these be designed with backdoors that can be accessed by State Spy
Services.  They claim that this can be done so that only 'responsible'
parties acting under the rule of law will have these abilities.

There are at least 2 problems with this.  First, a backdoor is a
backdoor and anyone can use it.  It doesn't care if you're a White or a
Black Hat; it's just a door.  Second, other governments are demanding
the same thing.  Governments like China.  If you're the NSA it's pretty
hard to make the case that our computer communications should be less
secure so that China can spy on them.

In the long run either our Representatives will put a stop to
this or Engineers will make it technically impossible.  Mr. Market will
be served.  In a positive sign that this will happen, the NSA was forced to
give up crypto restrictions in 2000 because it was ruining the export
business of the tech titans.  Given what we are aware of today I don't
think it will be nearly that long before the blowback begins.

FREAK: Another day, another serious SSL security hole
by Steven J. Vaughan-Nichols, ZDNet

March 3, 2015 -- 22:19 GMT

It seemed like such a good idea in the early 90s.
Secure-Socket Layer (SSL) encryption was brand new and the National
Security Agency (NSA) wanted to make sure that they could read "secured"
web traffic by foreign nationals. So, the NSA got Netscape to agree to
deploy 40-bit cryptography in its International Edition while saving the
more secure 128-bit version for the US version. By 2000, the rules
changed and any browser could use higher security SSL. But that old insecure code was still being used and, fifteen years later, it's come back to bite us.

The Washington Post reported today that cryptographers from IMDEA, a European Union research group; INRIA, a French research company; and Microsoft Research have found out that "They could force browsers to use the old export-grade encryption then crack it over the course of just a few hours. Once cracked,
hackers could steal passwords and other personal information and
potentially launch a broader attack on the Websites themselves by taking
over elements on a page, such as a Facebook 'Like' button."

...

Nadia Heninger, a University of Pennsylvania cryptographer, told the
Post, "This is basically a zombie from the '90s... I don't think
anybody really realized anybody was still supporting these export
suites."

Heninger, who has been working on cracking the obsolete 40 to
512-bit RSA encryption keys, found that "she could crack the
export-grade encryption key in about seven hours, using computers on
Amazon Web services." Once done, this enables hackers to easily make
"man-in-the-middle" attacks on the cracked websites.

Guess what? Over a third of "encrypted" websites, according to
tests made by University of Michigan researchers J. Alex Halderman and
Zakir Durumeric, are open to FREAK attacks.
Specifically, OpenSSL and Apple TLS/SSL clients such as the Safari Web
browser are vulnerable to FREAK. When using these programs, it's
relatively simple to downgrade their "secure" connections from "strong"
RSA to the easy-to-break "export-grade" RSA.

All of this has happened because as Matthew Green, a
cryptographer and research professor at Johns Hopkins University,
succinctly put it, the NSA made sure that the early "SSL protocol itself was deliberately designed to be broken."

And, now, it has been. It's just that it's now open to being
broken by anyone with basic code-breaking smarts and easily available
computer resources. The key problem is that OpenSSL and Safari both
contain bugs that cause them to accept "RSA export-grade keys even when
the client didn't ask for export-grade RSA."

Websites, generally speaking only create a single export-grade
RSA key per session. They, like Apache with mod_ssl, will then re-use
that key until the web server is rebooted. Thus, if you break a site
once, chances are you've broken into it for days, weeks, even months.

Many of the websites that are "FREAKable" seem to be on Content
Delivery Networks (CDN)s such as Akamai. That's the reason why, for
example, the NSA site is vulnerable. Akamai is working on fixing its web
servers.

Encryption Backdoors Will Always Turn Around And Bite You In The Ass
by Mike Masnick, Tech Dirt

Wed, Mar 4th 2015 10:50am

As you may have heard, the law enforcement and intelligence communities have been pushing strongly for backdoors in encryption. They talk about ridiculous things like "golden keys,"
pretending that it's somehow possible to create something that only the
good guys can use. Many in the security community have been pointing
out that this is flat-out impossible. The second you introduce a
backdoor, there is no way to say that only "the good guys" can use it.

