Explainer

My wife read my article on passwords and “got it”. Which is nice. I was attempting to explain how password crackers use rule sets to modify input dictionaries to create more guesses from a single word list.

I decided to see how much things have advanced. To say I was shocked would be an understatement.

In 2013, the game “Battlefield” was hacked and the entire password database was captured.

This is not the major security threat you might instantly leap to, but it is bad.

Stealing Passwords

I worked in the Systems Group at my University. We were tasked with all software maintenance, installations, upgrades, and in house improvements to the operating system.

The systems group had taken the original manufacturer’s operating system and extended it to the point where it was no longer the same operating system. Having done this, we gave back all the code we had written to the manufacturer, who incorporated what they liked into their next release.

We had developed a long term backup plan. This plan was three tiered. We took daily backups of the entire file system. This was a rolling tape backup. There were 30 days of daily backups performed before the first tape was overwritten.

We also performed weekly backups. There were 52 weeks of weekly backups. So a total of 82 backup sets.

In addition to this, we did end of term backups. These were done just after the term ended. These tapes were kept.

What this meant was that if your file were to live for at least 24 hours, you would be able to recover to any particular day in the past 5 weeks of your file.

If your file were to exist over a weekend, you could recover that file to how it was on the weekend it was dumped for the past year. And if your file were to exist over the term break, it would exist for the lifetime of the storage. 9 track tapes now being dead, I’m not sure what the University did to preserve those old tapes.

In addition to these backups, we took a separate backup of the “password” file once a day. There were 30+ days of password file backups.

That is the setup. The actual story:

We used to give tours of the machine room. The operators enjoyed bragging about the quality of our backup system.

One of these tours, a little monster took one of the password backup tapes and put it in his backpack. He walked out of the machine room with that tape. Nobody noticed the missing tape for the next 30 days.

Said monster took that tape over to the engineering department, where they had their own 9 track tape drives. He read in the file.

He was presented with 10s of thousands of clear text passwords.

This had financial implications because we sold computer time.

We changed our policy to always encrypt the password file before it was written to tape. I have no idea if that encryption standard was any better than Sunday comic page ciphers.

No more Plain Text Passwords

The number of times somebody in a movie has gotten the idiot to give them somebody else’s password is astronomical. The truth is that most passwords are stored in an “encrypted” format. We don’t have access to your password.

We can reset your password, but we can’t tell you what it is because that isn’t recorded.

At the university, they were still storing passwords in plain text. They only encrypted the password when it was written to tape.

Modern systems store that password in an encrypted format. The old method was what is called “descrypt”.

The first two characters of the encrypted password is the “salt” and the rest is the DES hash of the password. This is NOT the same as encrypting your password with a secret and then being able to decrypt it with that same secret. Instead, we use your password to encrypt a given, known, piece of text. The encrypted result is what is stored.

When you provide your password, we encrypt the same text string with your password. If the resulting text matches what we have stored, you have proven you know the password.

Here are a couple of hashed passwords: SD2PFyBHY1oUY, q5M9nJsU/JSwI, sTd5NrAIMrisU, 8MbLuguRAeo92, $1$OcbNKu2y$l9faj.aCWodfonXiSlgnV0, $1$hh765lOJ$lrZ4jkCtUkG3qPBuFJQ/2., $5$2W0fdlfY.a/iXErF$xbzHcX8CfPc89vJkxsiC/BjDmqxI20Yk.Vj9OLL/6e2, and $5$HxfQ9B30d8GdmyPo$J6FWaeGKSez2cLbw3cktvaYgPvsTFaXdMzYp4yDcQjD.

These are all hashes of the same password, “hello world!”

Slow Them Down

Storing passwords in plain text is stupid. But computers are faster than you think. Thus, we want to slow down the speed at which computers can make guesses.

We do this by using a salt.

Consider the situation where you had 74,577,451,608 guesses you wanted to try. If you were to create the hash for each of those guesses, it might take you a bit of time. In the end, you would have them all. Now it is only seconds to look up the hash in a database/file and get the plaintext password used to generate that hash.

To fight this, we use the salt. The salt modifies the hashing process such that for any given password, there are many possible hashes to represent that password.

As shown above, even when using the same “hashing algorithm” we got many results.

This is to slow the guessing of passwords down.

And the results

In 2013, the game “battlefield” was cracked. They escaped with around a 1/4 million password hashes. These are not clear text, you can’t just type them into an account and get in, they are still “protected”.

I used a starting source of 184,000 known passwords. To this, I added an American and a British word list. I didn’t bother to get name lists for a total of 282,000 unique test words.

In the simplest case, with no salt applied, that is 184,000 * 282,000 different combinations to test.

In 2 minutes and 50 seconds, on my medium GPU and medium CPU, we tested 74,577,451,608 different passwords against 282,546 password hashes.

We were able to guess 7.30% of the passwords, or, 30943 passwords.

That is more than enough to make money.

And you can see how bad they can be.

What we are talking about is “authentication.” Authentication is the method of confirming that you are who you say you are.

There are three methods to determine authentication:

1. Something only you know
2. Something only you have
3. Something unique about you

In the old days, when people carried checkbooks with them and wrote checks for things, you would be asked to prove your identity before you could use a check. Proving your identity was a process where a person would first authenticate your identification card, and then they would verify that the identification card matched you.

A state issued identification card will have different aspects about it that should make identifying fakes easier for the trained person. In the those olden days, they would often have your Driver’s License number be a SoundEx of your last name. SoundEx was a simple encoding method that could be generated from a name.

