Computers and Internet

The Darkweb and 3D Guns

The shorter story: 

We published the original Darknet paper in 2001. The paper initially caused a huge stir in a few very small places, which Timothy B. Lee captures well in this excellent article.

Everybody is suddenly freaking out about 3D printed guns, so I just updated our original paper to make the 3D gun and darknet connection more clear: The Darkweb and the Future of Gun Control.

The longer story: 

Back in 2001 I started thinking about what’s next for the Darknet, and 3D printed guns looked pretty obvious to me. I talked about this, wrote about it and generally sounded the alarm for the following decade (recall that this was WAY BACK in the early 2000s so there weren’t that many places to sound an alarm, and even fewer people who cared).

In 2013, 3D printed guns were finally “here”: First via Cody Wilson’s near-deathtrap of a .380 which he (bravely) made using consumer-grade 3D printing, and then later in the year in a much safer, more powerful and far more expensive all-metal 1911.

After doing the Darknet and the Future of Everything talk for Gov 2.0, I said I was done talking about it. You can’t roll your eyes at me anymore! Ha! SO THERE! ALL DONE!

However very recently there’s been a broad public freak out over 3D printed guns. It’s been 5 years since I said I was *done* talking about this stuff and now half of the news stories I am hearing are all about it. So I guess maybe I’m really not done after all.

Here’s why I think this story is mostly about the darknet, and not 3D printing nor guns:

In 2013 Wilson immediately put the files for his gun on the internet where they were downloaded 100K times before being taken down. However those files have clearly been “darknetted” as they have been showing up in different parts of the internet ever since.

What about the 1911 pistol files? There are many copies of 1911 design files on the internet. The underlying technical drawings used to build those files have been in the public domain for nearly 100 years and are all over the place. For nearly a century, those drawings haven’t been usable by anyone except skilled machinists, so they were “safe” (kind of like how locks used to be safe).

The drawing below shows the exact dimensions and tolerances – everything actually needed – to make what the US legally calls an actual firearm. There are about 50 parts in a 1911 pistol, but only one of them is legally a gun, and that’s the receiver, which is drawn below. Note that the date of the file is 1936.

Can I take this drawing and feed it into a 3D printer? Of course not… yet. Not YET. 3D printers *currently* need data described to them in very specific ways. However it’s extremely easy to assume that within 10 years (perhaps less than 5) we will be able to take this exact photo and print out the resulting “gun”, because that’s how technology works. It keeps getting better. 1911 Receiver

Seventeen years ago we showed, in a peer-reviewed scientific paper that has withstood rigorous and ongoing investigation and citation, that you can’t effectively control the distribution of desirable data. 3D printable gun files are clearly going to be desirable enough to be subject to being darknetted. Any responses or reactions to this fact must take this into account.

Excerpt from The Darkweb and the Future of Gun Control:

ANY PHYSICAL OBJECT THAT CAN BE REPRESENTED AND DISTRIBUTED AS DIGITAL DATA SHOULD BE CONSIDERED A FULL BENEFICIARY OF THE CONCLUSIONS OF THIS PAPER. 3D PRINTED GUNS START OUT AS DATA. They are then rendered (which is to say, made usable in the analog universe) in a 3D printer. They are no different from music, books or movies. If you want to freak out about things that still haven’t quite happened yet imagine the future of CRISPR and drug recombination, which is also just digital information that is rendered through a “printer”. Add nano-explosives, autonomous drones, diseases, bacteria, viruses, DNA, “fake news” and porn face swapping. Anything that can be data will be darknetted. 

Computers and Internet, Security

Here’s How It Will Go Down

5 years from now…

…in the middle of a hostage crisis…

…during heated trade negotiations…

…at the brink of global war…

…there will be a critical member of the US delegation – we’ll call him Chuck. Chuck is an ex-Marine and will have been a civil servant for nearly 20 years, working his way up thru various positions as a trusted and capable man.

