Posts

Monday: Skate Away

/2 Comments/in , , /by

Monday means it’s movie day, and I think this charming little documentary fills the bill. Valley Of A Thousand Hills from Jess Colquhoun looks at Zulu youth participating in a skate camp and the impact on their lives. They’re quite optimistic in spite of limited resources and opportunities. The film left the feeling they’re on the verge of a breakthrough — like these kids could really change global culture if they wanted to. They appear more self-aware and energized than most adults I run into of late.

Wrath of Gods kind of weather

Might be time to brush off that copy of J. G. Ballard’s The Drowned World and ponder a post-apocalyptic future under water. We’ve likely passed the 1.5C degree global warming threshold without any sense of urgency to act on climate change which fuels this wave of flooding.

Sigh-ber

  • Hotels across ten states breached (Reuters) — Hey, now you philanderers have an excuse for that bizarre charge to your room at the Starwood, Marriott, Hyatt, or InterContinental hotel for strawberries, whip cream, and a leather flogger during your last business trip. “It’s just a hacker, honey, that’s all, really…” HEI Hotels & Resorts, the operator of the affected hotels, found the malware in its systems handling payment card data. The malware had been present in the system for roughly 18 months while 20,000 transactions were exposed.
  • Google ‘secretly’ developing a new OS (TechnoBuffalo) — A well-known Linux blogger wrote Google references “Pink + Purple == Fuschia (a new Operating System)” in its Git repository. The two colors are believed to refer to Magenta and LK kernels which Google is using to build a wholly new operating system. Magenta does not have a Wikipedia entry at the time of this post but Googlesource has a brief explainer for Magenta and LK. The two kernels serve different purposes but combined they may be able to operate any device whether small Internet of Things single purpose devices or multi-purpose devices like personal computers. This may be the direction Google has chosen to go rather than fully merge its Chrome OS with Android. The new operating system could also resolve some annoying problems with antitrust regulators if Android is cut loose and managed by an open source consortium, perhaps one established by and aligned with the Open Handset Alliance.
  • Banking malware attacks Android users browsing sites using Google AdSense (SecureList) — The thieves pay for a listing on AdSense, put their malicious ad in the system, and it downloads to an Android device whenever the user reads a website featuring the contaminated ad. Yuck. Use your antivirus app regularly on your Android devices as this nasty thing may pick up your financial information.

Longread: Manners matter?
At Aeon.com, Professor Eleanor Dickey of University of Reading-UK discusses the ‘magic word’ and its use in early democratic society, and its decline with the rise of a hierarchical system in the fourth century BCE. Are we a more or less democratic society based on our current level of societal manners?

Catch you tomorrow if the creek doesn’t rise!

Friday Morning: Mi Ritmo

/9 Comments/in , , , /by

Oye como va
Mi ritmo
Bueno pa gozar
Mulata

— excerpt, Oye Como Va by Tito Puente

This Latin jazz song was on the very first album I owned — Santana’s Abraxas. I have no idea what possessed my father to select this way back in 1971 because he’s not musically inclined. I prefer to think he was persuaded by the music store staff to buy it for me rather than think the cover art did it for him. To this day I don’t dare ask; I’d rather live with my illusion.

Perhaps he simply liked Oye Como Va by Tito Puente and decided I needed it. Maybe that’s what he wanted to listen to when I played the album over and over again, ad nauseam. The song is still easy to listen to even when played by a septuagenarian, isn’t it? Though Puente probably still felt the same way about this song in his last live performance as he did when he first recorded it in 1963.

The personal irony I’m certain my father never considered: the last line is a reference to a mixed race “mulatto” woman. That’s me.

Vamos, amigos!

Wheels

  • South Korea frustrated by Volkswagen’s response to Dieselgate (Yonhap) — Hard to tell how many VW passenger diesel cars with the emissions controls defeat tech have been sold in South Korea to date. Last year’s sales of 35,700 suggest VW needs to exert itself a little more than offer to recall a total 125,000 cars.

Technology Trends

  • Breakthrough in memory technology could change computing dramatically (IBM via YouTube) — I’m still trying to wrap my head around this; could be the simplicity of the underlying science seems so obvious I can’t understand why it wasn’t discovered sooner. Using polycrystalline rather than amorphous material, more data can be stored and in a manner which is stable and not prone to loss when electricity is cut. This technology could replace DRAM at flash memory prices. Imagine how quickly systems could begin processing if they could avoid seeking programs and data.
  • Google’s annual I/O event chary on enterprise computing (ComputerWorld) — Wonder if Google executives’ expressed intent to focus on the enterprise is a veiled threat directed at Oracle? The I/O annual conference didn’t have enough enterprise applications to satisfy the curious; is Google holding back? Or are there pending acquisitions to fill this stated intent, ones not yet ready for publication? I wouldn’t be surprised to see Google launch something on par with Salesforce or Zoho very soon. Google Drive components already compete with or are integrated with some of those Zoho offers in its small business offering.
  • Android’s coming to Chromebooks — finally! (Google Blog) — I’ve put off buying another laptop until this happened, guess I’ll look at the first three models on which developers will focus their development. The applications available for Android phones have been mind-boggling in number; it’d be nice to have the same diversity of selection for laptops. And then maybe desktops in the not-too-distant future? That would really make a dent in enterprise computing.

