Jan 222018

The most recent proposed regulations state:

Sec. 145. Before a marijuana establishment agent sells marijuana or marijuana products to a consumer, the marijuana establishment agent shall:
1. Verify the age of the consumer by checking a government-issued identification card containing a photograph of the consumer using an identification scanner approved by the Department to determine the validity of any government-issued identification card;

NRS 453D.200 5(a):

5. To ensure that individual privacy is protected:
(b)A retail marijuana store must not be required to acquire and record personal information about consumers other than information typically acquired in a financial transaction conducted at a retail liquor store.

They are requiring that retail marijuana store scan ID’s using a device ‘approved by the Department’.  No such requirement exists for retain liquor sales.  Clearly an overreach.  Perhaps the NV Department of Taxation doesn’t understand what the word ‘acquire’ means? Taking an ID from a customer and scanning in a device is acquiring personal information. These devices cannot function without recording that information in internal memory at best, at worst they’ll push it to a third party host for processing…

So far the Department has made no list of approved devices available to the public, however I can say from experience that these devices will be very insecure and many on the market transmit your personal information to a third party for processing.

The regulations go on to detail their plans for manipulating the market prices, as if you can overrule the law of supply and demand with legislation.  The black market will continue to thrive with these asshats in power.

Just wait until they roll out these same regulations for liquor, I suspect that will be the only response they can make when called on this.

Jan 022018

Medical buyers are used to having their personal information collected.  Recreational buyers should expect privacy, and in fact there is protection written into the law however it only binds the Department of Taxation (direct quote, emphasis mine):

5. To ensure that individual privacy is protected:

(a) The Department shall not require a consumer to provide a retail marijuana store with identifying information other than government-issued identification to determine the consumer’s age; and

(b) A retail marijuana store must not be required to acquire and record personal information about consumers other than information typically acquired in a financial transaction conducted at a retail liquor store.

Have you ever had a retail liquor store scan your ID or enter personal information into their database?  Of course not.  If you want to purchase from any of the following be prepared:

  • Sierra Wellness: Records information from ID in their database, possible ID scan however contact was not forthcoming with details
  • Kanna: Wanted to scan my ID using unidentified device
  • Greenleaf: Wanted to scan ID and enter personal information into their database
  • Silver State Relief: Enters info from DL and scans
  • Reef: “We don’t take a photo scan of your ID, but it is our policy to scan it with a barcode scanner. This pulls your name, address, DOB, and DL # & expiration date into our database.”
  • Blum: “We collect name, date of birth and ID number. We just need to prove that you were over the age of 21.”
  • Mynt: Unknown: after long FB messenger conversation (the only way I could get any responses) little details are clear.  Last message was “all they need to do in the store is verify that you have a valid ID and are over the age of 21. No information is saved.”  That could be taken to mean only a visual inspection, but there is a lot of detail hidden in the phrase “valid ID”.
  • Blackbird logistics (the company that handles wholesale and retail delivery): They require you upload an image of your ID to their system, first person I contacted claimed it was required by law which is a lie.  When I called her on it, she backed off and said it was policy.  Eventually gave me to a ‘supervisor’ who claimed it was to assure orders are legitimate, which is a joke….

You can see that some are greedier than others, so far the least invasive seems to be Blum.

Why should you care?  Name and DOB are PII (Personally Identifiable Information) prized by data thieves.  What can someone do with your name and DOB and the fact that you buy cannabis?

  • Medical industry commonly uses name and DOB, with that someone can have full access to your medical history.
  • Some banks are still using name + DOB and address to identify customers (common at credit unions).
  • Some online services will allow you to reset your password with name and DOB.
  • Many court systems will give you arrest/criminal reports using just a name and DOB…
  • Name and DOB are powerful bits of information for social engineering attacks.
  • Blackmail by threatening to tell your employer that you purchase cannabis.
  • Threatening to turn you into the feds as a dealer, ever seen what happens when they raid the wrong house?

That’s just a short list, the more PII a bad actor has the more damage they can do.  Imagine what they can do with everything on your DL? Say for example you have a motorcycle endorsement.  How could that be useful?  Imagine a call to one of your relatives claiming to be a from a hospital, you’ve been in a motorcycle accident and they need a CC number to start treatment until they can verify your insurance.  These kind of social engineering scams work very well, the more PII they have the more effective the attack is.