Chuck will get a phone call. It will list as being from someone he hasn’t talked to for over 20 years, a very old friend. He will answer the phone, and on the other line will be a man’s voice, speaking perfect, unaccented English.

“Chuck, we know about the thing you used to do. We know that you told your wife, and that you went to couples therapy about it. But we also know that you never told your children, you never told your parents, and you never told the foursome – all of you Marines – you play golf with every Tuesday. If you don’t want them to know then we need you to do something for us. It’s not a bad thing – we know you’re considering it as an option in your internal discussions. All we want is for you to choose a specific, entirely reasonable option. We will never call you again to ask you to do anything, and no matter what you will never hear from us directly again. We just need this one thing. We just need you to…”

…order your SEAL team to kill the terrorists instead of question them.

…change the wording of section 7.c. from “shall” to “may“.

…tell the President you think the Russians should be given the territory they’ve gained so far.

There are over 4 million Chuck’s working for the US now. They are great employees, fine citizens and honorable men and women. Many of them have secrets that were previously only known by trusted employees of the US government.

Somebody else somewhere else now knows ALL of these secrets. They now have the power to do this thousands or even millions of times.

OPM Hack

Computers and Internet

What is your Hat Trick? The Magicians Hat – a Parable

Edwardian_top_hatThere once was a brilliant young man who longed to be a great magician. He toiled and researched and tried the mundane and the uncanny. Eventually, almost by accident (although those who looked back at him slways attributed it to his genius) he discovered the most amazing trick. When he held up his top hat and spun his wand around the inside of it three times while chanting a magical incantation, money would come shooting out of the hat. Real money!

This trick became the highlight of his shows and he always ended with it. He would hand some of the money out to people in the audience to prove it was real and they would come from miles around and wait in the rain for a chance to watch one of his breathtaking shows.

As all people do, he became old, so he began to teach his oldest daughter how to be a great magician so she could carry on the family business. His daughter was a great student and followed everything he did exactly to the letter. She begged to learn the Hat Trick but he demurred, thinking she wasn’t yet ready for such greatness.

But eventually – on his death bed – he relented and taught her the trick. He was adamant that it could only work on stage, in front of people, and only when you shared the money. She didn’t understand and asked “but papa! – how does the money get into the hat in the first place?!?”. He opened his mouth to answer, but before he could tell her the answer, he died.

The first night she did the Hat Trick on her own she was terrified – she was the Daughter of the Great Sardini! If this trick didn’t work then her whole act would be at risk. But to her relief the trick worked, and it seemed that maybe it worked even better than it had worked for her father. The money shot out of the hat like it had been launched from a cannon, fluttering down onto the audience and the stage to everyone’s delight.

Soon the Daughter of the Great Sardini stepped out from her father’s aura and took on the name Odessa, Mistress of the Macabre. Her acts were sold out everywhere she went and kings and emperors, queens and divas all sought her out. She was the greatest of living magicians.

As all people do, she became old, so she began to teach her youngest son (her oldest had become a lawyer) how to be a great magician so he could carry on the family business. Worried she wouldn’t have time to teach him everything she started much earlier than her father had. Her youngest son was also a great student and as she had, begged to learn the Hat Trick. She also demurred, thinking the lad precocious (he was almost half as old as she had been when she learned it!) and not yet ready. Her son, frustrated by not being able to take on the trick right away, studied what she did on stage, seeking to copy everything she did exactly so that he might uncover the secret to the trick and be able to do it himself.

But then tragedy struck – in the middle of a huge tour across Europe, Odessa was suddenly killed in an accident, and she had yet to tell her youngest son how to do the Hat Trick! He decided to take on her shows anyways, and just omit the Hat Trick. But the audience would have none of that. They screamed and yelled and almost stormed the stage, and so near the end of a particularly disastrous run of shows he did the trick out of total desperation, and it worked.

The audience was delighted – such great showmanship, they all said! The papers the next day immediately said it was the best version of the Hat Trick they had ever seen, and other magicians were suddenly envious of a man they had come to dismiss as a pale imitator to his great mother. This son clearly was also a force to be reckoned with.

