Friday Morning: Afro-Cuban Coffee

I should just dedicate Fridays to different genres of jazz. Today feels like a good day for Afro-Cuban jazz.

This chap, Francisco Raúl Gutiérrez Grillo, who performed under the name Machito with his Afro-Cubans, was an incredibly important innovator shaping Afro-Cuban jazz as well as modern American music. He was important to race in the music industry as well, as his Afro-Cubans may have been the first multi-racial band.

I’m brewing some Café Bustelo before I bust out my dancing shoes. ¡Vámonos!

Judge applies ‘Parkinson’s Law’ to VW emissions cheat case
You know the adage, “work expands so as to fill the time available for its completion”? U.S. District Court Judge Charles Breyer gave Volkswagen 30 days to come up with a fix* for all the passenger diesel cars that cheated emissions standards in the class action lawsuits he oversees in San Francisco. Gotta love this:

“It’s an ongoing harm that has to be addressed … I’ve found the process is a function of how much time people have available to fill. The story about lawyers is that if you give them a year to do something, it will take them a year to do something. If you give them 30 days to do something, they’ll do something in 30 days.”

As time passes, vehicle owners are increasingly damaged as no one wants to buy their cars and their investment is lost. Hence the aggressive time limit.

* Caution: that link to SFGate may autoplay video and ad content. Really, SFGate? That’s such hideously bad form.

Rough road ahead in Saudi Arabia to a post-oil world
This piece in WaPo paints a grim picture of cheap oil’s impact on Saudi Arabia — and there are huge pieces missing. Worth a read while asking yourself how much Saudis are spending on military efforts against Yemen and Syria, and what new industries they’re investing in to replace oil-based employment.

Took long enough: Software and social media firms get Apple’s back
Did their legal departments finally read the case thoroughly and realize they had skin in this game, too? Who knows — but Google as well as Microsoft are planning to file amicus briefs in support of Apple. Microsoft had already indicated it would support Apple in a congressional hearing yesterday morning; Google piped up later. The latest skinny is that Facebook and Twitter both intend to file briefs in favor of Apple as well. Looks like Microsoft’s current management took a 180-degree turn away from progenitor Bill Gates’ initial response, hmm?

Hit and run

That’s a wrap on this week. Keep your eyes peeled for news dumps while folks are still picking apart last night’s GOP-cast reality TV show. And make time to dance.

EDIT — 8:40 AM — Ugh, why didn’t the Detroit News publish this piece *yesterday* instead of a Friday morning? Michigan’s Gov. Snyder’s “inner circle” exchanged emails advising a switchback from Flint River a year before the switchback took place, and only three weeks before Snyder’s re-election. There was enough content in this to go to press without waiting for a quote from one of the former advisers.

Thursday Morning: Snowed In (Get It?)

Yes, it’s a weak information security joke, but it’s all I have after shoveling out.

Michigan’s winter storm expanded and shifted last night; Marcy more than caught up on her share of snow in her neck of the woods after all.

Fortunately nothing momentous in the news except for the weather…

Carmaker Nissan’s LEAF online service w-i-d-e open to hackers
Nissan shut down its Carwings app service, which controls the LEAF model’s climate control systems. Carwings allows vehicle owners to check information about their cars remotely. Some LEAF owners conducted a personal audit and hacked themselves, discovering their cars were vulnerable to hacking by nearly anyone else. Hackers need only the VIN as the user ID, with no other authentication, to access the vehicle’s Carwings account. You’d think by now all automakers would have instituted two-factor authentication at a minimum on any online service.
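To make the weakness concrete, here is an added example (not Nissan’s or Carwings’ code; the service names, VINs and accounts are constructed) contrasting a mock vehicle-status API that treats the VIN as its only credential with one that binds each VIN to an authenticated owner account:

```python
"""Mock vehicle-status API: VIN-only access beside owner-bound access.
Constructed for illustration; it is not Nissan's or Carwings' code."""
import hashlib
import hmac
import secrets

# Constructed sample data: which account each VIN is registered to.
VEHICLES = {
    "EXAMPLEVIN0000001": "alice",
    "EXAMPLEVIN0000002": "bob",
}


class VinOnlyService:
    """Models the weakness described above: the VIN is the only credential,
    so any request naming a registered VIN is served that car's data."""

    def status(self, vin):
        if vin not in VEHICLES:
            raise PermissionError("unknown VIN")
        return {"vin": vin, "climate": "on", "battery_pct": 80}


class OwnerBoundService:
    """Hardened variant: callers log in with a password, and a VIN is only
    served if it is registered to the account behind the session."""

    def __init__(self):
        self._creds = {}     # user -> (salt, PBKDF2 hash)
        self._sessions = {}  # session token -> user

    @staticmethod
    def _kdf(password, salt):
        # Slow, salted password hash; a real deployment tunes the iterations.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._creds[user] = (salt, self._kdf(password, salt))

    def login(self, user, password):
        rec = self._creds.get(user)
        if rec is None:
            return None
        salt, expected = rec
        # Constant-time comparison so a wrong guess leaks nothing via timing.
        if not hmac.compare_digest(expected, self._kdf(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def status(self, token, vin):
        owner = self._sessions.get(token)
        if owner is None:
            raise PermissionError("not authenticated")
        # Authorization check: the VIN must belong to the logged-in account.
        if VEHICLES.get(vin) != owner:
            raise PermissionError("vehicle not registered to this account")
        return {"vin": vin, "climate": "on", "battery_pct": 80}


def demo_service():
    """Build a hardened service with constructed demo accounts."""
    svc = OwnerBoundService()
    svc.register("alice", "correct-horse-battery")
    svc.register("bob", "hunter2-is-not-great")
    return svc


def cross_account_blocked():
    """True if a logged-in owner cannot read another owner's vehicle."""
    svc = demo_service()
    token = svc.login("alice", "correct-horse-battery")
    try:
        svc.status(token, "EXAMPLEVIN0000002")
    except PermissionError:
        return True
    return False
```

The second factor the post calls for would be an additional step in `login`; the VIN-to-account check in `status` is what stops one owner's credentials from reaching another owner's car.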

Researcher says hardware hack of iPhone may be possible
With “considerable financial resources and acumen,” a hardware-based attack may work against iPhone’s passcode security. The researcher noted such an attempt would be very risky and could destroy any information sought in the phone. Tracing power usage could also offer another opportunity at cracking an iPhone’s passcode, but the know-how is very limited in the industry. This bit from the article is rather interesting:

IOActive’s Zonenberg, meanwhile, told Threatpost that an invasive hardware attack hack is likely also in the National Security Agency’s arsenal; the NSA has been absent from discussions since this story broke last week.

“It’s been known they have a semiconductor [fabrication] since January 2001. They can make chips. They can make software. They can break software. Chances are they can probably break hardware,” he said. “How advanced they were, I cannot begin to guess.”

The NSA has been awfully quiet about the San Bernardino shooter’s phone, haven’t they?

‘Dust Storm’: Years-long cyber attacks focused on intel gathering from Japanese energy industry
“[U]sing dynamic DNS domains and customized backdoors,” a nebulous group has focused for five years on collecting information from energy-related entities in Japan. The attacks were not limited to Japan, but attacks outside Japan by this same group led back in some way to Japanese hydrocarbon and electricity generation and distribution. ‘Dust Storm’ approaches have evolved over time, from zero-day exploits to spearphishing and Android trojans. There’s something about this collected, focused campaign which sounds familiar — rather like the attackers who hacked Sony Pictures? And backdoors…what is it about backdoors?

ISIS threatens Facebook’s Zuckerberg and Twitter’s Dorsey
Which geniuses in U.S. government both worked on Mark Zuckerberg and Jack Dorsey about cutting off ISIS-related accounts AND encouraged revelation about this effort? Somebody has a poor grasp on opsec, or puts a higher value on propaganda than opsec.

Wonder if the same geniuses were behind this widely-reported meeting last week between Secretary of State John Kerry and Hollywood executives. Brilliant.

Case 98476302, Don’t text while walking
So many people claimed to have bumped their heads on a large statue while texting that the statue was moved. The stupid, it burns…or bumps, in this case.

House Select Intelligence Committee hearing this morning on National Security World Wide Threats.
Usual cast of characters will appear, including CIA Director John Brennan, FBI Director James Comey, National Counterterrorism Center Director Nicholas Rasmussen, NSA Director Admiral Michael Rogers, and Defense Intelligence Agency Director Lieutenant General Vincent Stewart. Catch it on C-SPAN.

Snow’s supposed to end in a couple hours, need to go nap before I break out the snow shovels again. À plus tard!

Wednesday Morning: If It Ain’t Baseball, It’s Winter

It may be sunny and 90°F where you are, but it’s still winter here. A winter storm warning was issued here based on a forecast of 12 inches of snow and 35 mph winds out of the northeast off Lake Huron. For once, Marcy’s on the lee side of this storm and won’t be blessed with the worst of this system.

I’ll cozy up in front of the fireplace and catch up on reading today, provided we don’t have a power outage. Think I’ll nap and dream of baseball season starting in roughly five weeks.

Before the snow drifts cover the driveway, let’s take a look around.

Hey Asus: Don’t do as we do, just do as we say
Taiwanese computer and network equipment manufacturer Asus settled a suit brought by the Federal Trade Commission over Asus’s leaky routers. The devices’ insecurities were exposed when white hat hacker/s planted a text message on routers informing their owners the devices were open to anyone who cared to look. Terms of the settlement included submitting to security auditing for 20 years.

What a ridiculous double standard: one government department demands that one manufacturer produce and sell secure products, while another government department demands that another manufacturer build an insecurity.

Ads served to Android mobile devices leak like a sieve
Researchers with the School of Computer Science at the Georgia Institute of Technology presented their work yesterday at the 2016 Network and Distributed System Security Symposium, showing that a majority of ads not only matched the mobile user but revealed personal details:

• gender with 75 percent accuracy,
• parental status with 66 percent accuracy,
• age group with 54 percent accuracy, and
• income, political affiliation, and marital status with higher accuracy than random guesses.

Still some interesting work to be presented today before NDSS16 wraps, especially on Android security and social media user identity authentication.

RICO – not-so-suave – Volkswagen
Automotive magazine Wards Auto straps on the kneepads for VW; just check this headline:

Diesel Reigns in Korea as Volkswagen Scandal Ebbs

“Ebbs”? Really? Au contraire, mon frère. This mess is just getting started. Note the latest class-action lawsuit filed in California, this time accusing VW and its subsidiaries Audi and Porsche as well as part supplier Bosch of racketeering. Bosch has denied its role in the emissions controls defeat mechanism:

…The company has denied any involvement in the alleged fraud, saying it sold an engine control unit to Volkswagen, but that Volkswagen was responsible for calibrating the unit.

The scandal’s only just getting going when we don’t know who did what and when.

Worth noting Wards’ breathless excitement about VW passenger diesel sales uptick in South Korea. But then Wards ignores South Korea’s completely different emissions standards as well as the specifics in promotions for that market. Details, details…

Splash and dash

Don’t miss Ed Walker’s latest in his series on totalitarianism and Marcy’s fresh exasperation with polling on FBI vs Apple. Wind’s brisk out of the north, bringing the first wave of flurries. I’m off to check the gasoline in the snowblower and wax my snow shovels.

Monday Morning: Fair of Face

Eh. Not so much. I can’t think of many working folks who greet Monday morning with joy, finding it a beautiful thing. But according to old English folk tales, a Monday birthday was supposed to bring better luck.

What good luck will today bring?

Dripping blood tips off discovery of dead body and millions in currency on plane
Reads like a murder-mystery novel, right? Except that this happened Sunday in Zimbabwe at Harare International Airport. Airport staff noticed blood leaking from the plane during refueling, after which an investigation began, revealing a dead body inside the plane and millions in South African rand on board. The plane was registered to Western Global Airlines of Florida and had been flying from Germany to South Africa. What are the odds we never hear of this plane, the body, or the currency again?

Volkswagen chief knew in 2014 U.S. would investigate; Germany wants spot checks
From scandals like Watergate, the U.S. knows the coverup is often worse than the crime. Looks like Volkswagen will learn this, too. Martin Winterkorn, VW’s former CEO, knew in May 2014 that U.S. officials suspected emissions controls defeat devices in VW’s diesel passenger vehicles. BUT…this is not quite news, as the study revealing VW’s non-compliant emissions was reported in May 2014, in a public forum, where VW asked about the results. What did Winterkorn know, and when did he know it?

Germany’s Transport Minister Alexander Dobrindt said yesterday, “There will be controls on vehicles in the style of doping tests (for athletes), …Unannounced and every year.” Dude. Come on. The defeat device evaded random tests in U.S. states like California. Random spot checks will NOT ensure emissions controls work. Only random road tests capturing real world driving outputs will do that. Dobrindt said a draft proposal outlining the test measures would be submitted to the Bundestag on Thursday. Will the lower parliament get wise to this problem?

British teen arrested for the hack on FBI, DHS, CIA director’s email, more
“I am innocent until proven guilty so I have nothing to be worried about…They are trying to ruin my life,” the 16-year-old said after his arrest last week. The most recent hack the teen is accused of included the “leak” of 30,000 FBI and DHS personnel contact information. He’s accused of being a member of Crackas With Attitude (CWA); CWA has said the hacking of CIA director Brennan’s email was “so easy to hack Brennan that ‘a 5-year old’ could have done it.” Doesn’t sound like mad hacking skillz required to pose a threat to law enforcement.

UK’s Investigatory Powers Tribunal said hacking devices by intelligence doesn’t violate human rights
British Foreign Secretary Philip Hammond believes the IPT’s ruling last week is fair, but of course, he would. The case pressed by Privacy International forced the UK’s intelligence agency GCHQ to reveal the use of mass surveillance using computer network exploits (CNE). The case can’t go any further in the UK, but could be reviewed in the EU. Wonder if these same CNE were deployed to identify the 16-year-old teenager charged with hacking Brennan?

From Department of Creepy Spouses: Man + Wife’s FitBit Data + Reddit = PG
A man asked a Reddit forum about his wife’s unusual FitBit data and learned she’s pregnant. I would kick this butthead to the curb so fast if he’d been my spouse. Talk about a violation of privacy, let alone a breach of intimacy between married partners. I can only imagine how this discovery will influence hackers snooping on wearable devices.

Not looking like good luck today after all. Perhaps better luck tomorrow?

Friday Morning: It’s Five Somewhere

This week has been really long. Painfully dragged out. Mid-week snowstorm probably didn’t help. But here we are, survivors with another week and yet another Presidential campaign debate under our belts.

I’ll keep it short and snappy given how much ugly we’ve been through.

Your information security is only as good as the stupidest person on staff
“Hello, FBI? I’m new here and I don’t have my code. Can you help a girl out?” No joke, that’s about all it took for one unnamed hacktivist to get inside the FBI. And yet the FBI demands backdoors into all mobile devices. I can’t even…

Meet your new immortal overlord: Your self-driving car
This first graf scares the crap out of me:

The computer algorithms that pilot self-driving cars may soon be considered the functional equivalents of human drivers. That’s the early opinion of the National Highway Traffic Safety Administration—and so begins our slow-burn acquiescence in the battle of man versus machine.

And not even for the reasons that PC World’s editor-in-chief Jon Phillips outlines in his editorial. If a governmental agency recognizes an algorithm as equal to a human, how long before humans are actually subordinate to artificial intelligence? It’s bad enough corporations — legal constructs — have nearly the same rights as humans and can live forever. This needs to die on the vine right now — especially since Google is ramping up hiring for its line of self-driving cars.

Speaking of Google…

Busy week on Zika front

Media commentator Douglas Rushkoff interviewed on digital society

You left Facebook in 2013. How is that working out for you?

Professionally, I’m thinking it may be good for one’s career and business to be off social media altogether. Chris Anderson was wrong. “Free” doesn’t lead to anything but more free. Working for free isn’t leverage to do a talk for loads of money; now they even want you to talk for free. What am I supposed to do? Join YouTube and get three cents for every 100,000 views of my video? That is crap; that is insane! …

A worthwhile read, give it a whirl when the dust begins to settle.

Here’s hoping the weekend moves as slowly as this week did. Huli pau!

Wednesday Morning: Ashes to Ashes

It’s your second morning-after this week, this one launching the countdown on Christian calendars to Easter. I’m a lapsed Catholic, but we do observe Lent in my household. My agnostic son resists, but I’ve explained this is an opportunity to be mindful about others’ experience of going without. We are privileged to choose to give up, and we consciously recognize it by Lenten observation. Some choices we make, like giving up meat and sugar, are beneficial for us, but it’s still the luxury of choice when others are forced to simply suffer without recourse.

This year we will be mindful of water. We take it for granted every time we turn on the faucet. Yet our brethren go without in nearby Flint, in spite of water’s essential nature to life. I’ll donate the money I would have spent on 46 days of meat-based meals to Flint’s United Way Water Fund and the Food Bank of Eastern Michigan, as both organizations are helping distribute water and filters to Flint residents. Last night’s Boil Water order issued because of a water main break only underlines the difficulties Flint’s residents will face until the entire water system is replaced.

Dept of Duh: Director of National Intelligence says Internet of Things can be used to spy
NO! Say it isn’t so! Like it never occurred to us that any device attached to the internet, including the growing number of WiFi-enabled household appliances, might be used to spy on us.

Volkswagen recalls cars — and not because of emissions
VW didn’t need more trouble; this time, it’s not the German carmaker’s fault. 680,000 VW-branded vehicles are being recalled because of Takata-made airbags which may be defective. TAKE NOTE: Mercedes-Benz models were also recalled yesterday.

Toyota, Honda, Acura, BMW, Nissan, Subaru, GM, Ford, Chrysler, and Daimler also issued recalls over the last two years for the very same reason — defective Takata-made airbags. See this article for a running timeline of events related to the recalls as well as a list of affected vehicles (to date).

Attacking the grid? Try a squirrel first – hacking is much harder
A honeypot mimicking an energy management system demonstrated the challenge facing hackers trying to crash a power grid. Dewan Chowdhury, MalCrawler’s founder, spoke at the Kaspersky Lab Security Analyst Summit about the knowledge set needed to attack energy systems:

“It’s extremely difficult. You can’t just be an NSA or FSB hacker; you need an electrical engineer on board to weaponize attacks and figure out what’s going on … When it comes to weaponization, you need a power substation engineer who knows what needs to be done and tested.”

After reading about Chowdhury’s presentation, I have two caveats. The first is the notion that an “electrical engineer” or a “power substation engineer” is required. Many non-degreed workers like electricians and technicians are familiar with computers, networks, and SCADA equipment. The second is this bit:

The groups had access to the HMI, which would allow them to manipulate the grid, but Chinese, U.S., and Russian groups, he said, stick to a gentlemen’s agreement and leave the grid alone. Middle Eastern actors, however, will try to perform control actions to sabotage the grid.

A “gentlemen’s agreement”? When do the gloves come off? When one of these actors aligns with a Middle Eastern actor?

Global disaster — how would you respond?
In case a mess of squirrels are deployed to take down the world’s power grids, one might need to know how to deal with the inevitable meltdown of services. Johns Hopkins Center for Civilian Biodefense Strategies modeled a global disaster in 2013 by way of a simulation game. The results were predictable:

What they discovered was that the country was ill prepared to cope. Within two weeks there would be enormous civilian casualties, a catastrophic breakdown in essential institutions, and mass civil unrest. Food supplies, electricity and transport infrastructures would all collapse.

International security scholar Dr. Nafeez Ahmed was asked how people should respond; he offered a nifty guide, outlined in six points.

But disaster isn’t always global, and current cases show our gross inability to respond to limited disasters. Flint, for example, already struggles with running water, item number three on Dr. Ahmed’s list. Conveniently, Flint doesn’t necessarily rely on government or law enforcement (item number four) because neither responded appropriately to the ongoing water crisis. What remains to be seen is whether Flint will muster long-term self-sufficiency (item number six) as government and law enforcement continue to let them down.

Speaking of Flint, I wonder how today’s Democratic Steering and Policy Committee hearing on Flint’s water crisis will go, as Michigan’s Governor Rick Snyder declined to appear.

“Don’t necessarily trust the government or law enforcement” in global disaster, indeed.

Monday Morning: Taking out the Garbage

Most of the time, I’m here in Michigan and I’m taking out the garbage every Monday. — Bob Seger

Morning-after blues now set in, feeling the weight of too much beer and cheese, doing the Walk of Shame, reeking of regret. Gotta’ love American excess in all things, including sports.

Take out last night’s garbage, pour yourself an herbal tea or a detox smoothie, and let’s get back at it. Speaking of garbage…

VW expected to make appetizing offer to U.S. passenger diesel owners — BUT…

The German car maker has still not decided whether vehicle owners will be offered cash, car buy-backs, repairs or replacement cars, Kenneth Feinberg told the Frankfurter Allgemeine Sonntagszeitung.

In other words, everything compensation manager Kenneth Feinberg said on behalf of VW for a German media outlet is vaporware. Best to keep in mind Feinberg has previously represented shining examples of corporate ethics like BP after the Deepwater Horizon spill.

Zika, Zika, Zika…
The virus is now driving some people mad — and they’re not even infected. Like Republican presidential candidates who believe persons traveling to the U.S. should be quarantined if they come to the U.S. from Brazil (Christie), or could be quarantined if they have been infected (Carson). Or scientists pushing to kill all the Aedes aegypti mosquitoes, without much thought for what removal of a species of insects will do to the rest of the ecological system which they’ve made home. Viruses are opportunistic; lose one host and they’ll hop to another. Are scientists modeling that next likely host?

Electronic toy maker VTech offers to buy LeapFrog
LeapFrog was popular with my kids 10 years ago; their line of educational toys helped my kids’ grades with spelling test games. But LeapFrog made a strategic error leaving the smaller handheld games for children’s tablets, and is now limping along. VTech has its own problems with technology, like the recent breach of user data, exposing millions of children and their families. Perhaps LeapFrog’s information technology will help shore up VTech’s through this acquisition.

Death from outer space
A bus driver in India may have been the first recorded casualty of a meteorite this weekend. Three others were injured when the meteorite exploded, leaving a small crater and broken windows.

Gong Xi Fa Cai or Gong Hey Fat Choy to you, depending on whether you speak Mandarin or Cantonese, as we enter the Year of the Monkey. Oops, perhaps you shouldn’t take out the trash just yet, especially if it requires sweeping. It’s bad luck to do so on the first new moon of the year — you might sweep your good luck out the door! Oh, your team lost last night? Sweep away. Best wishes for a prosperous new year!

Thursday Morning: War All The Time

War All The Time — seems appropriate now, and it’s been more than a dozen years since this song was released. Also rather pathetic that MTV censored a reference to suicide in this tune, like a drop of merthiolate on a gaping wound.

Say it isn’t so, girl! Wendy’s investigating possible breaches
On the face of it, this doesn’t sound like a corporate-wide cybersecurity event. It may be confined to specific stores. But fast food chain Wendy’s contracted a security firm to look into unauthorized credit card charges made to cards used at their stores. Wendy’s joins Jimmy John’s and Chick-Fil-A in the growing list of compromised fast food chains.

Ransomware infects Israel’s Electric Authority
No outage has been reported as a result of ransomware infection of Israel’s electrical power system via phishing. Computers may have been isolated from the system’s network, though. The full extent of the malware’s impact is difficult to determine from reports available online; some likened this to the cyberattack on a Ukrainian power plant, and others called this a hacking, though neither description appears to fit well.

California struggles with self-driving car regulations
Oh dear Cthulhu…this bit:

Google has concluded that human error is the biggest risk in driving, and the company wants to remove the steering wheel and pedals from cars, giving people minimal ability to take over.

But computers never, ever make mistakes, right? No wonder California is struggling with this…but no. Even though Google’s DeepMind AI mastered Go a decade early, it can’t master California’s highways.

New high-speed wireless internet service launched by former Aereo CEO
Using microwave technology, new gigabit internet service provider Starry will begin in Boston this year once the FCC approves a limited test run in 15 cities. For now, this looks like a solution for urban areas, but it could be an alternative in rural areas where existing telecoms/ISPs fail to provide high-speed internet in spite of federal funds allocated to expand coverage. Imagine using wind turbine towers for Starry microcells to carry gigabit service to rural America.

All right, everybody back to the front, back to the foreverwar.

Wednesday Morning: Adulting is Hard

While looking for Wednesday, I discovered there’s a video short series based on a grownup version of Wednesday Addams character. Cute, though from Wednesday’s POV becoming an adult isn’t all the fun one might expect.

So much for those carefree days when one could leave all the bad news and difficult choices to parental figures. It was all an illusion there were ever any grownups in charge.

Playstation moves to U.S. as Sony melds and migrates interactive entertainment divisions
What’s this really all about? Does this consolidation of Sony Computer Entertainment with Sony Network Entertainment and their move to California as Sony Interactive Entertainment allow better collaboration with Sony Pictures? Or does this allow for easy access by U.S. government entities suspicious of Playstation Network as a potential terrorist communications platform? Or is this a means to secure a leaky business by pulling more of Sony Group inside a single network? Sony explained SIE will “retain and expand PlayStation user engagement, increase Average Revenue Per Paying Users and drive ancillary revenue” — but that sounds like fuzzy vapor to me.

“Bent spear? Oh, THAT bent spear…” Air Force review omits report of damage to nuke
I hope like hell President Obama has already called someone on the carpet and asked for heads to roll. Not reporting a “bent spear” event in a review of U.S. nuclear force isn’t exactly a little boo-boo. A “bent spear” in 2007 spawned a rigorous investigation resulting in a large number of disciplinary actions including resignations and removals from duty.

Zika virus: risk to U.S. mounting
There have been more non-locally transmitted cases of Zika virus here in the U.S. as another Latin American country warns women against pregnancy. Not to worry, it’s not like Ebola, relax, we’ve been told…except that we’ve seen this playbook before, where there were casualties as a pandemic began before either federal or state agencies took effective action. In the case of Zika, we may not see mortalities; casualties may be serious birth defects following a rapid spread with mosquito season. Fortunately President Obama has now asked for more accelerated research into Zika, though we may not see results before Aedes mosquito season hits its stride this year. For more information about this virus, see the CDC’s Zika website.

EU seeks hefty fines in draft law to overhaul auto industry regulations
At fines of €30,000 (£22,600) per vehicle found in violation, the EU might get some results out of proposed regulations governing automotive emissions standards. But the problem hasn’t been the lack of EU standards — it’s the inability to validate and extract compliance when so many member states are willing to turn a blind eye to their constituent manufacturers’ failings in order to preserve employment. Can the EU make these fines stick once new regulations are passed?

By the way, Consumer Reports published a really snappy overview of the VW emissions scandal. Worth a read.

Con Edison’s creaky website leaves online customers exposed
You’d think by now, after all of the successful hacks on business and government websites, that companies would catch a clue. But no, not in the case of Con Edison. Read the article here so you know what to watch for at other websites: not all of ConEd’s site’s links open fully encrypted connections. This is a really easy thing to fix, and it should be the very first thing every single business allowing customers to log in or pay online checks.

Heading out to act like an adult for the next eight hours. Maybe less.

