Thursday Morning: Mostly Cloudy with a Chance of Trouble

/13 Comments/in , /by

This video came from a random browse for new artists. I don’t know yet if I have an opinion; first minute is rocky, but improves. Think I need to sample some more by this artist. You can find Unknown Mortal Orchestra on SoundCloud.com if you want to sample more without the video — I do like the cover of Sitting on the Dock of the Bay. Verdict still out on the more experimental atmospheric stuff.

Looking for more trouble…

House passed Email Privacy Act (H.R. 699) 419-0
Sampling of reports: Phys.org | Reuters  |  Forbes

A few opinions: ACLU | EFF  |  Americans for Tax Reform

Wow. An issue everybody could love. Do read the Forbes bit as they had the most objections. Caveat: You may have to see John Stossel’s mug if you read the ATR’s opinion.

Next up: Senate, which is waffling thanks to Grassley

But it was unclear if Senate Judiciary Committee Chairman Chuck Grassley, who holds jurisdiction over the legislation, intends to move it forward during an election year.

The Iowa Republican will review the House bill, consult with stakeholders and his committee “and decide where to go from there,” a spokeswoman told Reuters in an email.

Apple crisp

  • Apple’s stock tanked yesterday falling 7% in response to a drop in demand for iPhones; Apple suppliers likewise took a hit. Come on, there’s a finite number of smartphone users, and the limit must be reached some time. Shouldn’t have rattled the market so much — not like the market didn’t notice China’s market woes and subsequent retrenchment of purchasing over the last 6 months, too.
  • FBI said it wouldn’t disclose the means by which a “grey hat hacker” cracked the San Bernardino shooter’s work-issued iPhone 5c. Wouldn’t, as in couldn’t, since the FBI didn’t acquire intellectual property rights to the method. Hmm.
  • coincidentally, FBI notified Apple of a vulnerability in older iPhones and Macs, though an unnamed source said the problem had already been fixed in iOS9 and in Mac OS C El Capitan. Nice of FBI to make an empty gesture validate the problem.
  • And because I mentioned it, Apple Crisp. I prefer to use Jonathans and Paula Reds in mine.

Malware everywhere

  • The Gundremmingen nuclear power plant in Bavaria found malware in computers added in 2008, connected to the fuel loading system. Reports say the malware has not posed any threat, though an investigation is under way to determine how the plant was infected. Not many details in German media about this situation — timing and method of discovery aren’t included in news reports.
  • A report by Reuters says the malware was identified and includes “W32.Ramnit” and “Conficker” strains. The same report implies the malware may have been injected by devices like USB sticks found in the plant, though the report does not directly attribute the infection to them.
  • BONUS: Reuters quoted cybersecurity expert Mikko Hypponen of F-Secure about the nuclear plant’s infection — but Hypponen elaborated on the spread of viruses, saying that

    he had recently spoken to a European aircraft maker that said it cleans the cockpits of its planes every week of malware designed for Android phones. The malware spread to the planes only because factory employees were charging their phones with the USB port in the cockpit.

    Because the plane runs a different operating system, nothing would befall it. But it would pass the virus on to other devices that plugged into the charger.

    Pretty sure Reuters hadn’t counted on that tidbit.

  • Give their report on Gundremmingen’s infection, it’s odd that Reuters’ op-ed on the state of nuclear safety post-Chernobyl made zero reference to cybersecurity of nuclear facilities.

Miscellania

  • Online gaming community Minecraft “Lifeboat” breach exposed 7 million accounts (NetworkWorld) — Minecraft took its tell notifying users because it says it didn’t want to tip off hackers. Wonder how many of these accounts belonged to minors?
  • On the topic of games, feckless Sony leaks like a sieve again, tipping off new game (Forbes) — Jeebus. Sony Group’s entire holding company bleeds out information all the time. This latest leak is about the next version of Call of Duty. Not certain which is more annoying: yet another Sony leak, or that “Infinite Warfare” is the name of the game.
  • Open source AI consortium OpenAI shows a bit of its future direction (MIT Technology Review) — Looks like the near term will be dedicated to machine learing.
  • Just another pretty face on Cruz’ ticket may bring conflict on H-1B visas (Computerworld) — Seems Cruz wants to limit low-cost H-1B labor, and new VP choice Fiorina is really into offshoring jobs. Commence headbutting. (By the way, I’m being snarky about ‘another pretty face.’ They deserve each other.)