The act now always ended with the son – now called Orlando, Mystical Money Machine – pretending he wouldn’t do the trick. He started to believe that he was actually doing magic! It was all so easy. 

The way you made money was just by doing the trick! 

Hat Trick, money. 

Hat Trick, money. 

Hat Trick, money.
One day, after a particularly hard show in a new town none of the family had ever been to, the Hat Trick actually DIDN’T WORK. Not at all. He thought that the had done it exactly right but nothing came out. Panicked he fled the stage as the crowd erupted, nearly setting the entire town ablaze.

By now the hat was frayed and the lacquer on the wand had been completely worn off. Perhaps he needed a new hat and wand? But these were THE hat and THE wand that had always worked! Maybe he said the words wrong? But no, they were the words he had always said. Unsure of what to do, the next night when it didn’t work again, he just tried over and over again as quickly as he could, before the crowd could overwhelm the stage and tear him apart.

After a few tries the Hat Trick worked. Orlando was relieved! He just needed to keep trying the Hat Trick and eventually it would work.

This continued, with the Hat Trick failing more and more often. Eventually Orlando had to try it so many times each night it took up over half the show. The hat became so worn that it was nearly rags, the wand a thin stick where once it had been a solid rod. He no longer sold out the largest venues and wasn’t invited to visit world leaders. Orlando’s Ted talk was quietly relegated to an archive and after that, a boilerplate “file not found” error. But he still could secure decent venues – not the best, but still good box office.

As all people do, he became old, so he came to his middle daughter to teach her (his oldest had become an entrepreneur and his youngest was traveling the world jumping off of buildings) how to be a great magician so she could carry on the family business. 

She was a very practical girl, and she said “Pops, you need to tell me how the Hat Trick works. Our numbers have been consistently down for the past 11 quarters and without that trick, I’m not sure we should keep going.”

He told her that yes, the new customer numbers were down and growth was stagnant at best, but the business was still making tremendous amounts of money off of repeat customers. Some of them had been to shows given by Odessa, or even Sardini when they were children. The family business was still profitable. 

They argued and argued. It soon became apparent to the daughter that her father was not just being proud – he was also afraid. He was hiding something from her. Finally she confronted him:

“Pops, if you won’t tell me how the Hat Trick works, I’m going to scrap it and try something different. Other acts are doing different stuff and we have a lot of great infrastructure, so I’m going to look into other things. Aerials maybe, or dance. Perhaps comedy, or a cooking competition. Something we know that people want and which we can learn how to do.”

Finally, he relented. With his own last dying breath, he told her his secret of the Hat Trick: “I have no idea how it actually works. I just stand on stage, do what your grandma did and hope that the money will come out.”

If you work for a wildly successful organization then chances are you work for (or are) one of the people above.

What is your Hat Trick?

Do you know how it actually works?

Computers and Internet

The Katyushas Little Sister

The Soviets were fond of multi-tube rocket launchers in WWII. They called them the Katyusha and the design persists to this day. They didn’t invent it – I believe that honor goes hundreds of years back to the Chinese – but they really turned it into a weapons system. As we see in the Middle East, they have never been able to hit the broad side of a barn, although they might scare half the cows to death anyway.

katushaWhy use them at all? They are an incredibly cheap and easily deployed way to get payload down field. Not remotely accurate but again very cheap and your truck driver can, in a pinch, serve as your firing team. “Yes Petrovich, I know the rest of the team is dead, but all you have to do is drive somewhere over there (pointing at map drawn in blood on a table in a bombed out cafe) point tubes up and towards Germany, and push button. Is piece of cake. All of our people over there are probably dead anyway! So what are you worried about! Shoot rockets, come back!”

Basic Soviet battle doctrine can be summed up as “why use 10 when 100 might work better?”. If you put enough explosives into the air then some of them will accidentally kill people you want to kill and destroy things that you want to destroy.