If the SoundEx didn’t match the DL number, it was a fake.

For the most part, people trusted DLs. They were relatively difficult to fake, and it was often easy to spot fakes.

This is an example of something you have, your DL, and something unique about you. Your picture and description.

Computer Authentication

Computers authenticate you with the use of two pieces of information, the first is your “name”. The second is your password.

Your name can be an email address or a username. While the pair, username and password, are required, only the password is a secret. Or should be a secret.

In a perfect world, this would be good enough. In this imperfect world, see Password Security/Password Managers

We will assume that your password is strong and will not be cracked in this century.

What we want to protect against is people stealing your username and password. Be that by phishing or by tricking you, or by lifting your keyboard to read your password on a PostIt note.

We need to improve our overall security posture by adding something besides “something only you know” to the equation.

Biometrics

This is just a fancy word for something unique about you. What you look like. What you sound like. What the patterns of ridges on your fingers look like. What the blood vessels in your eye look like. These are things that are unique about you.

The super fancy eye scanner in NCIS is a myth. While it might actually work in practice, it will be expensive and is only part of the equation.

Fingerprint scanners are a joke. Facial recognition has more downsides than positives. And don’t have a sore throat if you are using vocal recognition.

Most low-cost fingerprint scanners don’t do a good job. They scan something they think is a fingerprint on a finger. That scan is processed and turned into a series of identified markers. That is turned into some sort of “value”. That value is what is actually compared and authenticates.

To reduce false negatives, these scanners often do a poor job of discriminating. They are also fairly weak at detecting live vs. Memorex.

Finally, if you have a fingerprint scanner or some other sort of biometric authenticator, bad actors can forcibly use your body to unlock your stuff.

It is far too common of an occurrence to have customs or law enforcement hold your finger to your phone’s scanner to unlock your phone. Don’t use biometrics to secure your devices. Oh, currently the courts find this to be legal and not a violation of your civil rights.

This takes use too:

Security Devices

A security device is a device that only you have that can communicate with other devices to help authenticate you.

Notice it is a helper, it is not the be all, end all.

The most common security device in use today is a mobile or cell phone.

The assumption is that you are the person holding your phone and that your phone can only be unlocked by you. This means that they can send you a text message, and you will have to unlock your phone to get the code they sent.

Except… Often the code is visible even when the phone is locked. The phone might be unlocked for other reasons. Or somebody cloned your phone and is getting the same SMS messages that you are.

In addition to that, some people have their devices configured to read messages to them. Or worse, they have configured their phones to read messages on command.

My favorite example of this was when I was working on a female friend’s car. She had a new boy and they were texting hot and heavy. Every time she received a new message, her phone would announce “To hear the message say “read message”.

At one point her phone announced, and I spoke up, “read message”.

She ran when her phone started to read the message out loud. It was just as spicy as I expected.

While the phone is very convent, it isn’t very secure.

Still, phones can be used as an authenticator.

This is a magic pseudo random number generator. The authenticator reads a seed from the remote device and attaches it to a particular site or device.

The two can generate the same pseudo random number at any point in time, based on the shared seed.

The site requests you provide the code from the authenticator. You unlock your phone, run the authenticator, find the correct device, copy the code from your phone to your computer to log in.

It is a fairly cheap and easy method and requires very little extra.

A number of my clients use this type of authenticator, and WordPress/WordFence does as well. It is an acceptable option if your phone is kept locked.

Better still, turn on extra security. The authenticator I use allows me to set a PIN for the application. Without the PIN, something only I know, the authenticator will not run.

Security Tokens

These supply a different form of security. They are designed to prove to a remote system, or local, that you have something that is unique.

A key.

One type of security token generates is a physical rendition of the phone authenticator. The one that I used required me to enter a PIN. It did not matter what PIN you entered, it generated numbers. If you entered the numbers from a correct PIN, you were logged in. If you entered the numbers from an incorrect PIN, the system would alert administrators or security, depending on how it was configured.

In other words, the system administrators and security personal could set them up to provide “panic” or “distress” codes.

Mine didn’t have that feature. If I put the wrong code in I couldn’t log in. Guess I wasn’t that important in the grand scheme of things.

Which takes me to my favorite authentication key, the YubiKey.

This is a small device, about the size of a thumb drive, but much thinner.

They have USB-A or USB-C connectors and some have NFC capabilities. They are small enough and light enough that I carry one of them attached to my key ring, along with a magic USB drive that contains a working version of Linux.

When properly configured, when a website needs a 2FA action, it will request that you insert the device. A small LED flashes, you touch the LED and the flashing stops. Some magic happens, and the website confirms that you have the right device.

If you have the NFC version, you can just tap the key to the back of your phone to accomplish the same thing as plugging it into a device.

In general, you should have two of them. Just in case you lose one.

Conclusion

Two-Factor Authentication adds a significant improvement to your security stance. They can almost completely stop phishing attacks.

Even if you are tricked into providing your credentials to a phishing website, when they attempt to use those credentials, they do not have the second factor to complete the authentication process.

Using your phone as your security device isn’t as strong as an authenticator. Using an authenticator application on your phone, is.

Combine these with a good password manager and you have a strong, secure system.

Until you find that the bad guys just ignore all that authentication stuff and took your computers.

Password Security

There are four ways of cracking a password.

