The Market Ticker
Commentary on The Capital Markets- Category [Technology]

I was wondering when law enforcement was going to start doing its damn job.

A legal storm is building after a D.C. judge ordered a web hosting company to give the government a broad swath of data about individuals connected to an anti-Trump website despite arguments that doing so would impinge on their First Amendment rights and stifle online political discourse.

At a hearing Thursday morning in D.C. Superior Court, Chief Judge Robert E. Morin insisted he would put restrictions on how the government reviews the material in order to protect those rights. The government must disclose to the court who will search the material and what process they will use. They must also develop a plan to minimize the search of material unrelated to criminal activity.

You have a First Amendment right to speak.

You do not have a First Amendment right to riot, engage in vandalism or otherwise conduct criminal activity and coordinating, bragging, or announcing intent to do so on the Internet is direct and admissible evidence of intent and thus not only can be used to evidence guilt in an instant case it can also be used to support a charge of conspiracy, mob action, racketeering or similar crimes which involve the coordination of actions by multiple people.

When I ran MCSNet we quite routinely got subpoenaed for various information; there was not one instance in which I considered the subpoena to be worthy of fighting.  That's not to say there couldn't have been one during that time, just that it never happened in my experience.

This particular issue, in my opinion, falls into the "give it to them" category.  It's clear that the people in question coordinated and communicated using this system and then went on to commit criminal activity; there are 200-odd said people who are currently charged and in the dock. 

As such this is not a fishing expedition (which I would oppose); it's aimed directly at the prosecution of said people.

So yeah, folks, if you're going to do illegal things it's a bad idea to do it online where there is virtually always a record kept.  In fact on the blog here said records are kept for routine business and operational reasons (e.g. interdicting spam, etc) and if subpoenaed such a demand certainly looks both reasonable and lawful to me.

What I find even more-amusing are the claims that encrypted communications or acts (e.g. Bitcoin) make one secure.  The exact opposite is in fact true; an encrypted communication is by definition admissible evidence because it is mathematically impossible for it to be emitted by anyone other than the keyholder; ergo, unless your key is stolen the fact that such a transmission exists and verifies against your public key means you sent it, period.  When it comes to things like Bitcoin it's even more-amusing because the conclusive, admissible evidence is intentionally published to the world on an irrevocable basis and thus it is absolutely able to be tied to whoever holds that private key half forever into the future.  If whatever that transaction evidences is illegal and that key have can be tied to you at any point in the future you're done.

The contents of an encrypted conversation may well be secret but who emitted it and that it has not been altered is knowable as an absolute, mathematically-provable fact.

You're not anonymous on the Internet, especially when you use encrypted protocols.

Ever.

Period.

View this entry with comments (opens new window)
 

2017-09-12 07:00 by Karl Denninger
in Technology , 473 references
[Comments enabled]  

It was a nice idea; unfortunately it's crippled in its effectiveness by the lax polices and zero accountability of the cell carriers.

Hackers have discovered that one of the most central elements of online security — the mobile phone number — is also one of the easiest to steal.

In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile U.S., Sprint and AT&T and asking them to transfer control of a victim’s phone number to a device under the control of the hackers.

Once they get control of the phone number, they can reset the passwords on every account that uses the phone number as a security backup — as services like Google, Twitter and Facebook suggest.

What do the carriers think about this?  Nothing.

See, it typically doesn't take one such attempt, because most of their agents will follow protocol and refuse without you in some way verifying who you actually are -- such as by using a PIN number you put on the account, and which the thief doesn't know.

So why is it that these guys get dozens or even hundreds of bites at the apple?

See, that's the problem, and it's an intentional problem.  In other words the cell companies could trivially log the number of bad attempts -- when you call into the company asking them to do something and don't know the password their call management software could increment a counter and after some reasonable number of failed tries in some period of time, say three, it would then require you to go to a physical store and present positive identification.

But nope, as is shown here:

Adam Pokornicky, a managing partner at Cryptochain Capital, asked Verizon to put extra security measures on his account after he learned that an attacker had called in 13 times trying to move his number to a new phone.

Verizon should be put out of business for this, and so should the rest of the cellular carriers.

One or two wrong responses is one thing -- yes, people forget, or they use a couple of different PINs and they get the wrong one the first or second time.

Thirteen times?  No, that's quite-obviously attempted fraud and not only did Verizon not lock his account against those repeated attempts after a rational number of failures to authenticate they didn't call him either nor did they follow their own rules despite being warned in advance that his account was under attack!

There's utterly no reason to allow this sort of horse**** to go on, but just like all the other scams of the day utterly nobody at the telcos will be held accountable for what amounts to being an accessory before the fact to grand theft.  The CEO of the jackwad firm deserves to have the entire loss taken out of his ass -- sideways.

