Jan 22, 2018

The most recent proposed regulations state:

Sec. 145. Before a marijuana establishment agent sells marijuana or marijuana products to a consumer, the marijuana establishment agent shall:
1. Verify the age of the consumer by checking a government-issued identification card containing a photograph of the consumer using an identification scanner approved by the Department to determine the validity of any government-issued identification card;

NRS 453D.200 5(b):

5. To ensure that individual privacy is protected:
(b) A retail marijuana store must not be required to acquire and record personal information about consumers other than information typically acquired in a financial transaction conducted at a retail liquor store.

They are requiring that retail marijuana stores scan IDs using a device ‘approved by the Department’.  No such requirement exists for retail liquor sales.  Clearly an overreach.  Perhaps the NV Department of Taxation doesn’t understand what the word ‘acquire’ means? Taking an ID from a customer and scanning it in a device is acquiring personal information. These devices cannot function without recording that information in internal memory at best; at worst they’ll push it to a third party host for processing…

So far the Department has made no list of approved devices available to the public; however, I can say from experience that these devices will be very insecure and many on the market transmit your personal information to a third party for processing.

The regulations go on to detail their plans for manipulating market prices, as if you can overrule the law of supply and demand with legislation.  The black market will continue to thrive with these asshats in power.

Just wait until they roll out these same regulations for liquor; I suspect that will be the only response they can make when called on this.

Jan 02, 2018

Medical buyers are used to having their personal information collected.  Recreational buyers should expect privacy, and in fact there is protection written into the law; however, it only binds the Department of Taxation (direct quote, emphasis mine):

5. To ensure that individual privacy is protected:

(a) The Department shall not require a consumer to provide a retail marijuana store with identifying information other than government-issued identification to determine the consumer’s age; and

(b) A retail marijuana store must not be required to acquire and record personal information about consumers other than information typically acquired in a financial transaction conducted at a retail liquor store.

Have you ever had a retail liquor store scan your ID or enter personal information into their database?  Of course not.  If you want to purchase from any of the following be prepared:

  • Sierra Wellness: Records information from ID in their database, possible ID scan; however, contact was not forthcoming with details
  • Kanna: Wanted to scan my ID using unidentified device
  • Greenleaf: Wanted to scan ID and enter personal information into their database
  • Silver State Relief: Enters info from DL and scans
  • Reef: “We don’t take a photo scan of your ID, but it is our policy to scan it with a barcode scanner. This pulls your name, address, DOB, and DL # & expiration date into our database.”
  • Blum: “We collect name, date of birth and ID number. We just need to prove that you were over the age of 21.”
  • Mynt: Unknown: after a long FB messenger conversation (the only way I could get any responses) few details are clear.  Last message was “all they need to do in the store is verify that you have a valid ID and are over the age of 21. No information is saved.”  That could be taken to mean only a visual inspection, but there is a lot of detail hidden in the phrase “valid ID”.
  • Blackbird logistics (the company that handles wholesale and retail delivery): They require you to upload an image of your ID to their system; the first person I contacted claimed it was required by law, which is a lie.  When I called her on it, she backed off and said it was policy.  Eventually gave me to a ‘supervisor’ who claimed it was to assure orders are legitimate, which is a joke….

You can see that some are greedier than others; so far the least invasive seems to be Blum.

Why should you care?  Name and DOB are PII (Personally Identifiable Information) prized by data thieves.  What can someone do with your name and DOB and the fact that you buy cannabis?

  • The medical industry commonly uses name and DOB; with those, someone can have full access to your medical history.
  • Some banks are still using name + DOB and address to identify customers (common at credit unions).
  • Some online services will allow you to reset your password with name and DOB.
  • Many court systems will give you arrest/criminal reports using just a name and DOB…
  • Name and DOB are powerful bits of information for social engineering attacks.
  • Blackmail by threatening to tell your employer that you purchase cannabis.
  • Threatening to turn you in to the feds as a dealer; ever seen what happens when they raid the wrong house?

That’s just a short list; the more PII a bad actor has, the more damage they can do.  Imagine what they can do with everything on your DL.  Say for example you have a motorcycle endorsement.  How could that be useful?  Imagine a call to one of your relatives claiming to be from a hospital: you’ve been in a motorcycle accident and they need a CC number to start treatment until they can verify your insurance.  These kinds of social engineering scams work very well; the more PII they have, the more effective the attack is.

If you think your information is safe, think about all the high profile breaches recently (Anthem/BlueCross, Home Depot, Target). I had one dispensary tell me that the data is safe because they are HIPAA compliant, er.. Anthem is HIPAA compliant and spends millions of dollars a year on security.  If I were a dispensary owner there is no way I’d want to collect this toxic information unless absolutely necessary.

The intent of the law is clear: recreational marijuana sales should be no more invasive than purchasing a beer.  A visual inspection of ID is all that’s necessary to establish that someone is 21+.  Hand over your ID at your own risk.   Data breaches are a common occurrence; why willingly increase the chance that your data is stolen?

Dec 07, 2017

I was considering buying a drone this year, so I did a little digging and found the DJI Go app requires these permissions:

Device & app history
  • retrieve running apps
  • read sensitive log data
  • find accounts on the device
  • add or remove accounts
  • find accounts on the device
  • approximate location (network-based)
  • precise location (GPS and network-based)
  • directly call phone numbers
  • read phone status and identity
  • access USB storage filesystem
  • read the contents of your USB storage
  • modify or delete the contents of your USB storage
  • read the contents of your USB storage
  • modify or delete the contents of your USB storage
  • take pictures and videos
  • record audio
Wi-Fi connection information
  • view Wi-Fi connections
Device ID & call information
  • read phone status and identity
  • Access download manager.
  • download files without notification
  • full license to interact across users
  • manage document storage
  • control media playback and metadata access
  • close other apps
  • view network connections
  • read battery statistics
  • pair with Bluetooth devices
  • access Bluetooth settings
  • send sticky broadcast
  • change system display settings
  • change network connectivity
  • connect and disconnect from Wi-Fi
  • control flashlight
  • full network access
  • close other apps
  • run at startup
  • draw over other apps
  • use accounts on the device
  • control vibration
  • prevent device from sleeping
  • modify system settings
  • add words to user-defined dictionary
  • Google Play license check
  • read Google service configuration

HOLY CRAP!  That is insane!  I’m not even going to cover this point by point; at a guess 80% of these permissions are unnecessary and 90% are massive security and privacy risks.  I don’t trust an app developer that can’t be bothered to manage permissions properly.
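The Play Store wording above hides which of these are the permissions that actually grant access to sensitive data or system-level capabilities. The script below is an added example, not anything from the blog or from DJI: it triages the output of `aapt dump permissions <app.apk>` (the Android SDK build tool) and flags the manifest permissions worth a second look. The aapt output lines, the sample app and its package name are constructed for the example; the permission names themselves are real Android constants.

```shell
#!/bin/sh
# Added example (not from the blog, not DJI's code): triage an app's
# requested permissions from "aapt dump permissions <app.apk>" output and
# flag those that reach sensitive data or system-level capabilities.
# The aapt output below is a constructed sample; both the newer
# name='...' line form and the older bare form are handled.

sample_aapt_output() {
    cat <<'EOF'
package: com.example.droneapp
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_LOGS'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: android.permission.GET_ACCOUNTS
uses-permission: android.permission.VIBRATE
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
EOF
}

# Permissions worth questioning in a consumer app: runtime "dangerous"
# ones plus a few signature/privileged ones ordinary apps should not need.
flagged_permissions() {
    cat <<'EOF'
android.permission.READ_LOGS sensitive-logs
android.permission.CALL_PHONE phone
android.permission.RECORD_AUDIO microphone
android.permission.CAMERA camera
android.permission.ACCESS_FINE_LOCATION location
android.permission.ACCESS_COARSE_LOCATION location
android.permission.GET_ACCOUNTS accounts
android.permission.READ_PHONE_STATE device-identity
android.permission.SYSTEM_ALERT_WINDOW draw-over-apps
android.permission.INTERACT_ACROSS_USERS_FULL cross-user
EOF
}

# extract_permissions < aapt-output : one android.permission.X name per line
extract_permissions() {
    sed -n 's/^uses-permission:.*\(android\.permission\.[A-Z_]*\).*$/\1/p'
}

# triage < aapt-output : prints "permission category" for each flagged
# permission, in manifest order, and nothing for harmless ones
triage() {
    extract_permissions | awk -v list="$(flagged_permissions)" '
        BEGIN {
            n = split(list, rows, "\n")
            for (i = 1; i <= n; i++) { split(rows[i], f, " "); cat[f[1]] = f[2] }
        }
        ($1 in cat) { print $1, cat[$1] }'
}

# count_flagged < aapt-output : number of flagged permissions
count_flagged() { triage | wc -l | tr -d ' '; }

# Stand-alone run on the constructed sample:
sample_aapt_output | triage
```

Against a real APK, pipe `aapt dump permissions app.apk | triage`. Extend `flagged_permissions` with whatever your own review policy cares about; the point is to get a short, categorized list you can compare with what the app plausibly needs, rather than the Play Store wall of text.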

Apr 11, 2017

I’m considering purchasing a ZOOM B3n bass effect processor; one of the nice features is the program that allows you to edit/load patches via a PC vs. having to do so on the device itself.   Being a security-minded geek, I downloaded the software and took a look.

After installation, the first thing it does is REQUIRE an active internet connection.  No explanation, and it’s not in the system requirements.  So after a little work with Wireshark and a little snooping around: it’s downloading files from www.zoom.co.jp and placing them in %USERPROFILE%\AppData\Local\ZOOM Guitar Lab.

This appears to be some poor attempt at providing auto-updating capabilities.  The first ‘conversation’ is via TLS; however, they do not appear to be authenticating the server certificate, AND the subsequent downloads (at least some) are happening via an HTTP connection and appear not to be signed.

Poison DNS servers and reverse engineer their server protocol (likely trivial), and you have an easy way to deploy anything to everyone who uses this software.

Maybe not a likely target; however, if you are concerned about your DAW being corrupted by malware, I’d suggest installing in a virtual machine as well as on your DAW.  Turn off updating in the installation on your DAW (in the Help menu, deselect “Notify when the new version of ZOOM Guitar Lab exists” and “Notify when the new version of firmware exists”).

Let it do its update on the virtual machine, then copy the VM’s %USERPROFILE%\AppData\Local\ZOOM Guitar Lab to the same folder on your DAW.  That should get you the updates without any bad stuff (unless bad stuff was installed in that folder, of course).
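The two failures called out above (server certificate not authenticated, update files fetched over plain HTTP with no signature) are exactly the checks an updater has to get right. The script below is an added example written for this post; it is not ZOOM’s code and says nothing about how Guitar Lab is actually built. It shows the shape of a sound update channel: the vendor signs a manifest of file hashes with a private key, the client carries the matching public key and refuses to install anything whose signature or hash does not verify. It assumes `openssl` and `sha256sum` are installed; the file names, directories and update content are constructed for the example.

```shell
#!/bin/sh
# Added example (not ZOOM's code): signed-manifest update verification.
# Vendor side signs a SHA-256 manifest; client side verifies the manifest
# signature against a pinned public key, then every file against the
# manifest. A spoofed server (poisoned DNS, plain HTTP) cannot produce a
# manifest the client accepts without the vendor's private key.
# Assumes openssl and GNU sha256sum. All names/paths are constructed.

# --- vendor side, at release time ---
# make_release DIR : writes a fake update file, its hash manifest, a
# signature over the manifest, and the public key the client pins.
make_release() {
    dir=$1
    mkdir -p "$dir/pub" "$dir/priv"
    printf 'patch data v1.0 (constructed)\n' > "$dir/pub/patches.bin"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/priv/vendor.key" 2>/dev/null
    openssl rsa -in "$dir/priv/vendor.key" -pubout \
        -out "$dir/pub/vendor.pub" 2>/dev/null
    # manifest lists relative names so the client can check in place
    ( cd "$dir/pub" && sha256sum patches.bin > manifest.sha256 )
    openssl dgst -sha256 -sign "$dir/priv/vendor.key" \
        -out "$dir/pub/manifest.sig" "$dir/pub/manifest.sha256"
}

# --- client side, after download ---
# verify_update PUBDIR PINNED_KEY : returns 0 only if the manifest
# signature checks out against the pinned key AND every listed file
# matches its recorded hash; returns 1 otherwise.
verify_update() {
    pubdir=$1
    key=$2
    # 1. manifest must be signed by the vendor key shipped with the client
    openssl dgst -sha256 -verify "$key" -signature "$pubdir/manifest.sig" \
        "$pubdir/manifest.sha256" >/dev/null 2>&1 || return 1
    # 2. every file must match the signed manifest (--strict rejects a
    #    malformed manifest rather than silently skipping lines)
    ( cd "$pubdir" && sha256sum -c --quiet --strict manifest.sha256 ) \
        >/dev/null 2>&1 || return 1
    return 0
}

# Stand-alone demonstration: a clean release verifies, a tampered one does not.
demo() {
    d=$(mktemp -d)
    make_release "$d"
    verify_update "$d/pub" "$d/pub/vendor.pub" && echo "clean release: OK"
    printf 'tampered\n' >> "$d/pub/patches.bin"
    verify_update "$d/pub" "$d/pub/vendor.pub" || echo "tampered release: rejected"
    rm -rf "$d"
}
```

Fetching the files is the other half: with curl, `--proto '=https'` refuses to follow anything but HTTPS and default certificate verification stays on (never `-k`). Note what the signature buys you that an HTTPS-only hash list does not: the pinned key means even a server that passes certificate checks cannot push a modified manifest, which is what the VM-and-copy workaround above is manually standing in for.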

Mar 29, 2017

As noted here, it’s likely that soon, if not already, you will not only be paying exorbitant monopoly rates for internet access; the ISP will also sell your web browsing history.

There are many ways you can protect yourself; TOR comes to mind, however the performance trade-offs are often not worth it.  Personally I block java/javascript, cookies, 40,000 or so domains, ads, and tracking sites, AND often pipe traffic through Privoxy and TOR.   These tactics assure that my ISP is not getting a complete picture.   However, all of this is a hassle, so my wife/guests/etc. are not likely to put up with it.

There’s another option: fill their database with so much garbage that it’s useless.  This will not defend against ISPs selling your data; however, if enough people shovel enough shit into the system the buyers will eventually realize the data is useless and stop buying.

Introducing Obfuscatron GIGO; this is a start.  I would love to see more people create more systems like this, run them all!  Fill their databases with garbage that is indistinguishable from real data!

If there’s enough interest I’ll keep enhancing this.  One idea I have is to provide a list of ZIP codes for the U.S. and allow URLs in the ‘seeds.txt’ list to contain placeholders like %ZIP% that the system replaces with a random ZIP code.  May be useful for weather and travel sites.

If you have any questions/concerns or would like source code, leave a comment here.

NOTE: this works best if you have a computer that’s on 24×7.  If your computer goes to sleep, so will this.  It’s likely still helpful, just a bit less so, due to leaking your PC’s active hours (which may reveal when you work, go to school, come home, etc.).

Mar 23, 2017

According to Ars Technica: https://arstechnica.com/tech-policy/2017/03/senate-votes-to-let-isps-sell-your-web-browsing-history-to-advertisers/

The fix is easy: obfuscate.  Fill their database with garbage that’s indistinguishable from real traffic.  For the do-it-yourselfer that is willing to accept some risk, running a TOR exit node would likely do the job.

For people who want a bit more control over the process, this is the official announcement for the Obfuscatron!  In short, it’s a Windows service (I’ll write a *nix daemon if there’s any demand) that will run in the background and generate very random web traffic.  The starting sources will be based on the Wikipedia random article function; however, from there it will go out to external links on the page.  You will also be able to control the user agent, as well as configure how aggressive it is.

Currently in very early alpha; I’ll be running a version of this locally over the next several days and refining as I go.  Expect an available beta version in a couple of weeks.

I can’t imagine how they’d be able to distinguish this traffic from user traffic, as long as it’s random enough and not just a constant stream of traffic going to a small set of sites.

Jan 08, 2016

This article keeps popping up (along with related articles).  The author, Mat Honan, jumps to conclusions not supported by the facts.  He makes claims such as “the way WE daisy chain accounts” being a problem; well, maybe HE does that (and I suspect a lot of users do as well).

His problem can be summed up easily.  He relied on his Apple account as a point of security.  Once that was compromised (easily, via a simple social engineering phone call) they could then take over his GMail account (because the author used his Apple email as an alternate address), and once in that account the bad guy had the ability to take over everything.

In an attempt to deflect blame from himself (and Apple) the author keeps repeating the same baseless assertion that passwords are bad and is now on a crusade to ‘kill’ passwords.  Mat Honan needs to grow up and accept responsibility for his own screw up and help people understand how to properly use passwords and properly secure online systems (as much as possible) rather than sowing FUD to protect his ego.

Main takeaway is never trust third parties who have no interest in securing your data with your ‘keys to the kingdom’.  There is no one set of rules that works or applies to everyone.  In my case (as an example) I have a yahoo account I use for non-sensitive sites (forums, online shopping sites where it NEVER stores CCs, etc.).  All of my banking and financial access credentials are linked with addresses that are highly secure (server controlled by myself or a trusted third party).  All of my secure passwords are the maximum complexity allowed and all are different.  This works for me.

People in general need to stop blaming technology when a failure is due to misuse (by themselves or others).

Jan 07, 2016

Someone posted a comment on an old article with a bunch of SEO-related rubbish and of course a link to a paid add-on for WP.  Search Engine Optimization doesn’t interest me in the least. It used to be possible to game search engines, and it still is to some extent; however, these tactics will backfire eventually.

A well written article in a good content management system stands on its own without any effort spent trying to trick or game search engines.  SEO is the refuge of bad writers and spammers only, don’t waste time on it.

Sep 18, 2015

Decided to give Allods another go; installed, and it came loaded with some crapware ‘gaming dashboard’ from my.com.  When I tried to uninstall, it claimed I’d not be able to play Allods if I uninstalled; when I confirmed, it tried to access the internet (which I denied) and blew up.  So I killed the task, deleted the files and then let Windows blow out the uninstall entry….

Shortcut to aogame.exe: no problem running without this crap..

All I can conclude is that it’s malware and serves no purpose at all…. kinda like nearly everything that wants to play ‘middle man’..

Aug 14, 2015

Thursday Malwarebytes reported on an ad server pushing malware via various exploits.

Checked my network and I’m already blocking adspirit.de at the router.  I have no idea why more people don’t do this; likely not all that many are running Linux-based routers or don’t have access. For those that do, here’s my simple script, which runs weekly:

#!/bin/sh
# weekly ad/malware host blocklist refresh for a dnsmasq router
set -e

mkdir -p /tmp/hostupdate
cd /tmp/hostupdate
wget http://winhelp2002.mvps.org/hosts.txt

# copy local host definitions into hosts file first
cp /etc/hosts.local /etc/hosts

# we only want the host lines, no local host or comments.
grep -vE 'localhost|#' hosts.txt > hosts.clean

# change to blackhole server
# (the substitution pattern did not survive in this copy of the post;
#  replace the two placeholders with the address used in hosts.txt and
#  the address of your own blackhole server)
sed 's/^<ADDRESS_IN_HOSTS_TXT>/<BLACKHOLE_IP>/' hosts.clean >> /etc/hosts

# cleanup
cd /etc
rm -Rf /tmp/hostupdate

/etc/init.d/dnsmasq restart

Because I have other blocks and static hosts, I have a hosts.local file in /etc/ that is added to the hosts file, and obviously this system is my DHCP and DNS server for my local network.  People could of course shoot themselves in the foot a variety of ways, mostly by using a hardcoded DNS; however, if someone wants to do that, so be it.
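The script above relies on a couple of things going right: the downloaded list having clean line endings, no inline comments on blocked-host lines, and loopback entries never ending up pointed at the blackhole. The following is an added example, not the blog’s own script, that does the same job as a set of functions you can test offline before putting them on a router: it normalizes a hosts-format list (CRLF endings, full-line and inline comments, blank lines, localhost/loopback lines) and assembles /etc/hosts from hosts.local plus the blocklist in one atomic write. The sample list, the stand-in hosts.local and the blackhole address 192.0.2.1 are all constructed for the example.

```shell
#!/bin/sh
# Added example (not the blog's script): build dnsmasq-ready blocklist
# lines from a downloaded hosts-format list and assemble /etc/hosts from
# the local static entries plus the blocklist. Sample data is constructed.

# Constructed sample in the style of a downloaded hosts.txt (CRLF endings,
# comments, loopback lines, one inline comment). Not the real MVPS file.
sample_blocklist() {
    printf '# sample hosts-format blocklist (constructed)\r\n'
    printf '127.0.0.1  localhost\r\n'
    printf '::1        localhost ip6-localhost\r\n'
    printf '0.0.0.0    ads.example.net   # inline comment\r\n'
    printf '0.0.0.0    tracker.example.org\r\n'
    printf '\r\n'
    printf '127.0.0.1  adspirit.example\r\n'
}

# Constructed stand-in for /etc/hosts.local (the router's own static hosts).
sample_local() {
    printf '127.0.0.1 localhost\n'
    printf '192.168.1.1 router.lan\n'
}

# clean_blocklist FILE BLACKHOLE_IP
# Prints "BLACKHOLE_IP hostname" for every blocked host: strips CR, drops
# comments and blank lines, keeps only the first hostname of each entry,
# and never rewrites localhost/loopback or broadcasthost entries.
clean_blocklist() {
    tr -d '\r' < "$1" \
    | sed 's/#.*$//' \
    | awk -v ip="$2" '
        NF >= 2 && $2 !~ /localhost/ && $2 != "broadcasthost" { print ip, $2 }'
}

# build_hosts LOCAL_FILE BLOCKLIST_FILE BLACKHOLE_IP DEST
# Writes DEST atomically (temp file + rename) so dnsmasq never reads a
# half-written hosts file: local static entries first, then the blocklist.
build_hosts() {
    tmp="$4.tmp.$$"
    cat "$1" > "$tmp"
    clean_blocklist "$2" "$3" >> "$tmp"
    mv "$tmp" "$4"
    # on the router this is where /etc/init.d/dnsmasq restart would follow
}

# count_blocked DEST LOCAL_FILE : number of blocklist lines DEST gained
count_blocked() {
    echo $(( $(wc -l < "$1") - $(wc -l < "$2") ))
}

# Stand-alone run on the constructed data:
demo() {
    d=$(mktemp -d)
    sample_blocklist > "$d/hosts.txt"
    sample_local > "$d/hosts.local"
    build_hosts "$d/hosts.local" "$d/hosts.txt" 192.0.2.1 "$d/hosts"
    cat "$d/hosts"
    rm -rf "$d"
}
```

On the router the call becomes `build_hosts /etc/hosts.local /tmp/hostupdate/hosts.txt <your blackhole address> /etc/hosts` followed by the dnsmasq restart. Keeping only `$2` means a line such as `127.0.0.1 ad.example.com www.ad.example.com` only blocks the first name; if the list you use relies on multiple names per line, loop over `$2..$NF` in the awk instead.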