1. Guess the password
2. Brute Force the password
3. Go around the password authentication
4. Trick the password from the owner

If your password is easy to guess, then it is a weak password. Examples of weak passwords are: password, 1234, YOUR_NAME, BIRTHDAYS. Many things use a four digit PIN. When guessing them, the best place to start is the set of numbers between 1950 and 2005, followed by 1930-1949, and 2006-2024. Years of importance to you.

Brute force is when you try all possible passwords. Back in the days of the TRS-80, there was a password on some part of the operating system. I wrote a simple brute force cracker for it.

Once it was running, my host and I got ready to go to dinner. Before we got out the door, the program stopped.

I assumed the program failed. Turned out that the password was so weak, three or four characters long, that it only took a few minutes to try all the passwords to that point.

Going around a password is sometimes easier than it should be. People don’t bother to log out. When I was visiting my father, I sat down at his computer. It was unlocked. I was able to “be” him if I had wished. I didn’t have to bother with a password.

There is an entire industry devoted to tricking people into handing over their passwords. It is so bad that it has its name, “phishing”.

And anybody can get caught in the net. I was caught just once. My wife’s school was phished, hard. The entire school got an email that looked legitimate from an administrator for the district. Her account then automatically sent it to me because I was in her address book.

I opened because it was from my wife. It had a good subject line. It looked legit.

It didn’t do anything to me because I run Linux, but it caused a great deal of damage to the school district.

Besides phishing, there is looking for the passwords that people have written down.

Again, using my father, the password for my mother’s computer was written on a PostIt note stuck to the inside of her laptop.

There is no need to guess, force or phish when the password is just given to you.

The Balancing Act

It is rather oxymoronic that the harder it is to remember a password, the harder it is to crack the password. If your password is “happyfaces” it might be easy to remember, but it is also easy to guess.

On the other hand, “wynt>Otchib5” is difficult to remember and difficult to guess. The password generator I used gave that to me as “wynt-GREATER_THAN-Otch-ib-FIVE” as how I might pronounce it and remember it. Still, it isn’t going to work

When passwords get too difficult to remember, people need to write them down. You would be amazed at the number of personal, and business, computers which have a file named “passwords”. People write them down.

The other thing that happens is that people remember one “good” password, then use it over and over again. If they ever lose that password, they lose access to everything, or the bad hat gets access to everything.

Many people think they will be tricky and use character substitution. Instead of “password” they write, “p@55w0rd”, and think they are clever. They aren’t.

There is a scene in Schindler’s List where they have just cleared the ghetto. Now they are searching for hidden Jews. The German’s come in, and they know where to look. They are experts at finding people. They’ve done this before. They know all the hiding places.

If you think you have found something clever that will make your password “unguessable”, you are mistaken.

Long Passwords Are Better(?)

Let’s assume that you are going to use a password that can’t be guessed easily. This leaves the brute force method.

This is a matter of mathematics. The larger the symbol set, the better. Longer passwords are better.

Consider a four digit pin, there are 10,000 possible PINs. As a password, that sucks.

But if we increase the symbol set to digits and letters, we get a slightly better result: 36^4 = 1,679,616. Still not strong.

But let’s say you go all out and have a symbol set of all ASCII printable tokens. There are 128 ASCII tokens, of which 94 are printable. This gives us 81,450,625 different passwords. Which still sucks, but it is getting better.

Now, let’s just make the password longer, call it 8 characters, at that point our results would be: 6,634,204,312,890,625. This is a strong password. Unfortunately, it is likely to be nearly impossible to remember.

My default is 12 characters.

Creating Strong Passwords You Can Remember

When we go back to that original statement, “The larger the symbol set, the better.” What if I told you that there is a symbol set of approximately 100,000 symbols, that you already know?

That symbol set is the set of all common English words.

What we would like to see is a number near 6 Quadrillion. With a symbol set of 100,000 words, 3 words give you 1 Quadrillion and four words give you 118,495,929,354,657,605,136.

This doesn’t consider word separators or case. Here is one such random password, “farm particularly wild refer”. If you modify the spaces to be different characters, or capitalize some letters, even if it only the first letter, you get even better results.

So what’s the problem? The issue is that it doesn’t look like a strong password. Many password checkers will see that long password and reject it because it doesn’t have special characters.

For me, a programmer, I can put together a simple program, take the string above, feed it into sha256sum to get 256 bits of pseudo noise. Extracting the printable characters, I get “dLuxo8x’H54MBd”

Now I have a good password I can remember, which can be used to generate a password which the rest of the world will accept as strong.

Password Managers

Password managers are supposed to fix much of this. They exist to store your passwords in a “secure” form, which you can then extract when needed. In addition, they will generate strong passwords for you to use.

I, personally, use four password managers and have used a fifth.

The first, most people are aware of, is the password manager built into your browser. I use Firefox and Chrome, so those are two password managers. My Linux system has another password manager built in. Finally, I use “Keeper” and have used “Last Pass”.

I love Keeper, I pay for the version I use, but there might be a free version. For me, it is worth it. One of the reasons it is worth it to me, is that with the paid version I can share access to password folders or individual passwords.

I never liked “LastPass” but I can’t say why. I do know they were cracked within the last few years. Because of their security model, when they were cracked, the bad guys extracted all the passwords.

Keeper stores all passwords encrypted. Only you have the decryption key. Thus, if they were to lose everything, they would not expose your passwords.

The browser managers are there because I was using them before Keeper. I’m slowly phasing them out.

I’m also looking into a self-hosted version of a password manager. I have not decided on which one, if any, I will try.

Chicken and Egg

The problem with all password managers is that there is a single point of failure. That is the password to access your password manager.