If you think your information is safe, think about all the high profile breaches recently (Anthem/BlueCross, Home Depot, Target). I had one dispensary tell me that the data is safe because they are HIPPA compliant, er.. Anthem is HIPPA compliant and spends millions of dollars a year on security.  If I were a dispensary owner there is no way I’d want to collect this toxic information unless absolutely necessary.

The intent of the law is clear, recreational marijuana sales should be no more invasive than purchasing a beer.  A visual inspection of ID is all that’s necessary to establish that someone is 21+.  Hand over your ID at your own risk.   Data breaches are a common occurrence, why willingly increase the chance that your data is stolen?

Dec 072017

I was considering buying a drone this year, so I did a little digging and found the DJI Go app requires these permissions:

Device & app history
  • retrieve running apps
  • read sensitive log data
  • find accounts on the device
  • add or remove accounts
  • find accounts on the device
  • approximate location (network-based)
  • precise location (GPS and network-based)
  • directly call phone numbers
  • read phone status and identity
  • access USB storage filesystem
  • read the contents of your USB storage
  • modify or delete the contents of your USB storage
  • read the contents of your USB storage
  • modify or delete the contents of your USB storage
  • take pictures and videos
  • record audio
Wi-Fi connection information
  • view Wi-Fi connections
Device ID & call information
  • read phone status and identity
  • Access download manager.
  • download files without notification
  • full license to interact across users
  • manage document storage
  • control media playback and metadata access
  • close other apps
  • view network connections
  • read battery statistics
  • pair with Bluetooth devices
  • access Bluetooth settings
  • send sticky broadcast
  • change system display settings
  • change network connectivity
  • connect and disconnect from Wi-Fi
  • control flashlight
  • full network access
  • close other apps
  • run at startup
  • draw over other apps
  • use accounts on the device
  • control vibration
  • prevent device from sleeping
  • modify system settings
  • add words to user-defined dictionary
  • Google Play license check
  • read Google service configuration

HOLY CRAP!  That is insane!  I’m not even going to cover this point by point, at a guess 80% of these permissions are un-necessary and 90% are massive security and privacy risks.  I don’t trust an app developer that can’t be bothered to manage permissions properly.

Apr 112017

I’m considering purchasing a ZOOM B3n bass effect processor, one of the nice features is the program that allows you to edit/load patches via a PC..  vs. having to do so on the device itself.   Being a security minded geek, I downloaded the software and took a look.

After installation, first thing it does is REQUIRE an active internet connection.  No explanation, it’s not in the system requirements..  So a little work with wireshark and a little snooping around, it’s downloading files from and placing them in %USERPROFILE%\AppData\Local\ZOOM Guitar Lab.

This appears to be some poor attempt at providing auto updating capabilities.  The first ‘conversation’ is via TLS however they do not appear to be authenticating the server certificate, AND the subsequent downloads .. at least some.. are happening via HTTP connection and appear to not be signed.

Poison DNS servers and reverse engineer their server protocol (likely trivial), and you have an easy way to deploy anything to everyone who uses this software.

Maybe not a likely target, however If you are concerned about your DAW being corrupted by malware, I’d suggest installing in a virtual machine as well as your DAW.  Turn off updating in the installation on your DAW (in Help menu, deselect “Notify when the new version of ZOOM Guitar Lab exists” and  “Notify when the new version of firmware exists”).

Let it do it’s update on the virtual machine, then copy the VM %USERPROFILE%\AppData\Local\ZOOM Guitar Lab to the same folder on your DAW.  That should get you the updates without any bad stuff (unless bad stuff was to installed in that folder of course).

Mar 292017

As noted here it’s likely that if not already, soon not only will you be paying exorbitant monopoly rates for internet access, the ISP will also sell your web browsing history.

There are many ways you can protect yourself, TOR comes to mind however the performance trade offs are often not worth it.  Personally I block java/javascript, cookies, 40,000 or so domains, ads, tracking sites AND often pipe traffic through Privoxy and TOR.   These tactics assure that my ISP is not getting a complete picture.   However all of this is a hassle, so my wife/guests/etc are not likely to put up with it.