I may have to quit calling these morning roundups given all the scheduling issues I have on my hands right now. At least it’s still morning in Alaska and Hawaii. Catch you here tomorrow!

Share this entry

Wednesday Morning: Lüg mich an, Lügner

/32 Comments/in , , /by

I admit freely my facility with the German language is poor. I hope this post’s headline reads, “Lie to me, Liar.” Which is about as close as I could get to “Lying Liars” because I can’t conjugate the verb ‘to lie.’

~shrug~

It’s not like anybody’s paying me for this, unlike the lying liars at Volkswagen who’ve been paid to deceive the public for a decade. This video presentation featuring Daniel Lange and Felix Domke — a security consultant and an IT consultant, respectively, who reverse engineered VW’s emissions control cheat — is a bit long, but it’s chock full of unpleasant truths revealing the motivations behind VW’s Dieselgate deceptions. The video underpins the cheat outlined in a 2006 VW presentation explaining how to defeat emissions tests.

The one problem I have with this video is the assumption that the fix on each of the affected vehicles will be $600. Nope. That figure is based on how much has been set aside for the entire Dieselgate fix, NOT the actual cost to repair the vehicles.

Because if VW really fixed the vehicles to match the claims they made when they marketed and sold these “clean diesel” passenger cars, it’d cost even more per vehicle. I suspect one of the motivations behind inadequate reserves for a true repair is a reluctance to disclose to competitors how much emissions standards-meeting “clean diesel” really costs.

And of course, avoiding more stringent calculations also prevents an even bigger hit to the company’s stock price, which might affect the pockets of some board members and executives rather disproportionately to the rest of the stock market.

Just how closely that figure per car hews to the agreement with the court this past week will be worth noting, since the video was published in December last year.

But now for the much bigger, even more inconvenient Lügner Lügen: This entire scandal exposes the fraud that is the U.N. Framework Convention on Climate Change Paris agreement.

We know a small nonprofit funded research by a tiny group of academics exposing VW’s emissions controls defeat. We know this set off a cascade of similar analysis, exposing even more cheating by more automobile manufacturers.

But why are we only now finding out from nonprofits and academics about this fraud? Didn’t our elected representatives create laws and the means for monitoring compliance as well as enforcement? Why aren’t governments in the U.S. and the EU catching these frauds within a year of their being foisted on the public?

These questions directly impact the Paris agreement. We’re not starting where emissions standards have been set and where the public believes conditions to be, but at real emissions levels. In other words, we are digging out of  a massive pollution hole.

Our elected officials across the world will avoid funding the dig-out; they’ll continue another layer of lies to prevent removal from office. And we can reasonably expect from them only what they’ve done so far, which Dieselgate has proven to be little.

For that matter, Flint’s water crisis has much in common with Dieselgate, relying on academic research and nonprofit entities to reveal mortal threats to the community. Flint’s crisis showed us government at all levels can be even worse at writing laws, monitoring compliance, and subsequent enforcement.

If the public cannot expect government to do the job it believes it elected them to do over the last several decades, how ever can they expect their government to enact the terms of the Paris agreement? How can we expect third world countries to reduce carbon emissions to save the world from the devastation of climate change while we and our governments continue to ignore corporations’ ongoing deceptions?

No roundup today, gang. I strongly recommend watching the video above. Thanks to BoingBoing for linking to it.

Share this entry

Tuesday Morning: Monitor

/15 Comments/in , , /by

Y me lamento por no estar alla
Y hoy te miento para estar solos tu y yo
Y la distancia le gano al amor
Solo te veo en el monitor

— excerpt, Monitor by Volovan

Sweet little tune, easy to enjoy even if you don’t speak Spanish.

Speaking of monitor…

Flint Water Crisis: Michigan State Police monitoring social media
Creeptastic. MSP is following social media communications related to Flint water crisis, which means they’re watching this blog and contributors’ tweets for any remarks made about Flint. Whatever did they do in the day before social media when the public was unhappy about government malfeasance?