Which takes us back to “Long passwords work better”. Generate a random four – word password, I used xkcd Password Generator but you can just open a physical dictionary and randomly select four words.

Memorize those four words. Then you can use that as your master password.

Make the move to a good password manager. Use one that distrusts the government.

Two Factor Authentication

I need to look at my articles to see if one already exists, if it doesn’t, I’ll write something up.

In general, people are idiots. In groups, they have a combined IQ of less than 70 and the common sense of a three year old.

Daniel Penny is a US Marine who stepped up and protected the people on the subway. He held a homeless, violent, man until the man could be arrested.

He was then interrogated for hours without a lawyer because the police interrogating him established a relationship, by being an ex-marine.

It is often said that there is no such thing as an ex-marine or a former marine. You are a marine for life. There are exceptions, the cop who interrogated Daniel Penny is an ex-marine.

Having charged and arrested this hero, they are now trying to screw him over, yet again.

Prosecutors have wide latitude in what they charge. One of the standard tricks is to bring multiple charges for the same crime, over charging at least one.

Humans like to think they are being fair and reasonable. One of the oldest and most famous instances of this is when a man was taken before a Roman Governor to be “sentenced” for claiming to be a king above Caesar.

The Governor refused to kill the man, instead sentencing him to be whipped. Even though I’ve found nothing wrong with him, he still had the man flogged. When the mob insisted he be put to death, the Governor replied, I told you — he’s not guilty! I find no reason to condemn him..

The complete tale can be found in John 19:1-25.

In other words, to appease people, an innocent man was flogged.

Prosecutors overcharge in expectations that the jury will often find the accused not guilty of the most serious charge, but to appease the prosecutor, will find the accused guilty of the lesser charge.

They can go home, secure in the knowledge that they didn’t sentence a man to 20-life but only 5 to 10. (made up numbers).

Not really internalizing that 5 to 10 is still too much for an innocent person.

The Jury deadlocked. Some members of the jury found that Daniel was not guilty of second-degree manslaughter, some insisting that he was. When they reported a deadlock, the judge charged them to work harder.

The prosecutor then did Daniel a dirty. He requested that the second-degree manslaughter charge be dismissed.

Why is this dirty pool?

If the Judge accepts the motion to dismiss the second-degree manslaughter charge, then the deadlock goes away. If the deadlock goes away, then the jury will have to deliberate over the second charge of criminally negligent homicide.

Human nature will make it easier for the jury to return a guilty verdict on the lessor charge.

The judge should have declared a mistrial. Instead, he accepted the motion to dismiss. He released the jury until Monday.

On Monday, they will start deliberation on the second charge.

I hope that they deadlock on the second charge as well.

I wish this were easy. It isn’t.

At issue is the number of people claiming that Donald Trump is a convicted felon.

Like most things legal, the answer is never simple. The reason is that many laws have internal definitions that do not match the definitions in other parts of the law. And there is the use of the common vernacular.

First, the common vernacular, and the language used by the court, is that a person is convicted when they have been adjudicated guilty. This is when the jury returns a guilty verdict or a judge, in a bench trial, finds a person guilty. This also applies to certain pleadings of the defendant, such as a pleading of guilty or nolo contendere plea.

By this definition, Hunter Biden and Donald Trump are both convicted felons.

Second, in some places in the U.S.C., they define “convicted” to mean when found guilty, when sentenced, or both. 41 USC § 8101(a)(3) uses this definition. Chapter 81 of 41 USC is the chapter on a drug-free workplace.

In other words, the definition of convicted, when talking about a drug-free workplace, uses the “when found guilty”.

The Kicker

The Criminal Resource Manual (CRM) has the following:

So what does this mean?

In my NON-lawyer opinion? Donald Trump is a convicted felon who is seeking reversal on appeal. Until he is sentenced, he is not convicted per international law.

In addition, the judgement is currently stayed, pending the outcome of the appeal.

Hunter Biden is a convicted felon who has been pardoned.

Monday, I had an opportunity to visit the SIG Academy/SIG Experience Center.

In the late 70s, I had a chance to visit NYC for the first time. That feeling of awe, looking up at the skyscrapers. Trying hard not to have pidgin droppings fall into our open mouths.

That is sort of how I felt walking into the building. I spent a long time in the museum portion of the building. I was surprised at the lack of firearms from the 1700 and 1800 hundreds. Starting in the 1900s, they had a presence.

One of the people who worked there was willing to discuss the things that are coming out of SIG for the military. One of the coolest is their short stroke piston operated rifles. Using a new caliber, they are getting good velocity out of shorter barrels.

I want one of those belt feed rifles. They might be out of my price range.

Part of the coolness factor is that with the dual action bars with the short stroke piston, they don’t need buffer tubes. This allows for true folding stocks. Or, something that was just FUD sick.

They took this beautiful action and shoved it into a plastic “hunting” rifle. No pistol grip. No buffer tube. It doesn’t look like an AR platform in any way, unless you shove a 30 round magazine into it.

I’m hoping for a version is 7.62×521(Win .308). That would be a nice rifle. No scaring the mundanes, packs a punch, light weight and reliable.

Unfortunately, I got to looking at the display case full of pistols…

Wouldn’t you know it, a cute little black guy followed me home.

Now, I’m a firm believer in my 1911s. I love the feel of them. I love shooting them. They are tack drivers.

I think I’ve found a new love. The P365 x macro.

This guy fits my hand perfectly. It doesn’t point exactly like the 1911s, but close enough. The grip size is perfect, if it wasn’t, you just replace the back strap. The gun comes with three different back straps.