Firms that intentionally ignore repeated hack attacks on a customer's account and not only fail to stop them they also fail to notify the customer that they're under attack need to be held financially and criminally responsible for the harm that ensues.

View this entry with comments (opens new window)
 

Folks, let's make this easy.

Everyone wants to talk about how Podesta's email was penetrated, or the rest of the DNC, or that the RNC, allegedly, was not.

All the screamers are (still) out about  "Russia" and similar.

Let me restate -- while Podesta's email was apparently broken into via a "spearfishing" email (one with a reset password link embedded in it that didn't go to the real site, but rather to the person who was trying to steal) and which he was dumb enough to click and then provide his current password the real issue here isn't about this sort of attack at all.

The real issue is about the idiocy of such "email" systems or the use of any other sort of cloud provider for anything secure in the first place.

Let me explain.

I run my own email here.  It would be trivial for me to lock it down so that even if you stole my password it would be worthless.

How?

Simple, really.  You see on the same network I have a VPN gateway that does not accept passwords at all.  It only accepts a certificate.  Such a SSL certificate is (nominally) intended to sign and encrypt private emails, and can also be used as a secure identifier for a VPN.  It is, effectively, the same thing a server uses to secure web communications but with a different set of "intended use" flags set (client authentication and digital signature rather than SSL server authentication.)

All I'd have to do is change the configuration on the email system slightly so that only accesses that came from connected VPN clients could connect at all.

Now you'd have to steal a device and if you did, it would only work until I knew it was stolen (and revoked the key.)  No other means of getting in would work even with the password.

It is literally a 15 second configuration change on my Dovecot and Exchange servers to do this, and it would not impact my ability to exchange email with others one bit.

Modern smartphones (including Android, IOS and BlackBerry 10 handsets) can all use these certificates for an IPSEC/IKEv2 connection.  Such a connection can be "nailed" open as well, active even on cellular, or activated "on demand" by the user.  Modern commercial and freely available operating systems (Windows 7/8/10, MacOS, Linux and FreeBSD) can also use same.  Doing so positively encrypts all traffic coming into or leaving said device.

Such a system is extremely secure because only authorized devices, secured with a cryptographic key loaded on them, can see the service in question.  An unknown key is refused by the VPN gateway as is one that has been revoked. Only trusted certificates (which are loaded on the host in a certificate store) can connect.  I use this facility with other services here at Ticker Central so I can have my laptop with me and use it "as if I was at home" even from half the world away on an insecure, or even known to be monitored data link.

The only way to get packets onto the "private" network from the outside and thus be able to "see" the email store is to connect to the VPN and establish a tunnel and the only way to do that is to have a trusted certificate on the device in question.  No certificate, no connection, no access, password or no password -- period.

This sort of facility is essential if you intend to allow remote access to services that are themselves of questionable security (or worse) such as, for example, Windows file shares.

So why didn't the DNC do this?

Because it takes more than 30 seconds of thought to do it and in addition it means not using email providers like Google -- you have to do it yourself, in-house, or all these security steps are worthless since your certificates and such have to be where someone else, who is unvetted, can get at them.

In other words they were stupid, and so have been the others.  They chose the equivalent of an unlocked front door for their house, and then are surprised when someone walks in and takes all the beer out of the fridge.

Oh, and all the guns and money in the house too, along with the nice widescreen TV!

Just remember folks that these are the very same people who claim to be smart enough to run the country.

PS: All the cloud providers are unlocked houses.  Always. They have to be in order for a cloud service to work; it's not a choice, it's an inherent part of any public "cloud" architecture. Claims otherwise are like putting a 25 cent TSA lock on your suitcase and calling it "secure."  The reason you have not and will not see this discussed in the media, especially the "business media", is that the minute this fact reaches the level of general knowledge all of said "cloud providers" have their stock prices collapse.

View this entry with comments (opens new window)
 

2016-10-31 07:00 by Karl Denninger
in Technology , 298 references
 

Give me a break.

A task force of more than 30 major technology and communication companies said they have made progress but have not found a solution to eliminate "robocalls" or automated, prerecorded phone calls, but a top U.S. regulator urged faster action.

Throw some people in prison and you'll get their attention.  Yes, right here in the US, and yes, I'm talking about carrier executives.  Why?  We'll get to that:

Wheeler wrote major companies in July urging them to take new action to block robocalls, saying it was the top source of consumer complaints at the FCC. Scam artists often times based abroad try to appear to call from a bank or a government phone to trick consumers into disclosing confidential financial or account information.

How do they "appear" to call from a bank or government phone when they're not in the United States?

Ah, now see, there's the fraud and the US carriers are complicit in it.

Along with a call setup request (from one carrier to another) comes some information, which includes the "originating" number.  The carriers do exactly nothing to validate that for other than 800 (free to calling party) numbers.