MDEQ personnel told Flint city water employee to omit tests with high lead readings
The charges filed last week against two Michigan Department of Environmental Quality and a Flint city employee were related to the manipulation and falsification of lead level tests. From out here it looks like Mike Glasgow did what the MDEQ told him to do; with the city under the control of the state, it’s not clear how Glasgow could have done anything else but do what the state ordered him to do. Which governmental body had higher authority under emergency management — the city’s water department, or the MDEQ? And what happens when personnel at the MDEQ aren’t on the same page about testing methodology?

MDHHS too worried about Ebola to note Legionnaire’s deaths in 2014-2015?
Michigan’s Department of Health and Human Services director Nick Lyons maintains a “breakdown in internal communication” kept information about the Legionnaire’s disease outbreak from reaching him. He also said MDHHS was focused on Ebola because of its high mortality rate overseas. There were a total of 11 cases of Ebola in the U.S. between 2014 and 2015, none of which were diagnosed or treated in Michigan. Meanwhile, 10 people died of Legionnaire’s due to exposure to contaminated Flint water in that same time frame. Not certain how MDHHS will respond to an imported biological crisis when it can’t respond appropriately to a local one created by the state.

Other miscellaneous monitoring

  • Charter Communications and Time Warner tie-up approved, with caveat (Reuters) — Charter can’t tell content providers like HBO they can’t sell their content over the internet – that’s one of a few exceptions FCC placed on the deal. I think this is just insane; the public isn’t seeing cheaper broadband or cable content in spite of allowing ISPs to optimize economies of scale. Between Charter/TWC and Comcast, they’ll have 70% of all broadband connections in the U.S.
  • Mitsubishi Motors fudged its fuel economy numbers for last 25 years (AP) — This investigation is exactly what should happen across EU, because EU-based manufacturers have done this for just as long or longer. And the EU knows this, turns a blind eye to the tricks automakers use to inflate fuel economy ratings.
  • Goldman Sachs has a brand new gig: internet-based banking (Fortune) — This is the fruit of GS’ acquisition of General Electric’s former financial arm. Hmm.
  • BAE Systems has a nice graphic outlining the SWIFT hack via Bangladesh’s central bank (BAE) — Makes it easy to explain to Grampa how somebody carted off nearly a billion dollars.

Toodledy-doo, Tuesday. See you tomorrow morning!

Share this entry

Monday Morning: Tectonic Shift

/6 Comments/in , /by

Last week after the artist Prince Rogers Nelson died, a segment of the population were mystified by the reaction to his passing. They’d missed impact this artist had had on music which happened concurrent with a paradigm shift in the entertainment industry. Prince rose in sync with music videos in the 1980s when musical artists became more than sound alone.

Music television has since collapsed as anyone who watched MTV and VH-1 since 2000 can tell you. Programming once dedicated to music videos became a mess of unscripted reality programs and oddments, punctuated occasionally by music specials, chasing an audience which increasingly found and consumed music on the internet.

This weekend, though, marked another shift. R&B pop artist Beyoncé released a ‘visual album’ on HBO on Saturday evening entitled ‘Lemonade’. The work was available exclusively through Tidal after its HBO premiere until midnight last night when it was released on Apple iTunes. This is the first music collection released in this manner, using a cable network not previously dedicated to music in tandem with internet streaming and download sales.

I won’t offer any analysis here about the album; you’re not looking if you do not see at least a fraction of the deluge of reaction and think pieces responding to Beyoncé’s latest work. I will say, though, that like Prince’s Purple Rain in 1984, this collection of work will have long-term impact across not only music but the entire entertainment industry.

Let’s launch this week’s roundup…

The Dutch pull a Lavabit-plus
Encrypted communications network Ennetcom was shut down on Friday and its owner arrested. Dutch law enforcement claimed Ennetcom was used by organized crime; its owner is accused of money laundering and illegal weapons possession. The network relied on servers located in Canada, where law enforcement has cooperated with the Netherlands by copying the information on the servers. Unlike the former secure email provider Lavabit in the U.S., it’s not clear there was any advance request for information by way of warrant served on Ennetcom in either the Netherlands or in Canada. Given the mention of illegal weapons, one might wonder if this seizure is related to the recent prosecution of gun smugglers in the UK.