The one I took home has an external safety, this is to standardize my manual of arms.

On Tuesday, I went to the range and put rounds down range. FUN!!!

I have three plates set up. 1/4 torso behind a round gong and a 1/2 torso to the side. One of my drills is to hit the head of the target hiding behind the gong, then hitting the 1/2 torso to the side, then back again.

With 17 rounds in the magazine, the grip wasn’t double stack wide. It performed admirably. From first to last round, it was consistently ringing steel.

The only downside is the magazines. You will want to use the loading tool to help load the magazine. Even with the tool, getting rounds 14 through 17 into the magazine was a pain. In some ways, it reminds me of loading the M3 grease gun magazines. Heavy springs to push those rounds reliably all the way.

The other thing is that I don’t like the bright orange followers in the magazines. I haven’t looked, but I’m pretty sure I can find replacement followers.

Now for the next bit of coolness, this thing has a drop in FCU. It is the FCU that is the registered firearm. This means that you can pay once for the FCU, then have multiple frames that you can put the FCU into.

Want a sub compact? Buy the frame, barrel, and magazines, you are good to go.

Want a full size? Buy the frame, barrel, and (maybe?) magazines, you are good to go.

I am going to add more SIGs to my collection.

Two is one, one is none. Have more.

During the dark days before Heller, the rogue inferior courts, like the Ninth Circuit, came to the consensus that the phrase “a well regulated militia” was more indicative of who had the right to keep and bear arms than “the right of the people”.

The result of this piece of stupidity was that we, The People, could not challenge a law based on the Second Amendment. We had no standing.

The federal courts can only address active controversy for the people affected for which they can grant relief. You cannot go to the court and have them decide on which color is best. Nor can you challenge many government regulations, even if they are known to be bad. You have no bone in the fight. No skin in the fight.

The courts have long ruled that being a taxpayer does not grant you the right to challenge the government.

Heller says that the Second Amendment applies to the people

Yes, it does. The Court did a fantastic job of driving a spike through the heart of that bit of sophistry in Heller, ⁣ but that doesn’t mean that the inferior courts haven’t found other things they can twist.

That idea, that the only “people” that had standing to make a Second Amendment challenge were the Militia. That private Militias are banned in many states. The only “legal” militia is the National Guard. The state controls the National Guard. The only people that can challenge state infringements on Second Amendment grounds was the state.

What Part of the Constitution Authorizes the Department of Education?

When the Supreme Court issued their opinion in Missing citations for GVSH6ITR the Federal Government has used the 14th Amendment to justify prosecuting legally sanctioned discrimination.

The issue is that the Federal Government’s lust for power caused them to overstep “…to correct for persistently unequal access to resources…” Missing citations for T29JHW7B. This is all the justification they really needed to create the Department of Education.

You and I can look at this and agree that the Department of Education is not authorized under our Constitution. What can you, or I, do about it.

You would think we could run to the courts and file a lawsuit to stop the law. It doesn’t work that way.

You have not suffered a distinct and palpable injury. You would have paid taxes regardless of the law, and the only injury you, or I can point to is our tax dollars being miss-spent.

Most of the requirements that the DoE places on the state are stated in terms of getting or not getting money.

A few years ago, the school board was hearing a request to raise the price of school meals for students. There was no need to raise the price of the meals. The costs were still covered by what the students were paying.

They were required to raise prices to maintain compliance with a DoE “free lunches” program. Under the program, the schools are allowed to purchase food from the government at a significant savings.

If we had ditched the program, the cost of school meals would have gone up more than what the program required.

The board was forced to raise prices so that they could continue to offer lower priced school meals. You can’t make this stuff up.

Who has standing?

Let’s say that on day one, Trump uses Obama’s pen and phone methodology and shuts down the Department of Education. The DoE answers to the executive. He decides how the laws are enforced and carried out.

You are no longer having your money taken to give to failing schools, that will never succeed. You don’t get to keep any more of your money, that’s still going to be taken away.

But somebody is now being injured. All the people who are no longer getting the beautiful DoE money have been injured by the executive order.

This means that they have standing to file a lawsuit in federal court.

Which means the government can now argue that the DoE violates the Constitution. The plaintiffs (people wanting money from the federal government), have to argue how the Constitution authorizes the transfer of wealth to them.

Reading the plain text of the Constitution and the 14th Amendment, we can see that education is not mentioned in the Constitution, as amended.

At the first step, the plaintiffs lose. If we presume, without finding, that it is constitutionally authorized, the plaintiffs need to show a match to this Nation’s historical tradition of education regulations.

That fails as well.

In the question of Anchor Babies, the same is true. As soon as Trump says “no more anchor babies”, somebody will sue. Then it can go through the court system. During that process, they will find that the Supreme Court has already decided the question of Anchor Babies with Missing citations for NUR4L367

In other words, if the child is not subject to the jurisdiction of the United States, it is not a citizen of the United States. Welping your child on American soil does not make your child a citizen of the United States.

Life is going to get interesting, in a good way.

Blackmail is a nasty thing. It is about exposing secrets. If you don’t give me what I want, I will expose your dirty little secret.

When you look at American traitors, spying for our advisories, you find that most, if not all of them, were bought off for dirt cheap.

What would happen is that the traitor would decide they needed something, generally money. They then tried to sell the information they had. They were offered very little for the information. Then they were blackmailed for having sold the information.

Blackmail is normally about hiding dirty little secrets.