But they could very trivially prevent, for example, foreign calls from appearing with US numbers.

How?  Refuse to route a call that comes from the UK unless the "originating" number is in the correct format including the country code prefixfor example.

That would stop instantly any of these calls that are originating outside of the United States.

As for those within the United States the FCC has jurisdiction, and can require that one of two things be the case:

1. The "originating" number be the actual originating number.  This will be the appropriate setting for all individual lines; simply do not allow an overridden number from a consumer account -- period.

2. For those that are overridden require, under penalty of law, that the party overriding accept both civil and criminal legal responsibility for the authenticity of their override under existing criminal fraud statutes.

There are very good reasons to allow such an override on outbound calls.  For example, at MCSNet we had outbound trunks that were all "rolled up" into high-capacity circuits (at the time DS1s); each of those trunks had a "real" phone number, but it was unpublished.  We then had DID mapping for certain people who needed "private lines" and in addition we had our "main" number (312) - 803-MCS1 that would ring into the PBX on the next available trunk in the group.  If you dialed out from our PBX those trunks (set up for bidirectional signalling) were configured to show 312-803-MCS1 as the "originating" number even though technically it was not.  That's fine, because we owned the originating number, it was "real", and it really was our number.

It would not be difficult at all to require that all such entities that purchase service from a telco provider in the United States and wish to provide "originating number" overrides do so under a contractual requirement, carrying criminal criminal penalties for lying, that any such number they put through be truthful and belong to the actual originating party of the call.

If you were to do this and at the same time hold carriers criminally responsible for accepting "foreign" calls that have originating numbers that violate the country code format of the originating nation, a software check they could easily implement, this problem would disappear instantly.

Of course there are "telco providers" (such as the SIP folks) that would scream about such a requirement -- but let's face reality here.  Enabling fraud as a business model makes you an accessory before the fact and recognizing that along with appropriate criminal sanction would go a long way to draining this swamp -- quickly and permanently.

Instead we "accept" a bunch of handwaving nonsense that comes from the FCC and various telcos.

View this entry with comments (opens new window)
 

Public cloud computing, that is, computers at a remote location you do not own but lease space on, which have a hypervisor and clients running under it where you do not have complete, 100% control of said hypervisor are not secure.

If you have allegedly "encrypted" data there that is accessed, modified and used on said machine then the key to decrypt said data must also be on the machine and unprotected so it can be used.  If that is the case it can be trivially stolen since the hypervisor has complete access to all of the memory and disk resources of the client process and once stolen any pretense of security vanishes like a fart in the wind.

This is the lesson of the Wikileaks "Podesta" and related hacks.  It is not that Russia was involved (or not), it is not whether the "hack" was criminal, it is nothing of the sort.  It is that many of these people had their data (email in this case) on a public cloud environment and said environment was trivially broken into and the data stolen within minutes of being targeted.

The media and "business channels" have not and will not talk about this underlying fact for the simple reason that a huge percentage of the current market bubble is being driven and sustained by these so-called "innovations" and what they've done to market valuation.

This is continually claimed to be the "future" of corporate computing, but if you follow this road, embrace this path, and do so with data that needs to be secure then this is what's coming to you the moment your data is specifically targeted, whether you like it or not.

View this entry with comments (opens new window)
 

Main Navigation
MUST-READ Selection:
A One-Sentence Bill To Force The Health-Care Issue

Full-Text Search & Archives
Archive Access
Legal Disclaimer

The content on this site is provided without any warranty, express or implied. All opinions expressed on this site are those of the author and may contain errors or omissions.

NO MATERIAL HERE CONSTITUTES "INVESTMENT ADVICE" NOR IS IT A RECOMMENDATION TO BUY OR SELL ANY FINANCIAL INSTRUMENT, INCLUDING BUT NOT LIMITED TO STOCKS, OPTIONS, BONDS OR FUTURES.

The author may have a position in any company or security mentioned herein. Actions you undertake as a consequence of any analysis, opinion or advertisement on this site are your sole responsibility.

Market charts, when present, used with permission of TD Ameritrade/ThinkOrSwim Inc. Neither TD Ameritrade or ThinkOrSwim have reviewed, approved or disapproved any content herein.

The Market Ticker content may be sent unmodified to lawmakers via print or electronic means or excerpted online for non-commercial purposes provided full attribution is given and the original article source is linked to. Please contact Karl Denninger for reprint permission in other media, to republish full articles, or for any commercial use (which includes any site where advertising is displayed.)

Submissions or tips on matters of economic or political interest may be sent "over the transom" to The Editor at any time. To be considered for publication your submission must include full and correct contact information and be related to an economic or political matter of the day. All submissions become the property of The Market Ticker.