Time for ‘Spring Cleaning’ — get rid of digital dust bunnies
Seems like a surprising source for a nudge on this topic, but the Better Business Bureau is right to encourage cleaning and maintenance. If you read Marcy’s post this morning, you know failing to use adequate passwords and firewalls can be costly. It’s time to go through your electronic devices and make sure you’re using two-factor authentication where possible, freshly reset strong passwords, and on your network equipment as well as your desktop and mobile devices.

Planning for your funeral – on Facebook?
A BBC piece this past week noted that Facebook will eventually have more dead users than live ones. Which brings up an interesting question: how do you want your digital presence handled after you die? Do you have instructions in place? Keep in mind, too, that your social media could be mined to recreate an online personality — your personality. Do you want to live forever in teh toobz?

Investigation into Flint’s water crisis continues
A Michigan legislative panel appointed by Governor Rick Snyder will hear from more state and local officials today in its fifth such meeting to investigate the Flint water crisis. Snyder is conveniently out of the country trying to drum up business in Europe — and conveniently not drinking Flint’s water.

Odds and sods

  • Waiting for word on Yahoo’s final bidders list (Bloomberg) — No word yet on who will remain among the 10 first-round bidders offering between $4-$8 billion.
  • German regulators won’t approve recall and fix of VW’s 2.0-liter diesel-powered Passat (Bloomberg) — And yet the U.S. is going forward with VW’s proposed fix for 2.0l vehicles? Odd, given Germany’s less-stringent approach to automotive emissions compared to U.S. and California in particular.
  • A UK-based inquiry found widespread emissions controls failure (Phys.org) — By widespread, I mean “not a single car among the 37 models involved in the study met an EU lab limit for nitrogen oxide emissions under normal driving conditions.” VW’s emissions controls defeat was just the tip of the iceberg.

There’s your Monday. Have at it!

UPDATE — 5:25 P.M. EDT — Oops, the auto-publish feature failed me today. I wasn’t able to come back and check the egg timer on this post and it got stuck in the queue. Oh well, better luck tomorrow morning!

Share this entry

Turns Out Their Reassurances Were Too SWIFT

/5 Comments/in /by

When I first wrote about the $81 million bank heist of Bangladesh, I noted that the hack appeared to target SWIFT, the international payment transfer system, even while SWIFT itself was giving us reassurances that they had not been breached.

While SWIFT insists it has not been breached, the hackers used a name making it clear they were targeting the SWIFT system.

On Jan. 29, attackers installed “SysMon in SWIFTLIVE” in what was interpreted as reconnaissance activity, and appeared to operate exclusively with “local administrator accounts.”

SWIFT is sending out a security advisors to its members, advising them to shore up their local operating environments.

Three days ago, Reuters issued a report that seemed to reiterate the centrality of the negligence of Bangladesh bank for the hack, which was relying on a second-hand, $10 router for its SWIFT set-up.

Bangladesh’s central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 switches to network computers connected to the SWIFT global payment network, an investigator into one of the world’s biggest cyber heists said.

The shortcomings made it easier for hackers to break into the Bangladesh Bank system earlier this year and attempt to siphon off nearly $1 billion using the bank’s SWIFT credentials, said Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police’s criminal investigation department.

“It could be difficult to hack if there was a firewall,” Alam said in an interview.

The lack of sophisticated switches, which can cost several hundred dollars or more, also means it is difficult for investigators to figure out what the hackers did and where they might have been based, he added.

Though local cops cast some of the blame on SWIFT.

The police believe that both the bank and SWIFT should take the blame for the oversight, Alam said in an interview.

“It was their responsibility to point it out but we haven’t found any evidence that they advised before the heist,” he said, referring to SWIFT.

A spokeswoman for Brussels-based SWIFT declined comment.

Which might have been the tip-off that this was coming…

The attackers who stole $81 million from the Bangladesh central bank probably hacked into software from the SWIFT financial platform that is at the heart of the global financial system, said security researchers at British defense contractor BAE Systems.