Back when I had a security clearance, they were concerned about several things. Can you keep your mouth shut? Can you be blackmailed? Can you be bought?

When I was in debt, I explained that I was in debt and that my country was worth more to me than money ever could be. I showed that I had been paying my debt down and that I was not hurting financially. For that level of clearance, that was enough.

At another time, there was a personal issue. I went to my boss and told him the personal issue. I told my parents. When security asked about the personal issue, I could easily show that I couldn’t be blackmailed by it because I had told my boss, my parents, and them.

The gist of this is that if you can’t be embarrassed by your actions, you can’t be blackmailed by a dirty little secret.

History

My first wife was an expert in emotional blackmail. When we got married, I was informed that she had had her cat for longer than she had known me and that I would go before she would let go of the cat.

In other words, a cat was more important to her than the person she had just sworn to love.

I am allergic to most fur bearing critters. Cats in particular. My allergies started off bad, they are impossible now. Because we lived with a cat.

The most common refrain that still echos through my head was, “If you don’t do X, I’m going to leave.”

It was used over and over, again.

One night, I spent a long time talking to my father at a bar. This was unusual because mom was the emotional rock, not dad. Plus, we had never done it before, we didn’t do it again after.

I left that conversation and returned to the hotel room where my wife and kids were. I was more relaxed than I had been in years. I had come to the decision that I wasn’t going to be emotionally blackmailed anymore.

When we returned home, it was just about like normal. Until the day she said, “If you don’t do X, I’m going to leave.”

My reply rocked her to her soul and a bit further, “Ok, there’s the door.”

Our life became more of a partnership until her abuse became too much and I left.

Just what is “emotional blackmail”

It is anytime you attempt to control somebody with threats that engender strong emotional responses.

The person who is threatening to commit suicide is using emotional suicide. The person who withholds love unless you do your chores. The person who threatens to leave you if you don’t give them money.

All of these are emotional blackmail.

Peer pressure is a type of emotional blackmail. When you feel like you will be ostracized if you don’t go along with your peers.

Having that feeling of belonging is incredibly powerful. Loosing it is even more powerful.

This is how you get teenagers to submit to being “jumped in”. Being jumped in for males is generally allowing other peer members beat the shit out of you. For women, it is often submitting to being gang raped.

That desire for membership in a peer group, or gang, can be that strong.

The Left and Emotional Blackmail

We are seeing large numbers of leftists resorting to emotional blackmail.

• You are dead to me if you voted for Trump.
• The 4Bs. No sex with men, no children, no dating men, no marriage with men
• Withholding sex until Trump is out of office
• Divorce or threats of divorce
• Excommunicating people from the peer group.
• Dissolving friendships
• Blue “friendship” bracelet. If you don’t have it, you aren’t a friend.

Conclusion

The only way to deal with emotional blackmail is a strong “fuck off, I don’t care.” Yes, that might cost some friends. They might come to their sense later. For now, don’t let them blackmail you.

There are two parts to access control, the first is authentication, the second is authorization.

Authentication is the process of proving you are who you claim to be.

There are three ways to prove you are who you say you are, something you know, something you have, or something about you.

When you hand your driver’s license to the police officer at a traffic stop, you are authenticating yourself. You are using two-factor authentication. The first part is that you have that particular physical license in your possession. The second is that the picture on the ID matches you.

After the officer matches you to the ID you provided, he then proceeds to authenticate the ID. Does it have all the security markings? Does the picture on the DL match the picture that his in-car computer provides to him? Does the description on the DL match the image on the card?

He will then determine if you are authorized to drive. He does this by checking with a trusted source that the ID that he holds is not suspended.

People Are Stupid

While you are brilliant, all those other people are stupid.

So consider this scenario. Somebody claims that they can read your palm and figure things out about you. Your favorite uncle on your mother’s side of the family is Bill Jones. You laugh and reply, you got that wrong, James Fillmore is my favorite uncle.

So, one of the more common security questions to recover a password is “What is your mother’s maiden name?” Do you think that the person who just guessed your favorite uncle incorrectly might do better at guessing your mother’s maiden name?

It was assumed that only you know that information. The fact is that the information is out there, it just takes a bit of digging.

The HR department at a client that I used to work for liked to announce people’s birthdays, to make them feel good.

She announced my birthday over the group chat. I went into her office and explained that she had just violated my privacy.

The next time you are at the doctor’s office, consider what they use to authenticate you. “What is your name and date of birth?”

I lie every time some website asks for my date of birth, unless it is required for official reasons.

Finally, people like to pick PINs and codes that they can remember. And they use things that match what they remember. What is a four-digit number that is easy for most people to remember? The year of their birth.

You do not want to know how many people use their year of birth for their ATM PIN.

In addition, it is easy to fool people into giving you their password. We call that phishing today. But it is the case that many people will read that their account has been compromised and rush to fix it. Often by clicking on the link in the provided e-mail.

A few years back, I was dealing with a creditor. They have a requirement to not give out information. A blind call asking me to authenticate myself to them. I refused. I made them give me the name of their company as well as their extension and employ number.

I then looked up the company on the web. Verified that the site had been in existence for multiple years. Verified with multiple sources what their main number was. Then called the main number and asked to be connected to the representative.

Did this properly authenticate her? Not really, but it did allow us to move forward until we had cross authenticated each other.

Biometrics

If you have watched NCIS, they have a magic gizmo on the outside of the secure room. To gain access, the cop looks into the retina scanner. The scanner verifies that pattern it scans with what is on record and, if you are authorized, unlocks the door.