There’s another option, fill their database with so much garbage that it’s useless.  This will not defend against ISP’s selling your data, however if enough people shovel enough shit into the system the buyers will eventually realize the data is useless and stop buying.

Introducing Obfuscatron GIGO this is a start.  I would love to see more people create more systems like this, run them all!  Fill their databases with garbage that is indistinguishable from real data!

If there’s enough interest I’ll keep enhancing this.  One idea I have is to provide a list of Zip codes for the U.S. and allow URL’s in the ‘seeds.txt’ list to contain place holders like %ZIP% that the system replaces with a random zip code..  May be useful for weather and travel sites.

If you have any questions/concerns or would like source code, leave a comment here.

NOTE: this works best if you have a computer that’s on 24×7.  If your computer goes to sleep, so will this.  It’s likely still helpful, just a bit less due to leaking your PC active hours (that may reveal when you work, got to school, come home, etc).

Mar 232017

According to art-technica:

The fix is easy, obfuscate.. fill their database with garbage that’s indistinguishable from real traffic.  For the do-it-yourselfer that it willing to accept some risk, running a TOR exit node would likely do the job.

For people who want a bit more control over the process, this is the official announcement for the Obfuscatron!  In short it’s a windows service (I’ll write a *nix deamon is there’s any demand) that will run in the background and generate very random web traffic.  The starting sources will be based on the Wikipedia random article function, however from there is will go out to external links on the page.  You will also be able to control the user agent, as well as configure how aggressive it is.

Currently in very early alpha, I’ll be running a version of this locally over the next several days and refining as I go.  Expect an available beta version in a couple of weeks.

I can’t imagine how they’d be able to distinguish this traffic from user traffic..  as long as it’s random enough and not just a constant stream of traffic going to a small set of sites.

Dec 202016

I’m somewhat active in various online RV communities, and it never fails to amaze me how people can be easily manipulated into purchasing a trailer that is unsafe to tow with their vehicle. Or even better are the people that show up with an unsafe combination and try to justify it, “but the towing capacity is 10,000 pounds”. What most do not realize is the numbers are cooked in all manner of ways, starting with a basic understanding of the terms Towing Capacity, Tongue Weight, Payload and Axle Ratings. Towing Capacity in particular may not mean what you think.

Further RV manufacturers actively confuse things (and IMO outright lie) about numbers, they get away with this by including “specs subject to change” in all marketing materials. I cover that in more detail in When Optional = Mandatory.
Continue reading »

Dec 202016

RV manufacturers lie about weights, no two ways to say it. They actively use numbers for trailers that they will never deliver in an attempt to get people to buy more trailer than they can tow safely. If that causes an accident, not their problem because YOU are responsible 100% and they surely told you clearly ‘specs subject to change’.

One way they obfuscate numbers is by listing weights using a base model trailer that they will never build or sell because (if you read the title you know what’s coming) of the options that are mandatory.

Here’s some examples from Coachman Apex line:



The mandatory APEX NANO PACKAGE further hides details under a ‘show more’ button.. if you press that you find the following:
Continue reading »

Mar 112016

Make sure the ‘charity’ isn’t a scam.  Having ‘non-profit’ status means nothing except they filed forms.  In order to be considered a public charity an organization must receive a substantial part of its support from a ‘government unit’ or from general public support.  There’s the first part of the scam, many charities are just a front to launder grant money which for some idiotic reason is considered ‘public support’ even though nobody in the public has any control over this money.  Feeding at the public trough does not make for a good charity.

So how do you do a ‘background check’ on a charity?  Easy, non-profit organizations tax returns are public information.  They are fairly easy to find, I used to use guidestar however they’ve gone to a subscription only format so currently the easiest free site is Foundation Center. Decoding 990’s isn’t very fun, however it’s the only way to get facts.  I’ll try to walk you through an example.  For the purposes of this article I’m using the 2014 990-EZ for Project Great Outdoors, if you want to follow along here it is: 943368163_201412_990EZ

Continue reading »