SWIFT, a cooperative owned by 3,000 financial institutions, confirmed to Reuters that it was aware of malware targeting its client software. Its spokeswoman Natasha Deteran said SWIFT would release on Monday a software update to thwart the malware, along with a special warning for financial institutions to scrutinize their security procedures.

[snip]

Deteran told Reuters on Sunday that it was issuing the software update “to assist customers in enhancing their security and to spot inconsistencies in their local database records.” She said “the malware has no impact on SWIFT’s network or core messaging services.”

The software update and warning from Brussels-based Swift, or the Society for Worldwide Interbank Financial Telecommunication, come after researchers at BAE (BAES.L), which has a large cyber-security business, told Reuters they believe they discovered malware that the Bangladesh Bank attackers used to manipulate SWIFT client software known as Alliance Access.

One wonders whether SWIFT would have released a public statement if not for BAE’s imminent public report on this?

Again, NSA managed to hack into SWIFT (double-dipping on the sanctioned access they got through an agreement with the EU) via printer traffic at member banks.

NSA’s TAO hackers hacked into SWIFT (even though the US has access to SWIFT to obtain counterterrorism information via an intelligence agreement anyway), apparently by accessing printer traffic from what sounds like member banks.

The NSA’s Tracfin data bank also contained data from the Brussels-based Society for Worldwide Interbank Financial Telecommunication (SWIFT), a network used by thousands of banks to send transaction information securely. SWIFT was named as a “target,” according to the documents, which also show that the NSA spied on the organization on several levels, involving, among others, the agency’s “tailored access operations” division. One of the ways the agency accessed the data included reading “SWIFT printer traffic from numerous banks,” the documents show.

So SWIFT had warning there were vulnerabilities in its local printer system (though it’s not clear this is the same vulnerability the Bangladesh thieves used).

You’d think SWIFT would have made some effort when that became public to shore up vulnerabilities in the global finance system. Instead, they left themselves vulnerable to a $10 router.

Share this entry

CyberCommand Turns Its “Cyberbombs” from Assad to ISIS

/3 Comments/in /by

David Sanger has a long piece on how CyberCom is — for the first time, he says! — launching cyberattacks on ISIS.

The United States has opened a new line of combat against the Islamic State, directing the military’s six-year-old Cyber Command for the first time to mount computer-network attacks that are now being used alongside more traditional weapons.

The effort reflects President Obama’s desire to bring many of the secret American cyberweapons that have been aimed elsewhere, notably at Iran, into the fight against the Islamic State — which has proved effective in using modern communications and encryption to recruit and carry out operations.

The National Security Agency, which specializes in electronic surveillance, has for years listened intensely to the militants of the Islamic State, and those reports are often part of the president’s daily intelligence briefing. But the N.S.A.’s military counterpart, Cyber Command, was focused largely on Russia, China, Iran and North Korea — where cyberattacks on the United States most frequently originate — and had run virtually no operations against what has become the most dangerous terrorist organization in the world.

[snip]

The goal of the new campaign is to disrupt the ability of the Islamic State to spread its message, attract new adherents, circulate orders from commanders and carry out day-to-day functions, like paying its fighters. A benefit of the administration’s exceedingly rare public discussion of the campaign, officials said, is to rattle the Islamic State’s commanders, who have begun to realize that sophisticated hacking efforts are manipulating their data. Potential recruits may also be deterred if they come to worry about the security of their communications with the militant group.

[snip]

“We are dropping cyberbombs,” Mr. Work said. “We have never done that before.”

The campaign has been conducted by a small number of “national mission teams,” newly created cyberunits loosely modeled on Special Operations forces.

Golly, what a novel idea, hacking an adversary that relies on the Internet for its external strength? Imagine how many people we could have saved if we had done that a few years ago? And all this time CyberCom has just been sitting on its thumbs?

Sanger suggests, of course, that CyberCom has been otherwise focused on Russia, China, Iran, and North Korea, which (post-StuxNet) would be significantly an active defense. He pretends that cyber attacks have not been used in the ISIS theater at all.

Of course they have. They’ve been going on so long they even made the Snowden leaks (as when NSA “accidentally” caused a blackout in Syria).

