AR15.com update

If you are a regular visitor to ARFCOM you probably already know this. But I got some email from someone a little behind the times, so I thought I would update everyone here on the story of the GoDaddy deplatforming of AR15.com. Originally I thought GoDaddy was the hosting provider (as they are for this blog) for AR15.com. Hence when I looked up their current, and functional, IP address and found it belonged to Amazon I was concerned they hadn’t taken as big a leap as necessary to escape the purge.

I was wrong. GoDaddy was only the domain registrar. It’s a lot easier and cheaper to get your domain registered than it is to change your hosting provider. They quickly changed their domain registrar (to Epik, the same as Gab) and were up and going again quickly.

It is claimed they have backup plans for other possible issues such as losing their hosting provider.

ARFCOM NEWS has all the details:

Quote of the day—Michal Kosinski

Ubiquitous facial recognition technology can expose individuals’ political orientation, as faces of liberals and conservatives consistently differ. A facial recognition algorithm was applied to naturalistic images of 1,085,795 individuals to predict their political orientation by comparing their similarity to faces of liberal and conservative others. Political orientation was correctly classified in 72% of liberal–conservative face pairs, remarkably better than chance (50%), human accuracy (55%), or one afforded by a 100-item personality questionnaire (66%).

Michal Kosinski
January 11, 2021
Facial recognition technology can expose political orientation from naturalistic facial images
[Via Stanford Scientist Can Tell If You’re A Liberal Just By Looking At Your Face

I have often thought I could tell the difference between gun people and anti-gun people just by looking at pictures of them. Self defense instructor Greg Hamilton believes, and teaches, something similar.

The research paper cited above is saying that such a thing is possible.

Now just imagine what big tech/government could do with this technology.

We live in interesting times.—Joe]

East Germany had to assign real people

Via email from Chet (who worked with me at Microsoft on the location services for Windows Phone 7):

It is Big Tech that knows more about you than your spouse and that if they so choose could make your life miserable. As I discussed many times when we were working on location, carrying a device is like having a private detective assigned to you. Fitbit is just another source.

In East Germany they at least had to assign real people. Now, everyone can be tracked and monitored in real time without lifting a finger.

We have invented the tech that will enslave us.

This was in response to an announcement that Fitbit is now officially a part of Google.

He has a point.

But there is another point to be made as well. Intelligence sources, which your phone is, can be manipulated to your own advantage.

If your cell phone location is proof you were at some location then doesn’t your phone not being at some location prove (or at least represent evidence) you weren’t there?

Quote of the day—Kevin Maxwell

In my legal opinion the Rare Breed Triggers FRT is a perfectly legal, semi-automatic, drop-in trigger. And my opinion is further supported by the opinions of whom I believe to be two of the most significant subject matter experts in the industry.

Rare Breed Triggers FRT – Full Video from RARE BREED TRIGGERS on Vimeo.

Kevin Maxwell
December 2, 2020
[As Greg said in a private post on Facebook:

pretty genius, I doubt it will last long on the market.

If you’re into this type of fun then get them while they last!

FRT is an acronym standing for “Forced Reset Trigger”. And that tells you all you need to know to have your giggle box kicked over.

We live in interesting times.—Joe]

Quote of the day—Brad Smith

As much as we appreciate the commitment and professionalism of so many dedicated public servants, it is apparent to us that the current state of information-sharing across the government is far from where it needs to be. It too often seems that federal agencies currently fail to act in a coordinated way or in accordance with a clearly defined national cybersecurity strategy. While parts of the federal government have been quick to seek input, information sharing with first responders in a position to act has been limited. During a cyber incident of national significance, we need to do more to prioritize the information-sharing and collaboration needed for swift and effective action. In many respects, we risk as a nation losing sight of some of the most important lessons identified by the 9/11 Commission.

One indicator of the current situation is reflected in the federal government’s insistence on restricting through its contracts our ability to let even one part of the federal government know what other part has been attacked. Instead of encouraging a “need to share,” this turns information sharing into a breach of contract. It literally has turned the 9/11 Commission’s recommendations upside down.

Brad Smith
December 17, 2020
A moment of reckoning: the need for a strong and global cybersecurity response
[Free markets have their faults. But if you want something really messed up then have a government do it. Why else do you think they are so good at war? You send your government to some other country and they mess up that country.—Joe]

Quote of the day—Ida Auken

Welcome to the year 2030. Welcome to my city – or should I say, “our city”. I don’t own anything. I don’t own a car. I don’t own a house. I don’t own any appliances or any clothes.

It might seem odd to you, but it makes perfect sense for us in this city. Everything you considered a product, has now become a service. We have access to transportation, accommodation, food and all the things we need in our daily lives. One by one all these things became free, so it ended up not making sense for us to own much.

All in all, it is a good life. Much better than the path we were on, where it became so clear that we could not continue with the same model of growth. We had all these terrible things happening: lifestyle diseases, climate change, the refugee crisis, environmental degradation, completely congested cities, water pollution, air pollution, social unrest and unemployment. We lost way too many people before we realised that we could do things differently.

Ida Auken
November 11, 2016
Here’s how life could change in my city by the year 2030
[Auken also says:

Author’s note: Some people have read this blog as my utopia or dream of the future. It is not. It is a scenario showing where we could be heading – for better and for worse. I wrote this piece to start a discussion about some of the pros and cons of the current technological development. When we are dealing with the future, it is not enough to work with reports. We should start discussions in many new ways. This is the intention with this piece.

The “devil’s in the details” as they say. If you think about it just a little bit you realize it isn’t even possible. A few examples:

  • Auken’s statements are self-contradictory. Everything is free? Then what is “employment” about? They claim, “It is more like thinking-time, creation-time and development-time.” Do they get paid for this or not? If yes, then who are the consumers and do they pay for the products and/or services? If they don’t get paid, then what is their motivation to produce a product and/or service someone is interested in using?
  • They don’t explicitly say this but it’s implied that all the services are supplied by artificial-intelligence/robots. So what of crime control? Even if one were to concede there was no physical need for sustenance, shelter, entertainment, etc. there will still be crimes of violence. Conflicts over relationships, insults, broken agreements, etc. Who pays for the cops, lawyers, judges, and prisons? Keep in mind that in a place where everything is free fines are meaningless.
  • Accommodations are not all equal. Who gets the penthouse overlooking the ocean and who gets the street view of the recycling center? They’re both free you know.
  • They don’t own anything, really? Not even clothes they say. Yet, I just demonstrated that a claim on quality of accommodations is going to occur. What about the dress they were married in? Or the food they ordered which just arrived from the robot pizza joint down the street? And what of the food they made themselves? Or the photographs they took, the art object they made, the diary they kept, or the book they wrote?

There will always be markets with sellers and buyers of property. They may be black markets in a time and place where thugs attempt to create a utopian world of free everything and equality for all, but markets will always exist.

Auken’s vision is not one of “for better or worse”. It’s one of reality or delusion.—Joe]

Dystopian plot point is reality

On a recent trip to Idaho I listened to the book Alongside Night (and from Audible):

It’s the near future and America is in trouble. Hyperinflation and disorder reign in the towns and cities of the nation.

Alongside Night tells the story of Elliot Vreeland, son of Nobel Prize-winning economist Dr. Martin Vreeland. When his family goes missing and while being shadowed by federal agents, Elliot, with the help of his mysterious companion Lorimer, explore the underground world of the Revolutionary Agorist Cadre to rescue them. It’s a story of romance, intrigue, action, adventure, and exhilarating science fiction thrills.

The original copyright is 1979. This explains the existence of phone booths in the book. One of the novel and interesting (to me) plot points was the existence of a special code certain government people could use to make phone calls even though communication services for the average person were shut down by the tyrannical government.

I didn’t realize it was created by President Kennedy by a Presidential Memorandum on August 21, 1963, was extended to wireless services, and still exists.

A security story

My job is computer security. My job, among other things, is to think like a bad guy and then prevent security breaches and/or catch them soon after they have begun executing their “kill chain”. Most people, even many very smart people, do not have the capacity to think like a bad guy. I have a real life story to illustrate.

Just because this is computer security don’t think this isn’t relevant to current events of vital importance to the entire nation. I’ll tie it all together before the end.

Please do not assume this happened at the company I work for. I have contacts with many other people in the security industry. We often share stories. Sometimes this story sharing is to warn others of how clever the bad guys are and how they succeeded or almost succeeded. Other times stories are shared about how mind bogglingly stupid and numerous some of the mistakes were in the implementation of a computer network system.

This story is about how stupid and numerous the mistakes were.

The type of business and other potentially identifying aspects of the story have been changed to protect the guilty. But the critical aspects of the story are true.

The company penetration testers were asked to test a tool used by customer facing employees. This tool allowed employees to assist the customers with their business with the company. It gave the employees access to personal information about the customer. The personal information access was required for the employee to do their job. The tool had been “released to production” months before the penetration testers (and apparently any other security professionals) took a look at things.

A simplified view of the tool architecture looked something like this:

[architecture diagram]

Database Servers A & B are the only servers applicable to the Customer Assist Tool. The other Database Servers are for other web applications unrelated to the Customer Assist Tool.

Everything from the Load Balancer up was Internet facing. It wasn’t originally designed that way. Originally everything seen in this diagram was inside the corporate network. But because of COVID they had “reasons” and they changed the design so employees working from home could easily access the Customer Assist Tool.

The Internet facing Customer Assist Tool required a company network username and password. The Load Balancer did not. The Load Balancer accepted connections from anyone on the Internet. The Database Servers did not require any security tokens or login. Anything coming from the Load Balancer was considered valid.

The penetration testers didn’t bother trying to do a brute force attack on the login to the Customer Assist tool. They connected directly to the Internet facing Load Balancer and sent queries to the Database Servers. If they knew just a tiny bit of unique public information about the customers, say an email address, phone number, street address, or Social Security Number, they could then get access to extremely personal information from the database.

The penetration testers sounded the ALL HANDS ON DECK alarm. The incident response people (IR) showed up.

The software developers (SDs) of the system were brought into the virtual room and told this is a really big problem. Except for biologically required breaks you’re not leaving the room until this is fixed.

SDs: “We don’t see why this is such a big deal. Someone would have to know the URL for the load balancer. And the only people that might know it are the users of the tool. And we don’t think very many, if any of them are smart enough to figure it out.”

IRs: <blink><blink> “The penetration testers figured it out. And the bad guys out there do this sort of stuff all the time. It’s how they make their money. I’m not going to waste our time explaining this to you. Fix the problem. NOW!”

The IRs then asked how far the logs go back, “You do have logs, right?” The software developers assured the IRs they had logs. The logs went back 90 days. There probably were a few days of missing traffic between when the system was released to production and the oldest log files but most of it was there.

IRs: “Okay, good. We can find out if there was actually any customer information lost.”
SDs: “Oh. You want logs for that? We just log activity at the Customer Assist Tool Web Application. The penetration testers, and any bad guy activity, won’t be in those logs.”
IRs: “Okay…. are there ANY logs on the database servers?”

The SDs go looking and find there are generic web logs available that go back to the beginning of the release to production. The IRs looked at the logs for a few seconds and realized the IP addresses of all the requests are of the Load Balancer. There is no indication of the origin of the request. Requests from the Customer Assist Tool are indistinguishable from a request from anywhere else on the Internet.

What about load balancer logs? Maybe. But they don’t go back very far. And if they do exist, all the data is intermixed with the other web applications and other Database Servers.

Within a few hours the SDs have a fix.

IRs: “Tell me about your fix.”

SDs: “The login credentials of the employee used to login to the Customer Assist Tool are passed to the Database Server which validates the credentials before responding.”

IRs: “Okay, we should improve upon that, but maybe that will be good enough that we don’t have to shut down the application until a permanent fix is in place. But that’s a question for our VPs to discuss. Oh, by the way, how many employees do you have authorized to use this tool?”

SDs: “Uhhh… all company employees can use this tool.”

IRs: <blink><blink> “Everyone in the company? Really?” <IRs go to the tool and verify they have access>

SDs: “Yes. If someone improperly used the tool to gain access to customer information when they weren’t supposed to they could be caught and could lose their job. Therefore the customer information is safe from misuse.”

IRs: <some facepalm><others bang their heads against the wall> “This is a large company. There are thousands of employees. Anyone on the Internet can find valid company credentials in five minutes or less. We disable hundreds of accounts per week as we find credentials on the web ourselves.”

SDs: <blink><blink>

The story goes on but the important part is that the SDs, not stupid people, made a ton of errors. These errors started with not getting a security professional in the room when they changed the design. The errors compounded dramatically from there.

They had a world view much different than the bad guys and the security professionals. Things which could not even be imagined by the SDs were child’s play to the penetration testers and the IRs.
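To make the story’s failure modes concrete, here is an added example (constructed for this post; it is not code from the company or from the SDs): a small Python model of the client → Load Balancer → Database Server path. The “before” handler mirrors the story (anything arriving from the load balancer is accepted, and the log holds only the load balancer’s address), while the “after” handler is my own hardened version rather than the SDs’ fix: it checks a per-request HMAC tag under a secret shared with the tool instead of forwarding the employee’s password, enforces an authorization list instead of “all company employees”, and logs the originating address the load balancer forwards. All addresses, user names, the secret and the query are constructed.

```python
from dataclasses import dataclass, field
import hashlib
import hmac

# Constructed values for the model (not from the original post).
LB_ADDR = "10.0.0.5"                      # load balancer as seen by the database server
SECRET = b"constructed-shared-secret"     # shared by the Customer Assist Tool and the DB server
AUTHORIZED = {"agent42"}                  # employees actually authorized to use the tool


@dataclass
class Request:
    client_addr: str                      # address the connection really came from
    query: str
    headers: dict = field(default_factory=dict)


def load_balancer(req: Request) -> Request:
    """Forward a request to the database server. The LB overwrites X-Forwarded-For
    with the address it observed, so a caller cannot spoof its own origin."""
    fwd = Request(LB_ADDR, req.query, dict(req.headers))
    fwd.headers["X-Forwarded-For"] = req.client_addr
    return fwd


def db_server_before(req: Request, log: list) -> bool:
    """The story's original design: anything arriving from the LB is considered valid,
    and the generic web log records only the LB's address. Returns True = PII released."""
    log.append(f"{req.client_addr} {req.query}")
    return True


def sign(user: str, query: str) -> str:
    """Per-request tag the tool attaches instead of forwarding the employee's password."""
    return hmac.new(SECRET, f"{user}\n{query}".encode(), hashlib.sha256).hexdigest()


def db_server_after(req: Request, log: list) -> bool:
    """Hardened handler: verify the tag, enforce the authorization list, and log the
    origin the LB forwarded so tool traffic and direct Internet traffic can be told apart."""
    user = req.headers.get("X-Tool-User", "-")
    tag = req.headers.get("X-Tool-Auth", "")
    origin = req.headers.get("X-Forwarded-For", "unknown")
    ok = user in AUTHORIZED and hmac.compare_digest(tag, sign(user, req.query))
    log.append(f"{origin} via {req.client_addr} user={user} "
               f"{'ALLOW' if ok else 'DENY'} {req.query}")
    return ok


def run(handler) -> tuple:
    """Replay three callers through the LB: the tool acting for an authorized employee,
    a direct connection from the Internet (what the pentesters did), and the tool acting
    for an employee whose valid company credentials are not authorized for this tool."""
    log: list = []
    query = "lookup email=alice@example.test"      # constructed lookup
    tool = Request("203.0.113.10", query,
                   {"X-Tool-User": "agent42", "X-Tool-Auth": sign("agent42", query)})
    direct = Request("198.51.100.7", query)
    other = Request("203.0.113.10", query,
                    {"X-Tool-User": "anyemployee", "X-Tool-Auth": sign("anyemployee", query)})
    results = tuple(handler(load_balancer(r), log) for r in (tool, direct, other))
    return results, log


def origin_attributable(log: list) -> bool:
    """True when no log line names the LB as the originating address, i.e. an
    after-the-fact investigation could tell tool requests from outside requests."""
    return all(not line.startswith(LB_ADDR) for line in log)


if __name__ == "__main__":
    for name, handler in (("before", db_server_before), ("after", db_server_after)):
        results, log = run(handler)
        print(name, results, "attributable:", origin_attributable(log))
        print("\n".join("  " + line for line in log))
```

With the “before” handler all three callers get the data and every log line starts with the load balancer’s address; with the “after” handler only the authorized tool request succeeds and each line records where it really came from.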

Now to tie this to current events. Our recent election.

Several courts reviewing the lawsuits claiming foul play have concluded the election was fair and honest or, at least, that there was insufficient evidence of widespread fraud to change the results.

As seen in the story above there are failure modes which not only allow unauthorized access/fraud but make it impossible to determine if such access/fraud occurred. Furthermore, unless someone is experienced in thinking like a bad guy they can honestly believe everything is “fair and honest” and be completely, totally, catastrophically, wrong.

I trust the courts to know their profession. I don’t trust them with security issues. I trust them to accurately assess the integrity of our election far less than the SDs could accurately assess the security of their system. The system they designed and built.

The legal professionals of the court did not design or build the election system. They did not evaluate the security after the (supposedly) COVID inspired changes were made from the viewpoint of a security professional. The original election security features had evolved over hundreds of years and thousands of people poking at it, finding faults, and attempting to prevent future fraud and errors. In the span of a few months a few people made changes which did not go through nearly as rigorous review as the pre COVID system.

I don’t know with a 100% guarantee that sufficient fraud occurred to change the election results. I do know, with 100% certainty, that many people were highly motivated to commit fraud. I do know, with 100% certainty, that some fraud occurred. I’m nearly certain the system in use has issues which make it impossible to detect fraud after the fact.

The bottom line to this is that anyone who says the election was fair and honest because the courts say it was is either lying or placing their trust in a body of people that don’t know anywhere near enough about security to make that call.

Facebook banishment

Last night I received a message from Barron:

Janelle and I just got permanently banned on FB. No possible appeal, no idea why.

And I mean at the same time. It was working for both of us this morning and then the traffic of me being gone started on the side channel. Janelle went to look and she was logged out and they said her account was disabled.

This is weird. It’s not like Barron and Janelle had followings which could change election outcomes. Nor were they advocating terrorist activities (although they do have three small boys which might be considered terrorists if you were sleep deprived and they were being particularly active).

So, what could be the motivation for their simultaneous banishment? I have to think it was some sort of political issue. But without additional data it’s tough to test that hypothesis.

It’s happening to others too.

Common Barrel Thread References

From Silencer Shop:

One question that has always been a mainstay in our most-questions-asked category is whether a specific silencer will fit a specific gun. With threading looking similar, and acronyms being thrown around like hot tamales, we understand your plight. As the suppressor industry grows, it seems thread pitch options have too.

While some thread pitches are more popular than others due to military use or it being made common by specific firearm manufacturers, the last thing you want to happen is to finally get your suppressor in and realize that it doesn’t match up with your host firearm’s threading.

The list that we are providing you is to serve as a reference for quickly locating how your barrel may be threaded. Remember that factory barrel threadings and after market threadings aren’t always the same.

Details, which are kept up to date, are here.

Google invasion of privacy lawsuit

This will be interesting to see how it plays out:

Google was sued on Tuesday in a proposed class action accusing the internet search company of illegally invading the privacy of millions of users by pervasively tracking their internet use through browsers set in “private” mode.

The lawsuit seeks at least $5 billion, accusing the Alphabet Inc unit of collecting information about what people view online and where they do their browsing, despite using what Google calls Incognito mode.

It’s really, really tough to be anything close to truly anonymous on the Internet these days. You can get close enough for all practical purposes but it takes a lot of effort and a certain amount of skill.

I think it should be much easier, and that Google is a huge part of the problem in achieving anonymity just further confirms my opinion that they are evil (also here and here).

I hope the lawsuit is widely successful and is applied, as needed, to other Internet privacy violators.

Truth

I was nearly finished with a 20 page paper (of sorts) on searching for bots in computer networks when I took a break and scanned the contents of my RSS feeds. This struck me as particularly timely and funny:

[comic image: garbage_math]

As I told my boss last week I was disappointed in the algorithms used in what is considered “state of the art” tools. I actually found a strong inverse correlation in the “scoring” of network traffic of highly suspicious traffic compared to clearly normal traffic. The higher scoring traffic should indicate high probability of the traffic being communication with a Command and Control Server (C2 Server) and lower scores with normal traffic. I easily found instances where just the opposite was true.

When I used synthesized data I could get the expected scoring results but real world data demands new detection algorithms. It looks to me like bot builders also do research. Existing algorithms appear to be essentially garbage.

Quote of the day—Lee Enfield

The FGC-9 enables everyday people all around the world to build a 9mm semi-automatic firearm, from start to finish, using a 3D printer and commonly available, unregulated materials. It’s specifically designed to be accessible to folks with minimal gun building experience, and avoids using parts commonly or easily restricted by law in the US and Europe. Anyone can build it, and no one can stop it.

In case there was any doubt about the political ideology here, you should know that the ‘FGC’ in the ‘FGC-9’ stands for “fuck gun control”.

Lee Enfield
March 31, 2020
The FGC-9 Fulfills the Promise of 3D Printed Guns
[Things have come a long way:

It’s not going to make the anti-gun people give up the fight and become normal humans. They will, as is always the case, continue to lie and double down on their failing objectives.—Joe]

Quote of the day—Lisa Vaas

We would be remiss were we to not point out what has been demonstrated time and time again: that Big Data can be dissected, compared and contrasted to look for patterns from which to draw inferences about individuals. In other words, it’s not hard to re-identify people from anonymized records, be they records pertaining to location tracking, faceprints or, one imagines, anuses.

Lisa Vaas
April 8, 2020
As if the world couldn’t get any weirder, this AI toilet scans your anus to identify you
[It’s a lot like most encryption*. Data is only “anonymized” in the minds of those doing the anonymizing. The right people, with a big enough dataset, and enough CPU cycles can deanonymize/decrypt it.

So, other than the obvious embarrassment of having pictures of your anus being featured in the next big data security breach, what is the worst way this technology could be abused?

It turns out that just like fingerprints and irises you can be uniquely identified by your anus. If all toilets were equipped with cameras and the data obtained by a totalitarian government it would become far more difficult to keep your location private. It would violate my Jews in the Attic Test.—Joe]


* There are exceptions. One-time-pads come to mind.