Enter the plucky little GBU-39B, a small bomb that is the antithesis of the Katyusha. It’s relatively small (50ish lb payload) so 6 of them can be carried INSIDE a Joint Strike Fighter. It has wings and a bunch of electronics allowing it to glide down and hit things with pinpoint accuracy. How pinpoint, I hear you ask?

SDB testingSDB testingNow engineers at Boeing and SAAB are partnering on what can be described as the smart kid sister of the Katyusha. They are taking the GBU-39B, gluing an existing off0the-shelf rocket motor to its butt and packaging it up so that it can be fired from the M270A1, which is a multi-tube launch vehicle that is already on the ground all over the world. The M270A1 has for the most part been a lot like the Katyusha and has even been nicknamed the GSRS, which stands for Grid Square Removal System because it can cover an entire 1 Km sqaure with grenades (of which several hundred probably won’t explode right away, which is bad).

So what will this new munition do? It will give the M270A1 12 guided bombs that can each be independently precisely targeted (no more hail marys) at ranges of up to 75+ Km. It’s a giant mobile battery firing pinpoint explosives, which among other things is good for civilian populations that aren’t all already dead.

Here’s the Janes take on this new system:

Computers and Internet

Another BitLocker Exploit?

The simple answer is “no“.

We knew (and modeled, and tested) DPA back when we were testing BitLocker. As readers of this blog know we also tested Freon attacks, dual ported memory, tempest attacks and going after the root itself. (And other tests! Many, many tests. I had an extremely enthusiastic team in the “let’s break all the things!” department.)

Of course if you can get the root keys out of the TPM you can bork the root – that kinda goes without saying, right? As in, duh? I can’t fault the paper writers for using BitLocker for PR for their paper – after all, what other solutions are as successful and secure as BitLocker? It sounds like they did some great work. But it’s so not new news. It’s a decade old fact.

If you worry about this attack then you should use a TPM that is DPA resistant – historically there hasn’t been much money in building higher security TPMs. I saw some extremely robust TPM designs as far back as 2002 but they cost more money and the exploits weren’t there yet so the vendors couldn’t charge for them.

If this attack becomes common then I hope that vendors will respond and build more secure TPMs.

Computers and Internet

We said 1 Gb? We meant 1.5 Mb…

Last summer CenturyLink announced that my  Beacon Hill neighborhood will have 1 Gb Ethernet service. Beacon Hill was considered to be particularly important. 

I just tried to sign up for service, and the best (and ONLY) service level available is “up to 1.5 Mbps”. Other places in the world with this kind of service include, uhm. NOWHERE. 

Centurylink don’t even admit in their online speed comparison that this service level exists: 

I talked to their new accounts department and they confirmed that 1.5 Mbps is all that’s available and they weren’t able to give me any  idea of when they’d offer something better. 

You got the PR, Centurylink. How about following thru? 

Computers and Internet

Modern Heirlooms

Son: what’s this, pops?

Father: you’ve been looking at the family moments, I see. 

Son: yep – what’s this? Is it jewelry? It doesn’t seem to do anything… 

Father: your grandpa gave that to me when I closed my first big sale! It’s an Apple Watch. 

Son: Apple? 

Father: they were a famous company back in the day! Made all sorts of stuff – cars, houses, airplanes… 

Son: so how do I turn this “watch” on? 

Father: you don’t, unfortunately. They had a very slow leak in the firmware garbage collector and when it finally wiped out the memspace, Apple had cancelled support for it

Son: but can’t you just hack it? 

Father: Apple didn’t publish their firmware interfaces… 

Son: what? Seriously? Isn’t that against the law?!? 

Father: well it is *now*, but that was a different age… 

Son: why don’t you sell it? 

Father: it’s only worth a little bit. Now that the oceans catalyst mining is up and running, we’re practically swimming in gold. 

Son: so Grandpa was a sucker? 

Father: it was just a different age, son. Now go reboot your brother, it’s time for school.