But it would be inconvenient to mention attacks on Syria (as distinct from its ally Iran), I guess, because it might raise even more questions about why we’d let ISIS get strong enough, largely using the Internet, to hit two European capitals without undercutting them in the most obvious way. It all makes a lot of sense if you realize we have, at the same time, been directing those resources instead at Bashar al-Assad.

Share this entry

DOJ’s Awesome New Trick to Break into Apple Phones

/11 Comments/in /by

DOJ has apparently come up with an amazing new trick to break into Apple phones: to ask defendants in the weeks before they sentence them.

Throughout the challenge over the phone in EDNY, Apple has raised a number of other ways DOJ could get into Jun Feng’s phone. That includes some known forensic tools, but especially — given that Feng pled guilty — simply asking him for his password a second time. According to WSJ’s report on why DOJ just withdrew their request in that case, DOJ hadn’t tried the latter method, until now.

In a one-page letter filed with a Brooklyn federal court Friday night, the government said an individual had recently come forward to offer the passcode to the long-locked phone. The filing means that in both of the high-profile cases pitting the Justice Department against Apple, the government first said it couldn’t open the phone, only to suddenly announce it had found a way into the device as the case proceeded in court.

“Yesterday evening, an individual provided the passcode to the iPhone at issue in this case,’’ prosecutors said in their terse letter to the judge. “Late last night, the government used that passcode by hand and gained access to the iPhone. Accordingly, the government no longer needs Apple’s assistance to unlock the iPhone, and withdraws its application.’’

[snip]

After he was arrested, Mr. Feng told agents that he didn’t remember the phone’s passcode, leading investigators eventually to seek Apple’s help. The Wall Street Journal reported last week that Mr. Feng only recently learned his phone had become an issue in a high-stakes legal fight between prosecutors and Apple. Mr. Feng, who has pleaded guilty and is due to be sentenced in the coming weeks, is the one who provided the passcode to investigators, according to people familiar with the matter.

Geniuses! Use the sentencing process, rather than the All Writs Act, to open up a phone captured two years ago (which probably has even less usable evidence than Syed Rizwan Farook’s phone did.

These prosecutors are really using some amazing tools these days.

 

Share this entry

Friday Morning: This Thing Called Life

/15 Comments/in , /by

It’s Friday, when we usually cover a different jazz genre. But we’re playing these sorry cards we’ve been dealt this week and observing the passing of a great artist.

We’ll probably all be sick of seeing this same video, but it is one of the very few of Prince available for embedding with appropriate intellectual property rights preserved. It’s a result of Prince’s tenacious control over his artistic product that we won’t have ready access to his past performances, but this same tenacity taught many artists how to protect their interests.

It’s worth the hour and a quarter to watch the documentary Prince in the 1980s; the enormity of his talent can’t be understood without reactions by professionals to his abilities.

The way his voice slides easily into high registers at 05:44, his guitar playing beginning at 06:53, offer us just the smallest glimpses of his spectacular gifts.

Good night, sweet Prince, may flights of angels sing thee to thy rest.

Great Google-y moogley

  • European Community’s Antitrust Commission issued a Statement of Objections regarding perceived breaches of antitrust laws by Google’s Android operating system (European Commission press release) — The EU has a problem with Android’s ~90% market share in some member states. They may have a tough time with their case as the EU did very little to preserve the Nokia Symbian OS when Microsoft bought Nokia phone business. Their point about lack of application interoperability and portability between mobile devices is also weak as they did not make that case with Windows-based applications on personal computers. Further, Google has been aggressive to the point of annoyance in its efforts to segregate Android and Google apps — I can attest to this, having a handful of Android devices which have required irritating application upgrades to facilitate this shift over the last year and a half. This will be an interesting case to watch.
  • The second annual Android Security Report was released on Google’s blog this week (Google Blog) — Some interesting numbers in this report, including Google’s revelation that it scans 400 million devices a day. Gee, a figure intelligence agencies must envy.
  • Roughly 29% of Android devices can’t be accessed to issue monthly security patches (Naked Security) — Sophos has a bit of an attitude about the back-of-the-envelope number it scratched out, calculating a little more than 400 million Android devices may not be running modern Android versions Google can patch, or may not be accessible to scanning for patching. You’d think a cybersecurity vendor would revel in this opportunity to sell product. Or that an otherwise intelligent and successful security firm would recognize the numbers reflect Android’s continued dominance in the marketplace with more than 1.4 billion active devices. The risk is big, but how much of that risk is due to the success of the devices themselves — still highly usable if aging, with insufficient memory for upgrades? Sounds so familiar (*cough* Windows XP)…
  • Google passed a benchmark with mobile version of Chrome browser on more than 1 billion devices (Business Insider) — Here’s another opportunity to screw up interpretation of data: mobile Chrome works on BOTH Android and iOS devices. I know for a fact the latest mobile Chrome will NOT work on some older Android devices.