As if to prove that, an old "golden key" from the 90s came back to
bite a whole bunch of the internet this week... including the NSA. Some
researchers discovered a problem which is being called FREAK for "Factoring RSA Export Keys." The background story is fairly
involved and complex, but here's a short version (that leaves out a lot
of details): back during the first "cryptowars" when Netscape was
creating SSL (mainly to protect the early e-commerce market), the US
still considered exporting strong crypto to be a crime. To deal with
this, RSA offered "export grade encryption" that was deliberately weak
(very, very weak) that could be used abroad. As security researcher Matthew Green explains,
in order to deal with the fact that SSL-enabled websites had to deal
with both strong crypto and weak "export grade" crypto, -- the "golden
key" -- there was a system that would try to determine which type of
encryption to use on each connection. If you were in the US, it should
go to strong encryption. Outside the US? Downgrade to "export grade."

...

(T)he lesson of the story: backdoors, golden keys, magic surveillance leprechauns, whatever you want to call it create vulnerabilities that will be exploited and not just by the good guys.

...

Whether it's creating vulnerabilities that come back to undermine security on the internet decades later, or merely giving cover to foreign nations to undermine strong encryption, backdoors are a
terrible idea which should be relegated to the dustbin of history.

The law that entropy always increases holds, I think,
the supreme position among the laws of Nature. If someone points out to
you that your pet theory of the universe is in disagreement with
Maxwell's equations - then so much the worse for Maxwell's equations. If
it is found to be contradicted by observation - well, these
experimentalists do bungle things sometimes. But if your theory is found
to be against the second law of thermodynamics I can give you no hope;
there is nothing for it but to collapse in deepest humiliation.

-Sir Arthur Stanley Eddington, The Nature of the Physical World (1927)

Science News and Blogs

Science Oriented Video


Obligatories, News and Blogs below.

ek hornbeck :: The Breakfast Club (FREAK Out)
Obligatories 

Welcome to The Breakfast Club! We're a disorganized group of rebel lefties who hang out and chat if and when we're not too hungover we've been bailed out we're not too exhausted from last night's (CENSORED) the caffeine kicks in. Join us every weekday morning at 9am (ET) and
weekend morning at 10:30am (ET) to talk about current news and our
boring lives and to make fun of LaEscapee! If we are ever running late, it's PhilJD's fault.

I would never make fun of LaEscapee or blame PhilJD.  And I am highly organized.

This Day in History


News

Snowden Says US Not Offering Fair Trial If He Returns
Reuters

March 04 2015 7:59 PM EST

"I would love to go back and face a fair trial,
but unfortunately ... there is no fair trial available, on offer right
now," he said from Russia in a live question and answer discussion
organized by Canadian Journalists for Free Expression, Toronto's Ryerson
University and the Canadian Broadcasting Corp.

"I've been working exhaustively with the government now since I left to try to find terms of a trial," he said.

...

During Wednesday's discussion, in which he took questions via
Twitter and from a Toronto audience, Snowden said Canada falls well
below other Western nations in the level of oversight it puts on its spy
agencies.

"Canadian intelligence has one of the weakest oversight
frameworks out of any Western intelligence agency in the world," he
said.

New Zealand spying on Pacific allies for 'Five Eyes' and NSA, Snowden files show
by Toby Manhire, The Guardian

Thursday 5 March 2015 00.43 EST

The secret papers, published by the New Zealand Herald,
show that the New Zealand Government Communications Security Bureau
(GCSB) collects phone calls and internet communications in bulk in the
region at its Waihopai Station intercept facility in the South Island.

Since a 2009 upgrade, Waihopai has been capable of "full take"
collection of both content and metadata intercepted by satellite, the
documents showed. The data is then channelled into the XKeyscore
database run by the US National Security Agency, where it also becomes
available to agencies in each of the "Five Eyes" countries: the US,
Britain, Canada, Australia and New Zealand.

...

The papers - published by the Herald as part of a joint reporting
operation with New Zealand investigative journalist Nicky Hager and the
Intercept website co-edited by Glenn Greenwald - echo similar
revelations from the earlier Snowden documents showing that Britain and
the US had been spying on friendly neighbours in countries in the
European Union and Latin America.

The regional surveillance conducted from the base covers Tuvalu,
Nauru, Kiribati, Vanuatu and the Solomon Islands. New Caledonia and
French Polynesia, both French overseas territories, are also among the
listed countries. Although Samoa, Fiji, Tonga and Vanuatu are named,
much of their data is now transmitted via undersea cable links that are
not susceptible to Waihopai's intercept satellites.

...