Older shows and movies used palm scanners or fingerprint scanners. The number of movies in which the MacGuffin is the somebody taking a body part or a person to by-pass biometric scanners is in the 1000s, if not higher.

So let’s say that you are using a biometric to unlock your phone. Be it a face scan or a fingerprint scan.

The bad guys (or the cops) have you and your phone. While they cannot force you to give up your password, they can certainly hold the phone up to your face to unlock it. Or forcibly use your finger to unlock it.

Biometrics are not at the point where I would trust them. Certainly, not cheap biometric scanners.

It Doesn’t Look Good

We need to protect people from themselves. We can’t trust biometrics. That leaves “something they have”.

When you go to open unlock your car, you might use a key fob. Press the button and the car unlocks. That is something you have, and it is what is used to authenticate you. Your car knows that when you authenticate with your key fob, you are authorized to request that the doors be unlocked.

If you are old school, and still use a physical key to unlock your home, the lock in your door uses an inverse pattern to authenticate the key that you possess. It knows that anybody who has that key is authorized to unlock the door.

Since people might bypass the lock or make an unauthorized duplicate of your key, you might add two-factor authentication. Not only do they have to have something in their possession, they must all know the secret code for the alarm.

Two-Factor Authentication

Two-Factor authentication is about providing you with something that only you possess. You need to be able to prove that you have control of that object and that the answer cannot be replayed.

Consider you are coming back from patrol. You reach the gate and the sentry calls out “thunder”. You are supposed to reply with “dance”. You have now authenticated and can proceed.

The bad guy now walks up. The sentry calls out “thunder”. The bad guy repeats what you said, “dance”. And the bad guy now walks through the gate.

This is a “replay” attack. Any time a bad guy can repeat back something that intercepted to gain authentication, you have a feeble authentication.

The first authenticator that I used was a chip on a card. It was the size of a credit card, you were expected to carry it with you. When you tried to log in, you were prompted for a number from the card. The card had a numeric keypad. You input your PIN. The card printed a number. That number was only good for a short time.

You entered that number as your password, and you were authenticated.

There were no magic radios. Bluetooth didn’t exist. Wi-Fi was still years in the future. And it worked even if you were 100s of miles away, logging in over a telnet session or a dial-up modem.

How?

Each card had a unique serial number and a very accurate clock. The time of day was combined with the serial number and your pin to create a number. The computer also knew the time, accurately. When you provided the number, it could run a magic algorithm and verify that the number came from the card with that serial number.

One of the keys to computer security is that we don’t store keys in a recoverable format. Instead, we store cryptographic hashes of your password. We apply the same hash to the password/pass phrase you provided us and then compare that to the stored hash. If they match, the password is correct. There is no known methods for going from the hash to the plaintext password.

That security card had some other features. It could be programmed to have a self-destruct PIN, or an alert PIN, or a self-destruct after too many PIN entries in a given amount of time.

When it self-destructed, it just changed an internal number, so the numbers generated would never again be correct. If the alert PIN was set up, using the generated number would inform the computer that the PIN was given under duress. The security policies would determine what happened next.

Today, we started to see simple two-factor authentication. “We sent a text to your phone, enter the number you received.” “We emailed the account on record, read and click on the link.”

These depend on you having control of your email account or your phone. And that nobody is capable of intercepting the SMS text.

A slightly more sophisticated method is a push alert to an app on your phone. This method requires radio communications with your phone app. The site requesting you to authenticate transmits a code to your phone app. Your phone app then gives you a code to give to the site. Thus, authenticating you.

There are other pieces of magic involved in these. It isn’t a simple number, there is a bunch of math/cryptology involved.

Another method is using your phone to replace the card described above.

I authenticate to my phone to prove I’m authorized to run the authenticator application. There is a 6-digit number I have to transcribe to the website within 10 seconds. After 10 seconds, a new number appears.

I’ve not looked into all the options available, it just works.

The cool thing about that authenticator, is that it works, even if all the radios in my phone are off.

Finally, there are security keys. This is what I prefer.

I need to put the key into the USB port. The key and the website exchange information. I press the button on the security key, and I’m authenticated.

Another version requires me to type a passphrase to unlock the key before it will authenticate to the remote site.

Conclusion

If you have an option, set up two-factor authentication. Be it an authenticator app on your phone or a Yubico security key. It will help protect you from stupids.

The Heller opinion clearly stated that the right to keep and bear arms was an individual right. That was the holding.

To get to that decision, the Supreme Court did their standard analysis. First, is the plain text of the Constitution implicated by the proposed conduct? Second, what is this nation’s historical tradition of regulation in this area?

Can I call a politician stupid? The congress might create a bill that makes it illegal to make ad hominem attacks on politicians. The president could sign that bill into law. I could then be arrested for violating that law.

That doesn’t mean that the law is constitutional. Regardless of what the congress might have said while contemplating the bill, claiming that “hate speech isn’t free speech”. The law must be evaluated in light of those two questions, is the plain text implicated and what is the history of regulation regarding speech.

Looking at the constitution, before the Bill of Rights, there is nothing in the enumerated powers granted to the State that authorizes them to limit speech. Thus, the law is unconstitutional. The state would argue that “promote the general welfare” authorizes them to make the law.

We can go a step further, we can look at the amendments.

Here we have a more clearly defined restriction on the authority of the state, Congress shall make no law … abridging the freedom of speech, or of the press. The conduct at hand, making speech, implicates the plain text of the First Amendment. It then becomes the state’s burden to prove a historical tradition of regulating speech.