Under Not-Google: Opera browser now has free built-in VPN
A lesser-known browser with only 2% of current market share, Opera is a nice alternative to Chrome and Firefox. Its new built-in free VPN could help boost its market share by offering additional privacy protection. It’s not clear this new feature will protect users against censorship tools, though — and this could be extremely important since this Norwegian software company may yet be acquired by a Chinese company which placed a bid on the firm a couple of months ago.

Definitely Not-Google: Apple cracker cost FBI more than $1 million
Can’t swing an iPad without hitting a report on FBI director James Comey’s admission at the Aspen Security Forum this week in Londn that cracking the San Bernardino shooter’s work iPhone cost “more than I will make in the remainder of this job, which is 7 years and 4 months,” or more than $1 million dollars. Speaking of exorbitant expenses, why was Comey at this forum in London? Oh, Comey was the headliner for the event? Isn’t that interesting…wonder if that speaking gig came with speaker’s fee?

That’s it for this week’s morning roundups. Hope you have a nice weekend planned ahead of you!

Share this entry

Thursday Morning: Come on Now [UPDATE]

/10 Comments/in , /by

Come on now,
who do you,
who do you,
who do you,
who do you think you are,
Ha ha ha bless your soul.
You really think you’re in control.

— excerpt, Crazy by Gnarls Barkley

The kids are all #TBT on Twitter — posting throwback material from their youth, which seems like just yesterday to me. I’ve got socks older than most of the stuff they share. But I have fun with it anyhow, like this Gnarls Barkley song. Perfect to sing at the top of your lungs in the office if you can get away with it.

Speaking of crazy…

Deadline today for Volkswagen
A deadline for a “concrete proposal for getting the polluting vehicles off the road” was due last month on March 24th after U.S. District Judge Charles Breyer gave VW a 30-day period to develop this solution.

That deadline was not met; Judge Breyer offered another 30-day extension as he felt progress was made. Today’s that second deadline, and it’s not clear a technical solution fixing the vehicles will be included in the proposal.

Reports suggest a combination of vehicle buy-backs and financial incentives may be offered along with funding for remediation. But no reports indicate development of true clean diesel technology to replace the emissions control units programmed to defeat emissions testing. Note from LAT’s article:

…The agreement would give some owners the choice of having Volkswagen repair their cars or buy them back, but it does not include plans on how to repair the vehicles, according to the person, who asked not to be identified because the deal hadn’t been made public.
[…]
… But some owners of newer models who get just a software fix may receive little. About 325,000 owners of older cars that require more extensive repairs likely will get more, because the repairs could affect mileage and performance.

In other words, some of the emissions test-defeating software may be replaced with software that actually meets emissions tests, but it may make the vehicles much less fuel efficient.

This is the crazy, right here: Barring a surprise announcement today, there is no commercially-viable clean passenger diesel technology. There never was — not even years after the first so-called clean passenger diesel was sold. That’s the fraud at the heart of Dieselgate.

UPDATE — 4:00 P.M. EDT —
At a hearing this morning in San Francisco, VW agreed on a deal to buy back or repair about 480,000 passenger diesel cars. Details have not yet been released and may not be until June 21st when VW is expected to have finished dotting all I’s and crossing all T’s.

The deal appears to cover 2.0L vehicles, but 85,000 VW-, Audi- and Porsche-brand vehicles with 3.0L engines are still up in the air. This may suggest performance and fuel efficiency are still problems with any emission control unit repairs.

