Could you get spied on and ratted out by your computer repair shop?

This post was inspired by the recent widely publicized incident where a Best Buy customer in California was charged with child pornography-related crimes after he dropped his computer off at the local store and it was shipped to the Geek Squad center in Kentucky for the actual repairs. There’s also a tie-in with National Stalking Awareness Month related to privacy and security when it comes to electronic data which I will get to later in the post.

A representative sample of articles about the incident:

I’m not really going to go into quotes of any of the articles here, but simply restate what appear to be the facts in my own words. A Geek Squad staffer was running a data recovery (“file carving”) tool on this particular PC. Part of the assigned work was data recovery, so on its face it would appear to be a valid reason. However, the Geek Squad staffer’s job was just to get the PC running, not recover data. It turns out that he was a paid FBI informant who got $500 for each instance of apparent child porn he found.

To its credit, Best Buy issued this statement (quoted from the Network World article):

“Best Buy and Geek Squad have no relationship with the FBI. From time to time, our repair agents discover material that may be child pornography and we have a legal and moral obligation to turn that material over to law enforcement. We are proud of our policy and share it with our customers before we begin any repair.

“Any circumstances in which an employee received payment from the FBI is the result of extremely poor individual judgment, is not something we tolerate and is certainly not a part of our normal business behavior.

“To be clear, our agents unintentionally find child pornography as they try to make the repairs the customer is paying for. They are not looking for it. Our policies prohibit agents from doing anything other than what is necessary to solve the customer’s problem so that we can maintain their privacy and keep up with the volume of repairs.”

My first reaction to reading this was “looks like more spin than a Steve Mizerak massé”. I have a lot of respect for PR as a profession, but this smacks of trying to close the barn door after the horse has already bolted. Depending on the circumstances, I would even question that there is a moral obligation, even if a legal one is there. That they would be proud of this policy, especially if it goes over and above what the law actually requires (despite what they say), is a bit concerning from a privacy standpoint.

The law in Texas appears to have such a requirement. Without quoting the entire law here, the computer technician has to “view the image” “in the course and scope of employment or business” in order for the reporting requirement to kick in. There’s a criminal penalty of a class B misdemeanor ($4,000 fine and/or 180 days county jail as of this writing) as well as possible civil liability. For the terminally curious, it’s Section 110 of the Business and Commerce Code.

Anyway, whether your threat model is a Best Buy technician, or an intimate partner who may have turned to stalking you, the basic ways to protect yourself are pretty much the same. First, realize that without taking any other steps, “deleted” files aren’t really deleted. Whether one empties the Recycle Bin in Windows, or runs the rm command from a GNU/Linux command line, the only thing that is actually removed is the pointer to the data, not the data itself.

If the true intent is to erase a file, one needs to actually erase it, not just remove the pointer to it. BleachBit contains options for wiping the data in the free space of a hard drive (which I would recommend doing at least once per month, if not more often), as well as overwriting file contents or an entire directory’s contents prior to deletion. There is also the shred command for GNU and related systems if working from the command line. This mainly pertains to mechanical hard drives, as a properly configured solid state drive (SSD) should effectively do this for you: enable TRIM on Windows, or mount with the “discard” option on GNU/Linux (yes, it may affect performance but it’s a small price to pay for knowing that deleted files are actually gone and not just floating around). In fact, not only should one not need to overwrite files on a solid state drive, doing so can shorten the drive’s lifespan.
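
As an added example (my own illustration, not code from the post, from BleachBit or from coreutils), this is the overwrite-then-unlink approach the shred command takes, with the same caveat the post raises: it only replaces the old blocks on a mechanical drive, while an SSD or a copy-on-write/journaling filesystem may keep the old data elsewhere. The demo file and its contents are constructed.

```python
"""Overwrite a file in place before unlinking it, shred-style.

Added example; not the blog's code or the shred/BleachBit implementation.
"""
import os
import secrets
import tempfile
from typing import Optional, Tuple

CHUNK = 64 * 1024  # write in 64 KiB chunks so large files never sit in RAM


def _overwrite_once(fd: int, size: int, fill: Optional[bytes]) -> None:
    """One full pass over the file: random bytes (fill=None) or a fixed byte."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        os.write(fd, secrets.token_bytes(n) if fill is None else fill * n)
        remaining -= n
    os.fsync(fd)  # force this pass to the device before the next one starts


def wipe_file(path: str, passes: int = 3) -> int:
    """Overwrite `path` `passes` times (random data, then zeros on the final
    pass), truncate it to hide the original length, then unlink it.
    Returns the number of bytes overwritten per pass.

    Caveat (the post's point about SSDs): on flash storage and on
    copy-on-write or journaling filesystems the overwrite may land on new
    blocks while the old ones survive until TRIM/discard reclaims them."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_WRONLY)
    try:
        for i in range(passes):
            _overwrite_once(fd, size, b"\x00" if i == passes - 1 else None)
        os.ftruncate(fd, 0)
        os.fsync(fd)
    finally:
        os.close(fd)
    os.unlink(path)  # only now remove the directory entry (the "pointer")
    return size


def demo() -> Tuple[int, bool]:
    """Constructed demo: write a 60,000-byte sample file, wipe it, and report
    (bytes overwritten per pass, whether the path still exists)."""
    path = os.path.join(tempfile.mkdtemp(), "secret.txt")
    with open(path, "wb") as f:
        f.write(b"secret line\n" * 5000)  # 12 bytes * 5000 = 60,000 bytes
    written = wipe_file(path)
    return written, os.path.exists(path)


if __name__ == "__main__":
    print(demo())  # (60000, False)
```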

Second, consider using encryption to keep your data private. There is a reason most websites (including this blog) use HTTPS (encrypted HTTP) now, and why it’s been recommended since the beginning of the World Wide Web to never submit credit card or banking information over unencrypted plain HTTP. Anyone can read plain HTTP while it’s in transit. It’s the electronic equivalent of writing information on a postcard and mailing it–something most people reserve for the most innocuous of communications. Similarly, data encrypted in storage won’t be readable without a decryption key, usually a passphrase (don’t just use a simple word).

Third, consider keeping particularly sensitive data on external storage devices such as USB hard drives, so that the data is not on the computer if it needs to be repaired. This would also reduce the chance of important data on the internal drive getting “accidentally” erased for whatever reason during a repair–though if it’s important, it should be backed up anyway (see below).

Fourth, don’t keep data that you don’t need. If you don’t need your web browsing history from some months ago, get rid of it. Firefox sorts history by calendar month and lumps sites visited over 6 months ago into their own list; unfortunately, clearing it has to be done manually every so often (again, I would recommend monthly). For stuff that should never go into the history to begin with, Chrome has an “incognito” mode and Firefox has a “private browsing” mode. Firefox, at least, also lets one completely disable keeping browsing history if appropriate for one’s situation (Preferences / Privacy / History then select “Never remember history”) and also includes a “Forget” toolbar button for quickly “disappearing” the last 5 minutes, 2 hours, or day’s worth of history.

Finally, don’t forget to keep adequate backups. Remember, if the main copy of the data is encrypted, it only makes sense for the backups to be encrypted as well (and often the backup copies should be encrypted even if the originals are not). The more important something is, the more backup copies of it should exist (either onsite or offsite).

The tale of the WordPress XML-RPC attacks

I can’t believe I’m writing this post. But, I am.

This concerns something in WordPress that a lot of people don’t even know is there called XML-RPC. The XML-RPC feature has been turned on by default since version 3.5 (released 2012 December 11), and I think it has been in WordPress itself since the beginning, even if not enabled by default.

Without getting too technical, XML-RPC is responsible for two main features of note: pingbacks and external blog post editor support. Unfortunately, it has recently become the vector of choice for what I can only assume is some kind of worm/malware which sends thousands of requests in an attempt to either break into a site or just plain cause havoc and increased resource usage. That’s where the problem begins.

This wouldn’t be that vexing of a problem except for one thing: I actually use XML-RPC legitimately. This post, for example, was made via the XML-RPC function, not WordPress’s internal editor (though I have made posts via the internal editor before). Most of the posts you’ve seen me make in the last three years have had the XML-RPC interface come into play during editing at some point. So, just turning this thing off isn’t an option.

I tried a couple of plugins which promised to “secure” XML-RPC and they did so by completely breaking it. (I can do a better job of this with “rm xmlrpc.php” or “chmod go-rx xmlrpc.php” myself; I don’t need a plugin to effectively do something like this for me.) It is difficult to know for sure, but given the relatively low traffic I have, it does not make sense that my resource usage is what it is. (Resource usage which I pay for, I might add.)

So, what the h-e-double-hockey-sticks am I, or other WordPress site admins, supposed to do?

Well, right now (actually, by the time I post this, as of a couple of weeks ago), my solution is akin to a duct-tape-quality fix: copy the existing xmlrpc.php to something else, and use that for my editor’s XML-RPC endpoint. It’s the only thing I could think of to do, and thankfully almost everything still appears to work as designed.

I say “almost” because this doesn’t yet solve the problem of legitimate pingbacks potentially getting dropped. My host has XML-RPC protection, but unfortunately that protection is to change permissions on xmlrpc.php at the first sight of an attack (breaking the functionality until I manually restore it). Unfortunately I don’t have a way to tell sites sending me pingbacks to send them somewhere else automagically just yet. It also means I have to repeat this step on each upgrade (well, at least if xmlrpc.php changes). Like most actual duct tape repairs, it’s probably not the best solution. But, for now, it works, and to me that’s what matters.
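
As an added example (my own script, not the blog’s tooling, not part of WordPress and not the host’s protection), this flags the kind of flood described above by counting POSTs to xmlrpc.php per client IP within a sliding time window over a web server access log in the common “combined” format. The log lines, IP addresses and hostnames are constructed; the threshold and window are assumptions to tune for your own traffic.

```python
"""Flag clients flooding xmlrpc.php in a combined-format access log.

Added example; not the blog's or WordPress's own code.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client hammering xmlrpc.php, one legitimate-looking
# pingback from another WordPress site, and an unrelated page view.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:04:12:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Mar/2015:04:12:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Mar/2015:04:12:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0"
198.51.100.4 - - [10/Mar/2015:04:12:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 245 "-" "WordPress/4.1; http://example.org"
203.0.113.7 - - [10/Mar/2015:04:12:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0"
192.0.2.9 - - [10/Mar/2015:04:12:05 +0000] "GET /index.php HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:04:12:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Mar/2015:04:12:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0"
"""


def parse(line: str) -> Optional[dict]:
    """Fields of one combined-format line (with a parsed 'time'), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def xmlrpc_offenders(lines: Iterable[str], threshold: int,
                     window_s: int) -> List[Tuple[str, int]]:
    """Return (ip, peak count) for every client that POSTs to xmlrpc.php at
    least `threshold` times inside any `window_s`-second window."""
    hits: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].split("?")[0].endswith("/xmlrpc.php")):
            hits[rec["ip"]].append(rec["time"])
    offenders = []
    for ip, times in hits.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            # advance the window's left edge until it spans at most window_s
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders.append((ip, peak))
    return sorted(offenders, key=lambda pair: -pair[1])


if __name__ == "__main__":
    print(xmlrpc_offenders(SAMPLE_LOG.splitlines(), 5, 60))
```

Once the editor has been pointed at a renamed copy of xmlrpc.php as the post describes, the only legitimate traffic left on the original path should be pingbacks, which makes a per-IP threshold like this much easier to set without dropping real work.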

The fox in the henhouse, cyberspace edition

Again, before I get into discussing exactly what this email is about, I need to lay down the background on who’s who and what’s what. Otherwise, it’s easy for one to gloss over all of this and assume it doesn’t affect oneself, when in reality this potentially affects or could affect a large chunk of the users of the Internet.

In the beginning, there was the original Unix, AT&T Unix. The University of California at Berkeley made their own version of Unix based on AT&T’s code and called it BSD. There exist today several different operating systems that came from the original BSD code: FreeBSD, NetBSD, OpenBSD, DragonFly BSD, etc. Due to its liberal license, code from BSD was used in many places; instead of writing their own software for Internet connectivity (the TCP/IP stack, for those who know what that is), Microsoft adapted the one from BSD. Apple Mac OS X also uses software adapted from FreeBSD and NetBSD, which also traces its lineage back to the original BSD. Many GNU/Linux distributions also use software which came from BSD. Put simply, it is likely that your computer has some software on it somewhere which originally came from BSD.

Of particular note in the BSD-derived operating systems is OpenBSD. The OpenBSD project was started by Theo de Raadt as a fork of NetBSD originally due to conflicts with the latter project’s leadership back in 1995. The focus of OpenBSD became security, and today many consider it the most secure operating system on the planet.

OpenBSD has software built into it to implement IPsec, which appears to have been started in the latter half of 1997. Theo de Raadt recently received an email from Gregory Perry. Gregory was working with a company called NETSEC and helped arrange funding for the OpenBSD Crypto Framework, upon which the IPsec software is based. The email, which Theo forwarded to the tech@openbsd.org mailing list, contains a rather direct accusation that developers accepted money from the FBI to weaken the IPsec software in OpenBSD (specifically, to add “backdoors” to it intended for FBI use).

The full email is archived on marc.info, and also implies that this sabotage of the IPsec software in OpenBSD is the reason that the OpenBSD project lost its DARPA funding suddenly and unexpectedly. Now, back in 2003, sources such as ComputerWorld reported on Theo’s no-nonsense comments against the war on Iraq (such as the often-quoted “I try to convince myself that our grant means a half of a cruise missile doesn’t get built”) and it was suggested these were DARPA’s motivation.

First, Theo is to be commended for, as he states, “refus[ing] to become part of… a conspiracy.” It is not an easy decision for anyone, let alone someone of Theo’s stature, to decide to publish a private email. It involves a careful consideration of the consequences of violating a social norm for the greater good, and he acknowledges this:

Of course I don’t like it when my private mail is forwarded. However the “little ethic” of a private mail being forwarded is much smaller than the “big ethic” of government paying companies to pay open source developers (a member of a community-of-friends) to insert privacy-invading holes in software.

(I’ll get back to this decision Theo had to make in a bit.)

Gregory also deserves some recognition here, for blowing the whistle as soon as he was legally permitted to. This email serves as a prime example of the kind of damage a non-disclosure agreement (NDA) can do to the public good. I don’t think all NDAs are bad, and it’s way too easy to see why the FBI wouldn’t want the news of backdoors in OpenBSD’s IPsec software getting out. And, to be fair about it, I honestly think Gregory expected his email to become public; had he wanted this to truly remain a secret, he would have told no one. This almost certainly weighed into Theo’s decision as well.

This news has anywhere from annoying to disastrous consequences for users of OpenBSD’s IPsec software, and products derived from it. The latter half of this is the most troubling, as Theo wrote in his email:

Since we had the first IPSEC stack available for free, large parts of the code are now found in many other projects/products. Over 10 years, the IPSEC code has gone through many changes and fixes, so it is unclear what the true impact of these allegations are.

However inconvenient it may be for law enforcement agencies such as the FBI, back doors in security software are still weaknesses. It is easy to forget sometimes that computers are pretty stupid; they do what humans tell them to do. Exactly what humans tell them to do. A computer cannot, by itself, tell the difference between honest, largely law-abiding citizens such as me and the vast majority of you out there reading, someone acting with criminal intent, someone representing the FBI or another law enforcement agency, or someone working with a group like al Qaeda or the Taliban. As an example, anyone who knows my password on any of my computers, can type in the username (which is usually not intended to be kept secret; mine is normally “skquinn”) followed by that password (which is intended to be kept secret), and will be logged in as me. It does not matter to the computer one bit if it really is me; a police officer who wound up with one of my computers somehow, legally or not (and who as a rule, I would not want just going through the stuff on my computer; I value my Fourth Amendment rights), or an al Qaeda operative who somehow has access to my computer. (Sidenote: Biometric devices such as fingerprint scanners can be fooled as well, and in fact are in some cases more dangerous than a password typed in via the keyboard, as once compromised changing one’s fingerprints is impossible for all practical purposes.)

So it follows that the same “backdoors” the FBI put in will work for anyone who knows about them, regardless of their good or evil intent. Such “backdoors,” as well as unintentional security holes which stem from bugs (programming errors) in the software, get found without the help of the source code (a human-readable form of the computer’s instructions) all the time. It was and is incredibly naive and stupid of the FBI and like-minded law enforcement agencies to assume that these “backdoors” would never be found.

We may not know for several more years just how much damage has been done by developers bribed by the FBI. This is but one small example of why I tend not to trust law enforcement agencies. Shame on the FBI for weakening the security of computers worldwide, including those outside of US jurisdiction. I hope restitution is made that involves fixing the intentionally broken software made fraudulently by programmers on the take from the FBI. That, and a pledge never to violate our privacy and peace of mind in such a fashion again, would be the minimum needed for me personally to start trusting the FBI again. Sadly, I don’t see that coming.

Another look at photographer’s rights

Gizmodo recently ran a story (which in turn drew on and linked to a Popular Mechanics story) on what they termed “photography bullying” or the intimidation of photographers taking still pictures and/or video.

One of the more interesting parts of the story is a quote from Bruce Schneier, well-known security expert currently employed by British Telecom. From the Gizmodo article:

As Bruce Schneier, head of security technology for British Telecom points out, the notion that terrorist conspirators photograph their targets is an overblown one: “Look at the 9/11 attacks, the Moscow and London subway bombings, the Fort Hood shooting—no photos.” Rather, [Popular Mechanics writer Glenn Harlan] Reynolds argues, a camera in the hand of every pedestrian can only serve to foil potential plotters.

The latter story contains a chilling, yet almost comical, example of just how bad things are getting:

Not long ago, an Amtrak representative did an interview with local TV station Fox 5 in Washington, D.C.’s Union Station to explain that you don’t need a permit to take pictures there–only to be approached by a security guard who ordered them to stop filming without a permit.

The Popular Mechanics story also mentions the Anthony Graber case yet again. Anthony faces 16 years in prison for recording his own arrest under Maryland’s wiretapping laws. If upheld, this would essentially mean law enforcement has the right to privacy when arresting someone in a public place, and the right of the common citizen to document things like the Rodney King beatings no longer exists. To say the least, I find this frightening, and I believe you should too.

I find it ironic that an obvious video camera or DSLR merits harassment, yet those looking to do reconnaissance for a future crime or terrorist act would likely use an inconspicuous pocket sized point-and-shoot or even a cell phone camera. Usually, the odds are against being hassled by cops when using one of the latter two devices, as the assumption made in those cases is usually “tourist” as opposed to “terrorist.”

Anyway, I’ll close with reminders to the fellow photographers out there, paraphrased from the articles (this is primarily for the US, the rules might be different elsewhere):

  • If you’re on public property, it is the rule, not the exception, that photography is allowed.
  • If you are on (someone else’s) private property and you are hassled by security or police, politely ask on what legal basis they are ordering you to stop taking pictures, and be ready to either call a real police officer (for security) or ask to speak to a supervisor (for police).
  • You never have a legal duty to delete pictures or video already taken and should never do so on the order of security or police officers.

Aggressive, hardball censorship threats by the TSA

Continuing on with the airport security theme, even though the holiday travel season has come and gone:

Wired.com’s Threat Level blog reports on an attempt by the TSA to censor two bloggers who posted a TSA document describing screening procedures, sent to many major airports worldwide (not just in the US). According to one of these bloggers, Steven Frischling, “they’re looking for information about a security document sent to 10,000-plus people internationally. You can’t have a right to expect privacy after that.”

The TSA agents who visited Steven at his home the evening of 2009-12-29 aggressively questioned him about the source of the document as well as threatened him with the loss of his job and a “security risk designation”– something which may be a mere annoyance for people like me who don’t fly very often, but which carries far greater ramifications for someone who works for an airline as Steven does.

It’s a pretty low blow to aggressively and mercilessly threaten an airline employee while he is holding his three-year-old daughter (as Steven was). This is a huge abuse of Steven’s civil liberties, and it is alarming to me that the TSA would use a subpoena in a similar manner to a search warrant. The two are not the same thing.

Shame on you, TSA agents who did this. How disgraceful, cold, thoughtless, and unkind of you.

For those of you out there who find yourself in a similar spot, be aware of the difference between a subpoena and a search warrant. It’s a good idea to have contact information for the local office of organizations like the ACLU and the EFF handy, especially for bloggers who write about issues the least bit controversial. (And let’s face it, blogs without a little controversy once in a while tend to get a bit boring.)