The state cannot find historical regulations restricting speech because it is mean; therefore, the law is unconstitutional.

The Supreme Court used the same methodology when deciding Heller. They first looked to see if the plain text was implicated. That required them to analyze the language of the Second Amendment.

Knowing the games that the circuit courts had been playing, they defined almost all the words. They used dictionaries from the time. They used dictionaries from multiple sources. Plus, they compared the words as used at the time.

This was part of dicta. Some inferior courts understand dicta and follow the guidance of the Supreme Court. Others do their best to twist the words. Often the inferior courts are more interested in what the Supreme Court didn’t say than in what they did say. Frequently, the inferior courts will say something like, “The Supreme Court didn’t say that 2+2=4, they said that 2+3=5. Since they didn’t tell us what 2+2 equals, we will just have to do our best.” Then proceed to hide a divide by zero to get an answer that says that 2+2=3.1415, getting pi in the face later when their opinion is vacated.

After establishing that the plain text covered the proposed conduct, the Supreme Court moves to the next stage, looking at this nation’s historical tradition of firearms regulation. In that historical analysis, they found that there were no laws that were analogous to a weapon ban, unless the weapon was both dangerous and unusual.

The Case at Hand

Barnett v. Raoul is a challenge to the PICA passed in Illinois. The People originally sought a preliminary injunction. They got it from Judge McGlynn. The state then appealed to the Seventh Circuit court. There, the administrative panel consolidated the case with other challenges to PICA. They stayed the preliminary injunction, allowing the law to stay in effect. They denied the requests for a preliminary injunction from the other parties and put the case to the merits panel.

This was not unexpected. The Admin panel had both Judge Easterbrook and Judge Woods on it. Both are statist and have often ruled against The People. Judge Easterbrook is most famous for having been overturned in McDonald v. Chicago.

Amazingly, the Merits panel had the same three judge panel as the original administrative panel. The circuit court heard the case quickly. They were under scrutiny by the Supreme Court.

The Supreme Court had denied cert in a different case, with Justice Thomas writing that if the case was delayed for the plaintiffs (good guys) to petition for rite of cert. again.

Having heard the case, the merits panel sat on their opinion. The Second and Fourth were sitting on their opinions as well. Most of the Second Amendment cases were locked in, waiting for the Circuit Courts to issue an opinion.

The Seventh Circuit was the first to issue their opinion. First, they found that they were not guilty of the two-step shuffle. That they had always been faithfully applying text and history. Because they were using text and history before Bruen, their earlier work was still good case law.

That case law found that the plaintiffs had not proved that “assault weapons” were arms under the plain text of the Second Amendment.

They remanded the cases back to continue the process.

Judge McGlynn did not allow any delay tactics. His case was argued on September 16th, 17th, 18th and 19th of 2024.

It is now time for the Court to analyze the briefings and testimony to determine the facts of the case and to reach conclusions of law.

Both parties will submit their proposed findings of fact and conclusions of law. This is what they want the court to find/agree with.

On October 21st, the state of Illinois submitted their brief. There are 3585 pages, 58 exhibits, 2 attachments and an appendix.

Some facts are just that facts. They are easy to verify and check the veracity of. Others are opinions stated as facts.

The state says that PICA was enacted after July 4th. This is true and a fact. They identify that particular July 4th as the 4th of July when an asshole shot and killed 7 people.

It is not relevant to the Constitution that the shooting took place. Nor that the bill was enacted before or after that date. But it is a fact.

The state also wants the court to agree that the shooter used an AR-15 rifle and a 30 round magazine to kill 7 and would 48 people that July. Again, a fact but not relevant. The state then repeats that PICA was enacted after July 4th.

A more important date was the date when Bruen issued.

Here is an example of an opinion, dressed up like a fact.

Is the AR-15 a semiautomatic version of a firearm specifically designed for the military? Yes and no.

The AR-10 was a select fire weapon that Armalite designed for military sales. The AR-15 was a redesign, also for the military, using the lighter 5.56×45 cartridge. The original AR-15 was field tested in Vietnam, as the AR-15. The design was adopted and standardized as the M-16.

A new product was developed by Colt for the civilian market. It used the same name, AR-15. The differences were to make it capable of semi-automatic fire only. The simplest modification was the removal of the select fire control group and not drilling the hole for the auto-sear.

The early AR-15 SP1s out of Colt were M-16s without an auto-sear and with the hole for the auto-sear missing.

What is the state’s goal?

The state wants the district court to find that the weapons and magazines banned by PICA are not arms, as defined by the Seventh Circuit court.

To accomplish this, they need to have the court find that AR-15s and the ilk are really modifications of the M-16/M-4 platform.

The real trick in this that it is the plaintiff’s burden to prove that something is an arm protected by the plain text. The state does not carry that burden.

This is the difference between presumed innocent and presumed guilty.

Regardless of anything that happens in Judge McGlynn’s court, PICA will stay in effect for the foreseeable future.

It is likely that Judge McGlynn will issue his opinion with a short administrative stay to allow the state to appeal.

The Seventh Circuit administrative panel will issue a stay pending the merit panel issuing their opinion.

If the merit panel finds for the plaintiffs, the state will seek a rehearing en bloc. This will take time.

If the merit panel finds for the state, I hope the plaintiffs file a petition for certiorari with the Supreme Court.

It is likely that the Seventh Circuit will actually hold the case until the Snope case is decided by the Supreme Court.

Regardless, cases are starting to move again.