The deal will also include some funds for pollution remediation, but details about remediation efforts are also unavailable.

Here’s Bloomberg’s report on VW, and here’s Reuters.

Guess we’ll save the Google-y bits for tomorrow, leave today for Volkswagen.

Share this entry

SS7 and NSA’s Redundant Spying

/9 Comments/in , , /by

SS7 countermeasuresOn Sunday, 60 Minutes brought attention to an issue first exposed by researchers some years back: the ease with which people can use the SS7 system that facilitates global mobile phone interoperability to spy on you.

Sharyn Alfonsi: If you just have somebody’s phone number, what could you do?

Karsten Nohl: Track their whereabouts, know where they go for work, which other people they meet when– You can spy on whom they call and what they say over the phone. And you can read their texts.

60 Minutes was smart in that they got Congressman Ted Lieu to agree to be targeted.

Congressman Lieu didn’t have to do anything to get attacked.

All Karsten Nohl’s team in Berlin needed to get into the congressman’s phone was the number. Remember SS7 –that little-known global phone network we told you about earlier?

Karsten Nohl: I’ve been tracking the congressman.

[snip]Sharyn Alfonsi: Are you able to track his movements even if he moves the location services and turns that off?

Karsten Nohl: Yes. The mobile network independent from the little GPS chip in your phone, knows where you are. So any choices that a congressman could’ve made, choosing a phone, choosing a pin number, installing or not installing certain apps, have no influence over what we are showing because this is targeting the mobile network. That of course, is not controlled by any one customer.

[snip]

Sharyn Alfonsi: What is your reaction to knowing that they were listening to all of your calls?

Rep. Ted Lieu: I have two. First, it’s really creepy. And second, it makes me angry.

Sharyn Alfonsi: Makes you angry, why?

Rep. Ted Lieu: They could hear any call of pretty much anyone who has a smartphone. It could be stock trades you want someone to execute. It could be calls with a bank.

Karsten Nohl’s team automatically logged the number of every phone that called Congressman Lieu — which means there’s a lot more damage that could be done than just intercepting that one phone call.

So now Lieu is furious — and pushing House Oversight Committee to conduct an investigation into SS7’s vulnerabilities.

Of course, it’s probably best to think of SS7’s vulnerabilities not as a “flaw,” as 60 Minutes describes it, but a feature. The countries that collectively aren’t demanding change are also using this vulnerability to spy on their subjects and adversaries.

But the fact that Lieu — who really is one of the smartest Members of Congress on surveillance issues — is only now copping onto the vulnerabilities with SS7 suggests how stunted our debate over dragnet surveillance was and is. For two years, we debated how to shut down the Section 215 dragnet, which collected a set of phone records that was significantly redundant with what we collected “overseas” — though in fact the telecoms’ production of such records was mixed together until 2009, suggesting for years Section 215 probably served primarily as legal cover, not the actual authorization for the collection method used. We had very credulous journalists talking about what a big gap in cell phone records NSA faced, in part because FISC frowned on letting NSA collect location data domestically. Yet all the while (as some smarter commenters here have said), NSA was surely exploiting SS7 to collect all the cell phone records it needed, including the location data. Members of Congress like Lieu — on neither the House Intelligence (which presumably has been briefed) or the House Judiciary Committees — would probably not get briefed on the degree to which our intelligence community thrives on using SS7’s vulnerabilities.

What I find perhaps most interesting about this new flurry of attention on SS7 is that the researchers behind it were hired by some “international telecoms” to find ways to improve security sometime in advance of December 2014 (when they first presented their work). The original CCC presentation on this vulnerability (see after 40:00) included a general discussion of what cell phone providers could do to increase the security of their users (see above). 60 Minutes noted that some US providers were doing more than others.

The NSA presumably could and did use entirely SS7 collection for cell phones — especially US based ones — until such time as domestic providers started making them less accessible (and once they were unaccessible overseas, then subject to legal process, though even some of the countermeasures would still leave a US user exposed to other US providers). That needs to be understood (should have been, before the passage of USA Freedom) to really understand the degree to which Congress has any influence over the NSA.

Share this entry