Andrew Little, the leader of the NZ opposition Labour party, said
that while he accepted the need for security agencies to protect
national interests, he was "stunned at the breadth of the information
that's been collected".

In an interview with Radio New Zealand, Little said: "It doesn't
seem to be targeted around particular threats, whether there just seems
to be a hoovering of all this information and supplying it to the United
States. I can't see that that's within the security mandate of the
GCSB."

US General In Afghanistan Calls For Slower Troop Withdrawal Between Now And 2016
By  Tyler McCarthy, International Business Times

March 04 2015 7:56 PM EST

U.S. Gen. John F. Campbell has thrown his hat
into the ring of military and government leaders calling for President
Barack Obama to reconsider his path to withdraw most troops from
Afghanistan by 2016. Speaking recently to the House Armed Services
Committee, the general said the U.S. may require troops removed from the
country at a slower pace to allow them to complete their mission to
train Afghan security personnel.

According to the Washington Post,
Campbell testified that he would like to see how well the new "train,
advise, assist commands" (TAACs) succeed in allowing senior Afghan
military officials to stand on their own before reducing troop numbers
to 5,500 by 2016, as currently planned.

"What I really want to make sure we can do is get through what we
call a full fight season - April through the late-September time frame -
focused on train, advise and assist, plus with our [counterterrorism]
mission," he said in the video posted below. "If we look at a downsize
of 5,500, that potentially could take our eye off the focus of train,
advise and assist when we really need it."

...

U.S. Defense Secretary Ashton Carter already began managing people's
expectations about the withdrawal of troops from Afghanistan last month
at a joint appearance in Kabul with Afghan President Ashraf Ghani.

"Our priority now is to make sure this progress sticks. That is
why President Obama is considering a number of options to reinforce our
support for President Ghani's security strategy, including possible
changes to the timeline for our drawdown of U.S. troops," Carter said.
"That could mean taking another look at the timing and sequencing of
base closures to ensure we have the right array of coalition
capabilities to support our Afghan partners."

'Cynical' Obamacare Challenge Exposes Persistent Flaw of For-Profit System
by Deirdre Fulton, Common Dreams

Wednesday, March 04, 2015

The case hinges on just a handful of words in the
massive bill-"through an exchange established by the state"-a phrase
the plaintiffs claim is evidence that Congress intended to permit
subsidies only for people who buy insurance through state-run exchanges.

But that argument is "fiction," charged author and journalist Steven Brill at Reuters this week. "Provable fiction."

...

At the New Yorker, legal analyst Jeffrey Toobin wrote, "the King case is notable mostly for the cynicism at its heart."

Through extensive committee hearings and debates, as well as 25
consecutive days under consideration in the full Senate, "no member of
Congress ever suggested that the subsidies were available only on the
state exchanges," he pointed out. "This lawsuit is not an attempt to
enforce the terms of the law; it's an attempt to use what is at most a
semantic infelicity to kill the law altogether."

Indeed, that is "the outcome that the plaintiffs in King vs. Burwell lawsuit are hoping for," Suzy Khimm explained for MSNBC.

"Without the subsidies available on the federal exchanges,
analysts believe that only the sickest patients will be willing to buy
coverage and healthier patients will exit the insurance pool," she
wrote. "As a result, insurance premiums could skyrocket for everyone
else who remains on the federal exchanges-what's known in policy circles
as an insurance 'death spiral'."

Experts say such a "death spiral" could jeopardize the entire law by driving up costs and making the marketplace unstable.

According to critics of the legal challenge, including The Nation magazine's Katrina vanden Heuvel, that's what Obamacare opponents like the Koch Brothers have been aiming for all along.

"The Kochs and their affiliated groups spent vast sums to try to
stop the Affordable Care Act from passing in the first place; to unseat
those that backed the law over the course of several election cycles;
and more recently, to stymie the law's implementation," vanden Heuvel wrote on Monday. "And the influence of the Koch network pervades nearly every part of the challengers' case in King v. Burwell."

In fact, "much of the financial and legal muscle behind King v.
Burwell directly traces back to Koch Industries," vanden Heuvel
continued. "The petitioner might be 'King' in body, but it's Koch in
heart, mind, spirit-and bank account."

