Royce Eddington

Nothing to see here. Move along people.

Month: June 2014

A serious question to the NSA about Snowden and master passwords

If anybody from the NSA reads this, I have a serious question.

Have you all scanned what Snowden stole/liberated (whatever floats your boat) for government backdoor and/or “master password” references? Were there any government backdoor and/or “master password” references stored in the systems he had access to?

OK, in English now… for a long time there have been rumors of backdoor and/or “master passwords” for all computer systems. With a certain password for a certain system, an “authorized” person could get full access.

There really are “master passwords” currently in place for PC BIOS systems, all vehicle-embedded systems, and even on all iPhones. (Seriously. It’s not a secret that “alpine” works for full SSH access on all iPhones.)

To make things even more interesting, since 1984 there have been ways to put backdoor and/or “master passwords” into compilers so not even programmers who make applications on their own would know such a backdoor and/or “master password” was put into the app they just created.

Cool, huh?

You do need a specialized program to access each of these systems, sometimes you also need local access to the device, and most of the Google-able backdoor and/or “master passwords” that show up are for things like maintenance and root-level hijinks, not “watch what people are doing live” kinds of things.

Regardless, I would bet there’s just a few backdoor and/or “master passwords” reserved for the government that are already embedded in some critical systems. I would also bet with the right password combination, a “watch what people are doing live” kind of thing could be set up with no problem.

All theoretically, of course.

Snowden stole/liberated somewhere between “too much” and “oh dear God” levels of data from the NSA. Now all that data was classified information. Communications. Transfers. Notes. Reports. Stuff not meant to see the light of day for some reason or other (justified or not).

I’m thinking things like this were in the pile of data…

  • Senator John Doe thinks Ambassador Moe Howard has a funny haircut, smells bad and isn’t too smart. This should remain classified because we need to make nice with Ambassador Howard for now, but if it got out, no big deal. Doe and Howard could work it out over a golf game and some scotch.
  • Senator John Doe is on the top secret Kinetic Intelligent Satellite Striker (KISS) committee – well, that’s bad, but not world-ending. There’s not much hard proof about this project, the locations are all buttoned down, and there’s nothing other countries can act on directly.
  • Senator John Doe used the password “BOHONKUS” to access files from a Dell Latitude E5430 system on an ambassador’s laptop from a country currently designated as “hostile”.

That last one? Clearly naming the government backdoor and/or “master password” for a specific system and purpose?

If that gets out, it can be used by ANYONE. Anywhere. Anytime. You can kiss EVERYTHING that backdoor and/or “master password” is embedded in goodbye forever.

Plan on everyone using that backdoor password, and by everyone I mean especially…

  • The Chinese “we’re not hackers – we’re just curious” brigade
  • Russia
  • North Korea
  • ISIS
  • Bored Americans

As an extra bonus, there’s no resetting a backdoor and/or “master password” on most embedded systems without local “hands on” access. No way to erase it. No way to change it. No way to block it.

I don’t know if Snowden would or would not release something like this if he found it in his data pile, but I guarantee a hostile government with access to this information would use it without question.

Which brings me back around to my question for the NSA.

Has the NSA scanned what Snowden stole/liberated for government backdoor and/or “master password” references? Were there any government backdoor and/or “master password” references stored in the systems Snowden had access to?

Finally, if there are backdoor and/or “master password” references in the pile of data Snowden has, what is the worst case scenario if a hostile entity uses this password to access the system(s) it is embedded in?

It’s going to be a terrible thing to admit to the U.S., but if there is a backdoor and/or “master password” reference of any kind in Snowden’s data pile, we need to do something about it right now.

The alternative would be far, FAR worse.

Any compromised systems for private citizens or commercial businesses would need to be updated as soon as possible.

Any compromised military systems would need to be taken offline IMMEDIATELY and kept out of active service until they have all been secured.

And NSA, going forward, if you’re going to ignore that “unreasonable search and something or other” part of the Constitution and put in backdoor and/or “master passwords” on some systems, please install VERY secure backdoor and/or “master passwords” that require multi-factor authentication that can be changed or be deleted if necessary.

The back door needs to be more secure than the front door.

At the bare minimum, I suggest a DIFFERENT password for different series of devices and/or software with something like a random key fob authentication system for each.

For example…

  • The backdoor password for Dell laptops model A with serial numbers 00001-10500 would be DWW-TATANKA.BUFFALO synced to key fob series ALPHA-9.
  • The backdoor password for Dell laptops model G with serial numbers 00001-10500 would be CJLP-TEA.EARL.GREY.HOT synced to key fob series ALPHA-3.
  • The backdoor password for accessing everything the “Angry Birds” app sends to the NSA would be HONEY-WHERE.IS.MY.SUPER.SUIT synced to key fob series BETA-111.
  • Etc.

Make a different password string for each manufacturer’s series and each manufacturer’s model numbers. Tie all of that into a version of a key fob multi-factor authentication generator for final access.

After this update, to access a system’s backdoor, you would not only need the “master password” embedded in the device, you would also need the randomly synced password that would be generated on the key fob to proceed.

Worst case – if a master backdoor password is compromised or stolen by a future Snowden, it would be useless in and of itself without the key fob generator to finish “opening the door” and it would only be valid on a limited set of systems. If both a master backdoor password and its correlating key fob system were compromised, you would only risk access to a limited series of systems.
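The scoping idea above, sketched as an added example that is not part of the original post: a static credential tied to one device series, plus a time-based one-time code (RFC 6238 TOTP standing in for the key fob), with a revocation flag so a leaked credential can be killed. The registry layout, function names and fob secrets are assumptions made for illustration; the passwords and fob series are the post's own examples.

```python
import hashlib, hmac, os, struct

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the rolling code a key fob would display."""
    mac = hmac.new(secret, struct.pack(">Q", int(at // step)), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def _pw_hash(password: str, salt: bytes) -> bytes:
    # Store a salted, slow hash of the static password, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_series(model, first, last, password, fob_secret):
    salt = os.urandom(16)
    return {"model": model, "serials": range(first, last + 1), "salt": salt,
            "pw": _pw_hash(password, salt), "fob": fob_secret, "revoked": False}

# Constructed registry. Passwords and fob series come from the post's examples;
# the fob secrets are made-up sample values.
REGISTRY = [
    make_series("A", 1, 10500, "DWW-TATANKA.BUFFALO", b"sample-secret-ALPHA-9"),
    make_series("G", 1, 10500, "CJLP-TEA.EARL.GREY.HOT", b"sample-secret-ALPHA-3"),
]

def authorize(model: str, serial: int, password: str, code: str, now: float) -> bool:
    """Grant access only if the device is in a live series AND both factors match."""
    rec = next((r for r in REGISTRY
                if r["model"] == model and serial in r["serials"]), None)
    if rec is None or rec["revoked"]:
        return False
    pw_ok = hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["pw"])
    # Accept the current 30 s window and one either side for fob clock drift.
    code_ok = any(hmac.compare_digest(code.encode(), totp(rec["fob"], now + d).encode())
                  for d in (-30, 0, 30))
    return pw_ok and code_ok

if __name__ == "__main__":
    t = 1_400_000_000  # constructed timestamp
    good = totp(b"sample-secret-ALPHA-9", t)
    print(authorize("A", 42, "DWW-TATANKA.BUFFALO", good, t))  # both factors present
    print(authorize("A", 42, "DWW-TATANKA.BUFFALO", "", t))    # leaked password, no fob
    print(authorize("G", 42, "DWW-TATANKA.BUFFALO", good, t))  # credential from another series
```

Setting a record's `revoked` flag to `True` models the "changed or deleted if necessary" requirement: the leaked pair stops working without touching any other series.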

That’s the minimum recommended civil-rights violations per serving. Seriously. No more single word passwords for an entire warehouse of systems or for all software made with compiler X.

I know there’s insanely more complex ways of implementing backdoor access, but depending on the “audience” using the backdoor passwords, the NSA guys need to keep it accessible by the non-tech-savant crowd and reasonably quick as well.

Systems from the 80s, 90s and 2000 era are still out there. Applications built and modified on top of existing systems in this time period are legion. Only the NSA knows if there’s really such a thing as backdoor single-word-passwords and where they might be installed.

To quote Forrest Gump, “that’s all I got to say about that.”

Now back to silly cat photos, already in progress.

Courting a disaster with open-door immigration

I saw an article in the New York Times titled “Migrants Flow, As Do Rumors, In South Texas” (see the article scan following my rant).

I don’t think anyone has mentioned a massive problem with how this is playing out right now.

Since there is “no specific plan to monitor compliance” for those illegally crossing over the border, what is to stop an Al-Qaeda, ISIS or other terrorist agent with intent to harm the US from crossing into the US completely undetected and dispersing into America once they are released with their free “bus ticket to travel where they have relatives in the country”?

Humanitarian care must be provided for those that need it, and the current immigration policy desperately needs streamlining, but there must also be an accounting for every individual who crosses over during this de-facto open-door immigration policy.

Failure to do so is courting a national security disaster.


Migrants Flow NYT article


EDIT: Corrected ISS to ISIS

Somebody didn’t do their market research [PHOTO]

Whoever decided to try and sell something named KuKui near Mexico has either (a) never done any market research in their life or (b) has a particularly vicious sense of humor.

KuKui photo


For the rest of the world that has no idea what a KuKui is, it’s a very famous folktale monster told to misbehaving kids around Mexico. “You better behave, or the KuKui will get you!”

The closest thing to a KuKui in the US is the “boogeyman”, but saying “you better behave, or the boogeyman will get you” isn’t even close to the kind of terror mentioning a KuKui can bring.

You know, now that I’m thinking about it, maybe I should have bought a bottle. For research purposes, of course.

GM seems to be racing toward something else

So if I understood everything correctly from the article in the 6/12 Wall Street Journal titled “Lawyers Race GM to find black boxes”…

* GM executives ordered their engineers to secretly change a core vehicle component for new vehicles after they discovered its critical failure rate, but did not disclose this critical failure rate on existing vehicles to the public or to the NHTSA.

* GM executives are currently ordering their employees and persons in their employ to search and recover evidence (“black boxes”) from multiple mortal accidents, but apparently are not returning this evidence to the accident victims or to the NHTSA.

* GM executives refused to allow the full disclosure of the data content of those “black boxes” involved in mortal accidents to the NHTSA until February of this year.

An organized activity sanctioned by upper management to obscure and withhold evidence? Evidence that could potentially tie the multiple deaths of individuals to the permissive knowledge that upper managers have?

Has GM ever heard of RICO?
