
Not a “Hack”

Last week, Apple publicly announced it would oppose a US court’s order to help the FBI hack into an encrypted iPhone. The details are complicated, and are covered elsewhere. In short, good on Apple.

But there is this great, bizarre statement in a subsequent motion where the government urges the court to force Apple to comply (p. 20):

[Image: Not a “hack”]

Basically, they take exception when Apple claims: “The government is asking Apple to hack our own users.” Really, says the government, this is no different than a software update. It’s no big deal. What the FBI requests is not a “hack.”

So now, the technical details of the court’s order: The FBI wants Apple to create a fake version of iOS. That fake operating system should disable the auto-erase security feature the user had enabled, and it should circumvent the phone’s hardware which enforces that security. The fake iOS should also disable the login attempt rate-limiting (another security feature). And the fake iOS should drop the requirement that passwords be entered manually, so the FBI can do some high-speed, automated password cracking. The software should then be cryptographically signed by Apple so the fake iOS won’t get blocked by a security chip designed to block fake upgrades. The fake iOS should then be loaded into RAM, and the phone should be tricked into running that instead of the legitimate iOS on disk (I’m not actually sure how to do that, but it probably involves tampering with a tamper-resistant bootloader).

This, says the government, is not “hacking” an iPhone.

For comparison, here are some things the government has claimed to be “hacking”:

  • Downloading too many files.
  • Visiting publicly accessible web pages by guessing the URL.
  • Downloading files by typing commands instead of using a mouse.
  • Pressing the touch screen buttons on a buggy video poker machine.
  • Sharing a username and password.

I don’t even

I encrypt everything with PGPgpPpgpGnuPG, I think.

Poking around my computer this morning, trying to set up gpg in some software. Or is it pgp? Wait, it’s GnuPG, which must be the same as gpg, which implements pgp, but no, cause I’ve got this other software that lets me pick if I want to use GnuPG or gpg, so they must be different, right? Or no…, that’s just confusing UI…, or… something….

And then I found that I can also install this Debian package called pgpgpg, which is a “Wrapper for using GnuPG in programs designed for PGP.” Don’t say it like “pgp – gpg.” It’s more fun to say like “pgPgpg,” or “pg-pg-pg.”

And it occurs to me how much I hate using pgp, or gpg, or pgpgpg, or whatever I’m using, and I don’t know what I’m using, and maybe I’m just not going to sign my bug reports to Debian.

But there’s a fix! I’m going to start using PGPgpPpgpGnuPG, which is really more straightforward. The “pgp” stands for “PGP,” while the “P” stands for “Pretty-good-privacy.” The “g” (no, not that “g”, the other “g”) stands for “GNU,” which is a recursive acronym. The “Gnu” (the one in “PGPgpPpgpGnuPG”, that is), that “Gnu” also stands for “GNU,” but that “GNU” doesn’t stand for “GNU’s not Unix.” It’s just “GNU,” kinda like “KFC.” The “G,” the “P,” and the “g” near-ish the front are there for backwards compatibility. The “O” stands for “Open” which, of course, stands for nothing.

And most important is the final “PG,” which stands for “secure.”

I encourage all my friends to use it.

Scary Reading Material – Courtesy of Wget

I want to show you how I use my computer.

It was this article that made me want to read some of the transcripts from the Chelsea Manning trial. All the transcripts can be found on this web page, but it’s about 70 PDFs, which isn’t convenient for downloading or searching. You could right-click-save the PDFs one at a time, but that’s tedious and I’m good with computers so I (gleefully) used wget. That’s a tiny program that just downloads files, same as a web browser but with some nifty options. I use it for things like backing up websites; downloading homework assignments; or getting software updated at my job as a programmer for Amazon. And it’s great in a pickle like this.

I opened up a terminal, and here are the commands I ran:

mkdir transcripts
wget -h
wget -r -A.pdf -P transcripts https://pressfreedomfoundation.org/bradley-manning-transcripts
pdfgrep -ric 'wget|w-get' transcripts | grep -v ':0'

For the millions of software developers, these commands should look totally trivial. For everyone else, they’re pretty opaque, so, line by line, they mean:

  1. Create a new folder named “transcripts” (see Wikipedia page for mkdir)
  2. Open up the help file for wget, because I can never remember how to use it. (see Wikipedia page for wget)
  3. Run the wget program. Tell it to open that web address, look at all the links, download any PDFs and save them in my shiny new “transcripts” folder.
  4. Use grep to search those PDFs for any mentions of “wget” or “w-get” (see Wikipedia page for grep). The results of that search look something like this:

[Screenshot: manning-pdf-grep-results]

It turns out that wget, that program I just used to download the transcripts, gets mentioned a lot in the transcripts. It comes up in 19 of the documents. It was mentioned 156 times on the afternoon of July 18. Nine times in the verdict.

I use wget to send NPR podcasts to my music player, so why was this banal program coming up in the verdict of the Chelsea Manning trial?

Chelsea Manning had access to millions of military documents, copied lots of them, and released them to the press. That is indeed a crime, and she was convicted of it. But one of the several nonsense charges against her was that she “exceeded authorized access.” She was accused of “circumventing” or “bypassing” security mechanisms to get the documents, and the evidence used to convict her of this was that she used wget. Even though this program can only download files one already has access to, the court decided that use of wget amounted to hacking government computers, and Manning was convicted of an additional crime that added years to her sentence.
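To make the point about access concrete, here is an added example (not code from the original post or from wget itself): a stripped-down stand-in for `wget -r -A.pdf` run against a throwaway local web server. The site, its paths and the 403 rule are all constructed for the demonstration.

```python
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin

# Constructed sample site: two public PDFs, one HTML page, one refused PDF.
INDEX = (b'<a href="/day1.pdf">1</a> <a href="/day2.pdf">2</a> '
         b'<a href="/about.html">about</a> <a href="/private/sealed.pdf">x</a>')
PDF = b"%PDF-1.4 constructed"

class Site(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path.startswith("/private/"):
            self.send_error(403)  # access control is decided by the server
            return
        body = INDEX if self.path == "/" else PDF
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def fetch_pdfs(base_url):
    """Read one page, follow its links, keep only *.pdf (the -A.pdf filter)."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    html = opener.open(base_url).read().decode()
    results = {}
    for href in re.findall(r'href="([^"]+)"', html):
        if not href.lower().endswith(".pdf"):
            continue
        try:
            results[href] = len(opener.open(urljoin(base_url, href)).read())
        except urllib.error.HTTPError as err:
            results[href] = f"HTTP {err.code}"  # refused; nothing to "bypass"
    return results

def demo():
    server = HTTPServer(("127.0.0.1", 0), Site)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    results = fetch_pdfs(f"http://127.0.0.1:{server.server_port}/")
    server.shutdown()
    return results

if __name__ == "__main__":
    print(demo())
```

The downloader issues the same GET requests a browser would: the two public PDFs come back, the HTML page is skipped by the filter, and the protected file is refused with the same 403 a click would get.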

From any technical point of view, this is insane. Without that avenue for argument, the prosecution instead seemed to rely on scaremongering. Here’s an exchange between the defense attorney and a government witness eager to malign:

Q: Now, I just want to talk sort of generally about the big picture about WGet. WGet is a program that’s in open source?
A: Correct.
Q: And it’s not a program that’s known for being synonymous with hackers, correct?
A: It could be.
Q: It could be, but it’s not necessarily?
A: Correct.
Q: It’s used for purposes by a lot of different people?
A: Yes.
Q: And a lot of those people aren’t hackers?
A: Yes.

Then the transcripts are littered with bizarre statements like:

Chief Royer further testified that Wget can be used in spear phishing and social engineering attacks…

I guess the lawyers involved are most familiar with using a mouse, and so to do otherwise must be breaking some kind of rule:

And what WGet does is it bypasses the normal mechanism for access to these cables — click, open, save.

Hacker!

There is this running theme of pointing to computer literacy to make her sound like a hacker mastermind. Like, when I just used wget, I had to open the help file to figure out what options to use (line 2 of the commands). So, apparently, did Manning because that was thrown at her in court.

Manning, after downloading Wget.exe, had to program Wget. [It] did not have a graphical user interface or GUI, therefore it was not as simple as double clicking an icon….
Your Honor, explained here is Prosecution Exhibit 189, page 1. This is the help file Special Agent Shaver testified he extracted from PFC Manning’s computer. When I type in wget -h, this help file displays in an MS dot prompt. Because Wget is a command line tool, it has many options as displayed on page 1 here.
PFC Manning had to research how to program Wget and how to program it in order to harvest the entirety of US SOUTHCOM database of DABs.

I have that same help file on my computer. Millions do. And I, too, have read it. If I had asked the Internet how to use wget, the Internet would have collectively yelled back “rtfm,” and then I’m back to the help file. In Manning’s case, that help file was entered as evidence against her. It is meant to sound like she was overcoming major technical hurdles to get at these military documents, when really, she just read the manual. She was using computers the way the people who use computers use computers. That was sufficiently scary and confusing, and she was convicted of this extra charge.

These transcripts are filled with things like the judge asking for definitions of “webpage,” “website,” and “webserver” — and how those things might be related. The prosecution gets to exploit this ignorance and equate “computer knowledge” with “computer infiltration.” The defendant gets painted as a “hacker,” like an updated version of the “Mad Scientist” trope. And people make important decisions about technology they know nothing about.

And personally, all this has been a nice distraction from studying for the LSATs. But I’m suddenly feeling energetic, and it’s not too late. One more round.

Oh, shit, another Logical Reasoning section. NM. Bedtime.

The Consequences of Running a Tor Exit Node From My Apartment

For a couple of years I’ve been donating all my spare bandwidth to the Tor network by running some intermediate relays, including one in my apartment. A little while back I decided that, as a social experiment, I’d flip the switch and turn my home internet connection into an exit node. I knew I’d have to abandon the experiment after a couple of weeks, because I was sure that the consequences would be some subset of the following:

Imagined Consequences:

  • Someone uses Tor to DDOS a government website, it looks like it was my wrongdoing and I have to explain myself to the feds.
  • The IP address at my home gets blacklisted as a notorious spammer and no one lets me connect to their servers ever again.
  • <ISP redacted> starts throttling my connection and blocking ports because I’m clearly abusing their terms of service.
  • No one cares about DDOS, spam, or excessive bandwidth use. However, <ISP redacted> throws a shit fit at the scores of DMCA complaints they’ve received, so they threaten to cut off my service, beat me up, and get me deported.
  • It all goes on my permanent record.

There is a lot of advice for running an exit relay, but I only took two precautions. First, I put up the Tor exit notice, and second, I set an exit policy which ought to block bittorrent. So, the experiment lasted more than two weeks. Actually, it’s now been 6 months and I can report:
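How an exit policy of that kind is evaluated, as an added example that is not the author's configuration: the torrc fragment below is a constructed allowlist, and the small evaluator applies Tor's first-match-wins rule to it. It assumes one rule per `ExitPolicy` line and wildcard addresses only; the function names are hypothetical.

```python
# Constructed sample torrc fragment (not the author's actual policy):
# a short allowlist of ports followed by a catch-all reject.
SAMPLE_TORRC = """\
ExitRelay 1
ExitPolicy accept *:53
ExitPolicy accept *:80
ExitPolicy accept *:443
ExitPolicy accept *:993-995
ExitPolicy reject *:*   # everything else, BitTorrent ports included
"""

def parse_exit_policy(torrc_text):
    """Return [(action, low_port, high_port)] for the ExitPolicy lines."""
    rules = []
    for line in torrc_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) != 3 or parts[0] != "ExitPolicy":
            continue  # other torrc options are ignored here
        action, target = parts[1], parts[2]
        addr, _, port = target.rpartition(":")
        if action not in ("accept", "reject") or addr != "*":
            raise ValueError(f"rule not supported by this sketch: {line!r}")
        if port == "*":
            low, high = 1, 65535
        else:
            low, _, high = port.partition("-")
            low, high = int(low), int(high or low)
        rules.append((action, low, high))
    return rules

def exit_allowed(rules, port):
    """The first rule that matches decides; later rules are never consulted."""
    for action, low, high in rules:
        if low <= port <= high:
            return action == "accept"
    return False  # sketch's choice; the sample always ends in reject *:*

if __name__ == "__main__":
    rules = parse_exit_policy(SAMPLE_TORRC)
    # 6881 is a port BitTorrent clients have traditionally defaulted to.
    for port in (80, 443, 994, 6881):
        print(port, "accept" if exit_allowed(rules, port) else "reject")
```

Because the policy is an allowlist, a BitTorrent client on any port outside the list is rejected, though nothing stops one from using an allowed port, which is why the post says only that the policy "ought to" block it.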

Real Consequences:

  • Yelp blocks Tor by IP address, so I can’t use Yelp from home.

That’s it.

Just that. No police, no throttling, no angry letters. Just, every once in a while I click a link to Yelp, they tell me I can’t get there from here, so I don’t. And in the meantime, my home internet connection keeps facilitating private, anonymous, and secure traffic. Like, 2 terabytes per month. (I’m kind of surprised no one from <ISP redacted> has contacted me over that one, and don’t really want to push it.)

Used to be the family desktop. Now it’s a tor exit node.

The only other thing to consider is that there is now one more hybrid category of consequences:

Real/Imagined Consequences (Apt Paranoia):

Bloody? And let us to his teeth.

Class ended yesterday, so I woke up this morning feeling uneasy. After running a mess of a life for weeks getting school work done, I really had no responsibilities today. It was slightly eerie.

“All this wondrous familiar to be exactly astern.”

So I took care of basic life things that have gone wanting for weeks. Groceries. Cleaning. Laundry.

“The monster is in the stranger.”

Perhaps there is not much more to my life than school these days. When I don’t have to drag myself to the library, I’m a little stumped.

“A vigorous pleasure to a whaling law, under a fair chance the devil did about it.”

So I looked through my list of “Christmas Break Distractions,” and got started. I made a Python script that builds and processes Markov Chains.

“It sometimes ends of Nantucket, and a hot tobacco wallet.”

It loads up the Gutenberg text of “Moby Dick,” then builds a graph of all the words and which ones probabilistically follow each other.

“Ocean, oh! thou may’st have talked with soft and then, that from his crew say to go and sixpence for a rag of the Spanish land.”

Throw a random number generator on top, and it loops through the whole text creating stochastic, Melville-like sentences.

“The continual cascade played at their defunct bodies.”

Neat, hunh?

“Ahab, unmindful of his report, stood thoughtfully eyeing his own lean Nantucketer.”

Hunh?!
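
A word-level Markov chain of the kind described in this post, as an added example that is not the author's script: it builds the word-to-followers graph and takes a seeded random walk over it. A short constructed sample stands in for the Gutenberg text, and the function names are hypothetical.

```python
import random
from collections import defaultdict

# Constructed sample text standing in for the Gutenberg "Moby Dick" file.
SAMPLE = ("the whale swam under the ship and the ship chased the whale "
          "and the crew watched the sea")

def build_chain(text):
    """Map each word to the list of words that follow it in the text.

    Repeats are kept, so a frequent follower is proportionally more likely
    to be picked by a uniform random choice.
    """
    words = text.split()
    chain = defaultdict(list)
    for current, following in zip(words, words[1:]):
        chain[current].append(following)
    return dict(chain)

def generate(chain, start, max_words, rng):
    """Random walk over the chain; stops early at a word with no followers."""
    sentence = [start]
    while len(sentence) < max_words and sentence[-1] in chain:
        sentence.append(rng.choice(chain[sentence[-1]]))
    return " ".join(sentence)

if __name__ == "__main__":
    chain = build_chain(SAMPLE)
    # A fixed seed makes the "stochastic" sentence reproducible.
    print(generate(chain, "the", 12, random.Random(1851)))
```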