According to Physicians for a National Health Program (PNHP), which advocates for
an expanded Medicare-for-All or single-payer health insurance system,
all of this legal complexity could have been avoided if the ACA was not
written to accommodate the private health insurance industry and other
corporate, profit-oriented interests. PNHP argues that Obamacare's
complexity results in legal weakness, but that a single payer system
would be simple: everyone in the U.S. would be covered for all medically
necessary care in a single program financed by equitable taxes.

"The King v. Burwell case is yet another reason to swiftly move
beyond the failing ACA to a simpler, publicly financed,
improved-Medicare-for-All system," said Dr. Robert Zarr, a Washington,
D.C.-based pediatrician and president of PNHP. "Such a system would
cover everyone, make care affordable, and control costs. Based on our
experience with the Medicare program and the experience of other
nations, we know it will work. It's the only moral and fiscally
responsible thing to do."

Keystone Pipeline Veto Override Fails In Senate
By  Morgan Winsor, International Business Times

March 04 2015 4:40 PM EST

The Senate fell five votes short of the 67 votes or two-thirds majority needed to overrule a presidential veto. According to the Hill,
eight Democratic senators broke with Obama and voted with their GOP
colleagues: Heidi Heitkamp of North Dakota, Mark Warner of Virginia,
Claire McCaskill of Missouri, Bob Casey of Pennsylvania, Michael Bennet
of Colorado, Tom Carper of Delaware, Jon Tester of Montana and Joe
Manchin of West Virginia.

Manchin reportedly said the United States eventually will have to
find a way to bring the oil to the country. "This is going to come
back," he told the Washington Times Wednesday.

The same eight Democrats also voted to approve the $8 billion project in January, when the measure passed in the Senate with 62 votes and in the House with 270 votes before meeting Obama's veto in the Oval
Office. It's the third veto of his presidency but the most significant
so far, the New York Times reported.

US ambassador to South Korea slashed with razor by political extremist
by Justin McCurry, The Guardian

Thursday 5 March 2015 02.35 EST

Lippert, who became Washington's envoy in the
South Korean capital in October 2014, was taken to hospital with cuts to
his hand and face after the attack on Thursday morning. Officials said
his injuries were not life-threatening.

His assailant, identified by police as 55-year-old Kim Ki-jong,
carried out the attack while Lippert, 42, was attending a breakfast
function at the Sejong Cultural Institute in the city centre of the
South Korean capital.

...

Kim reportedly condemned joint military exercises being held by
South Korea and the US, and called for the immediate reunification of
the Korean peninsula. Social media pictures showed a blood-spattered
tablecloth in front of the chair where Lippert had been seated.

As Darren Wilson Walks Free, DOJ Reveals Blatant Racism at Ferguson Police Department
by Lauren McCauley, Common Dreams

Wednesday, March 04, 2015

The federal investigation of Ferguson's records from 2012 to 2014, the results of which were leaked to the press ahead of the formal announcement, found that although
African Americans make up only 67 percent of the population, they
constituted a highly disproportionate number of arrests. According to
the probe, black citizens accounted for 93 percent of total arrests, 96
percent of people arrested in traffic stops solely for an outstanding
warrant, 95 percent of jaywalking charges, 94 percent of
failure-to-comply charges, and 92 percent of all disturbing-the-peace
charges.

Further, the probe found that in 88 percent of the cases in which
Ferguson police used force, it was against African Americans, while all
14 instances of police dog bites also involved black citizens.

The report also uncovered at least three internal emails that
displayed blatant racism. According to the documents, in one instance a
personnel member suggested that an increase in abortions by African
American women would lower crime, while another email contained a
cartoon depicting African Americans as monkeys.

Police killed more than twice as many people as reported by US government
by Tom McCarthy, The Guardian

Wednesday 4 March 2015 11.28 EST

The first-ever attempt by US record-keepers to
estimate the number of uncounted "law enforcement homicides" exposed
previous official tallies as capturing less than half of the real
picture. The new estimate - an average of 928 people killed by police
annually over eight recent years, compared to 383 in published FBI data -
amounted to a more glaring admission than ever before of the
government's failure to track how many people police kill.

The revelation called into particular question the FBI practice of publishing annual totals of "justifiable homicides by law enforcement" - tallies that are widely cited in the media and elsewhere as the most accurate official count of police homicides.

The new estimates added crucial framing to a criminal justice
crisis in the US that was coming into sharp focus this week. A Justice
Department report expected to be published on Wednesday exposed serial civil rights abuses by police in Ferguson, Missouri. On Monday, the president's taskforce on policing issued recommendations for better data collection as part of a call for top-to-bottom criminal justice reform.

...

The president's warning of a national blind spot on police killings
significantly amplified growing calls for policing reforms and for a
revolution in crime statistics. Yet Obama did not, perhaps, capture just
how bad the information was that the country has been working with. Independent tallies had previously indicated that the FBI's "justifiable homicide" counts
were flawed. But until recently, the FBI discouraged challenges to its
numbers, insisting that they were carefully audited - and pointing out
that the bureau, in any case, was required by law to publish them.

Tuesday's bureau of justice statistics (BJS) report, produced in collaboration with RTI International,
the research institute, explodes the notion - if its findings are
accurate - that the figures the FBI publishes annually are anything
other than hugely misleading.

New report shows widespread police discrimination against LGBT communities
Reuters

04 Mar 2015 at 17:30 ET

LGBT people of color and members of the
transgender community were most targeted by police officers, according
to a report produced by the Williams Institute at the UCLA School of
Law. The study drew data from various recent national surveys, court
cases and anecdotal evidence.

Forty-eight percent of LGBT victims of violence polled in a 2013
survey reported experiencing police misconduct, the UCLA report said.
Nearly half of transgender respondents in another national survey said
they felt uncomfortable seeking police assistance.

...

Law enforcement in the United States has a history of mistreating
the LGBT community and discrimination and harassment continue to be
pervasive, the report said.

Survey data, as well as individual testimonies and anecdotes,
analyzed in the UCLA survey indicated how discrimination and abuse by
police officers led to a weakening trust in law enforcement within the
LGBT community and resulted in fewer crimes being reported to the
authorities.

Major unions expected to stay neutral in tight Chicago mayoral run-off election
Reuters

04 Mar 2015 at 17:58 ET

Garcia's surprisingly strong showing in a first
round of voting on Feb. 24 prompted some big unions to see him as a
viable challenger to the well-funded Emanuel and to rethink their
neutral stance in the race for mayor of the country's financially
troubled No. 3 city.

...

The American Federation of State, County and Municipal Employees, or
AFSCME, has decided to remain neutral in the April 7 runoff election,
while a raucous disagreement over the mayor's race between two large
locals of the Service Employees International Union, or SEIU, may also
end in a non-endorsement.

...

Garcia has raised only about $1.5 million, mostly from SEIU
Healthcare and from the Chicago Teachers Union. The teachers clashed
with Emanuel over school closures and briefly struck early in Emanuel's
first term over retirement benefits.

Newly Unveiled Texas School 'Reform' Proposals In Step With Right-Wing Agenda
by Deirdre Fulton, Common Dreams

Wednesday, March 04, 2015

Following a national trend, Texas Senate leaders
this week announced an ambitious and ideologically driven
education-reform agenda, which critics say is aimed at undermining
public schools and advancing privatization.

...

The package garnered high praise from the wealthy Texans for Education Reform, an advocacy group accused of wanting to "drain money from public schools for more privately
operated charter schools and online virtual learning, which offer
opportunities for more enrichment in the entrepreneurial community, not
opportunities for enriching the learning opportunities of thousands of
Texas school children."

The deep-pocketed organization grew out of the influential Texans for
Lawsuit Reform, a conservative, ALEC-linked business group responsible
for laws that have effectively prevented consumers from seeking damages
from corporations.

"The Taylor-Patrick agenda is a grab-bag of failed ideas cribbed from the ALEC playbook," Diane Ravitch declared in an op-ed Wednesday. "None of them has been beneficial to students or successful anywhere."

The Texas State Teachers Association (TSTA), affiliated with the
National Education Association, the state chapter of the American
Federation of Teachers, and the Association of Texas Professional
Educators all came out against the package of bills.

"None of the proposals offered by Senator Taylor and the
Lieutenant Governor would give teachers and students the time and
resources they need to improve teaching and learning," said TSTA
president Noel Candelaria. "The Taylor-Patrick agenda fails to meet the
needs of 5 million public school students whose schools have been
inadequately funded by the very legislators who are eager to declare
schools a failure based on standardized test scores. Educators want
legislators to demonstrate a genuine commitment to strengthening
neighborhood public schools instead of handing them over to outsiders
who have no direct stake in our students' success."

Blogs

Bonus Video