Cybersec

  • Security camera not password protected? Police may be able to tap it (Engadget) — Love the subhead: “Don’t worry, it’s supposed to be for a good cause.” Just add the invisible snark tag. Purdue University researchers found surveillance cameras could be tapped to allow law enforcement to monitor a crime scene. I don’t know about you but this sounds like a backdoor, not a convenient vulnerability. If the police can use it soon, who might already be using it?
  • Qualcomm mobile chip flaw leaves 60% of Android devices exposed (Threatpost) — Not good, especially since this boo-boo may affect both oldest and newest Android versions. But a malicious app is required to take advantage of this flaw, unlike the Stagefright exploit. Android has already issued a patch; the problem is getting it to all affected devices.
  • LinkedIn’s 2012 breach yielded info on more than 100 million accounts (Motherboard) — Only 6.5 million accounts were initially breached — but that’s only the first batch published online. The actual haul from 2012 was at least 117 million accounts, now for sale for a mere five bitcoins or $2200. Are you a LinkedIn user? Time to check Have I Been Pwned? to see if your account is among those in the breach.

Climate Crises

  • Record high temp of 51C (124F) recorded in India (The Register) — Drought continues as well; article notes, “Back in India, relief from the heat is expected when the annual monsoon hits. The cooling rains generally arrive in mid-June.” Except that with a monster El Nino underway, the amount of rain and cooling will depart from average.
  • Polymath Eleanor Saitta considers climate change and comes to some grim, mortal conclusions (Storify by @AnthonyBriggs) — If you’re a policymaker, you’d better worry about dealing effectively with climate refugees and deaths in the millions. Maybe billions. Refugees from Syria will look like a minuscule blip. If you’re not terrified, you should be.

Looks like it’s going to be a lovely late spring weekend here — hope you’re going to have a nice one, too. See you Monday!

Monday Morning: Falling

/8 Comments/in /by

This morning feels like a fall from great height — disorienting yet certain to end only one way.

Should have rolled over and gone back to sleep instead of mixing it up about politics during the wee hours. ~ yawn ~

The embedded video actually launches a playlist of Afro Celt Sound System. They’re a favorite mood lifter, a perfect example of diverse music styles meeting to create something even more special. Cuts I’ve worn out besides When You’re Falling (with Peter Gabriel) are Lagan, Life Begin Again (both with Robert Plant), and North — yes, I think my favorite album is Volume 3 – Further in Time.

Let’s fall forward.

Oracle v. Google: The most important technology case not about privacy and security
Yet another reminder/disclosure before I start on this case: I own $GOOG, $GOOGL, and $AAPL. I do not own $ORCL or $MSFT, nor did I ever own Sun before it was acquired.

That said, Oracle v. Google is about the gift economy, the march of time and its effect on technology companies, and patent/intellectual property trolling as a business model. The gift economy I’ve followed for years; I was hired to provide competitive intelligence on open source software because the company seeking my services felt it was a threat to their business. And it was, it very much was, though the threat changed over the last decade from free open source software (FOSS) to free software as a service (SaaS) provided with cloud storage.

In a nutshell, Oracle is suing Google for $9 billion — the amount it feels it is due as the heir to Java, acquired when it bought the former Sun Microsystems in 2010. You’ll recall that Sun Micro was once a moderately competitive producer of servers and the creator of open source operating system OpenSolaris (based on Solaris Unix) as well as Java.

Java is a software language used as an alternative to C and C++. Its creators at Sun wanted “Write Once, Run Anywhere” capability so that software written in Java could run on any hardware platform. Contrast this to Microsoft software which runs on Windows-compatible PCs only. Sun did not sell Java licenses but instead sold developers’ kits to encourage the propagation of both the language and its Java-friendly hardware and Solaris Unix operating system. Java was a loss leader offering — like the dozen eggs for free if your total grocery order is $50 or more. This is the gift economy at work.

Java’s creation was initially a response to the lock-in of the desktop PC environment. However, IBM began using Java, allowing the same language to be used on everything from its mainframes to IBM-supported handheld devices.

Handheld devices now include smartphones and tablets running the Android operating system, a variant of Linux now owned by Google after its acquisition of Android, Inc. in 2005. Android’s popularity ate away at cellphone market share running Symbian, Nokia OS, and Windows-based mobile OS. Approximately 80% of the world’s smartphones now run on Android and with it Java application programming interfaces (Java APIs). It’s this installed user base from which Oracle insists it deserves a cut of the revenues.

Oracle is a software company, though unless you are in a larger enterprise, you’ve probably not used their products. Initially, a relational database management system company, over time Oracle has purchased a number of middleware businesses which rely on databases. Like PeopleSoft, a human resource management software — human resource information in a database, manipulated and managed by a middleware application above it. It has also acquired software and businesses with which its products once competed. Innobase, an open-source relational database management system (RDBMS) developer, was acquired in 2005; its application was based on MySQL, another open-source RDBMS.

MySQL’s parent company MySQL AB was itself purchased by Sun in 2008, and acquired by Oracle with Sun in 2010. MySQL remains open source and underpins many commonly used applications used across the internet, though Oracle is now its owner/developer.

You can see the ownership chain gets incredibly messy over time. But it’s also easy to see that Oracle is predatory; its business model relies on consuming other businesses to ensure the survival of its underlying database software, not merely to flesh out its offerings. It has acquired software to build an enterprise stack, or it buys nascent threats to its database software and closes them off in a way to ensure no leak of profit-making opportunities (ex: killing OpenSolaris, the FOSS version of Sun’s Solaris operating system). It also buys businesses and applications used to monitor intellectual property and competitive intelligence.

Not a surprise, really, when one considers the founders — Larry Ellison, Bob Miner and Ed Oates — all once worked on a CIA project code-named Oracle.

A test of the gift economy and the open source movement are at the heart of this case. FOSS relies on it, and now the internet does, too. Anyone connecting to the internet is touched by software and hardware consisting of or shaped by FOSS. Many believe the roots of the open source movement are in software, but the underlying premise goes even further back, to the late 1700s and the first freedom of information law (Sweden’s Freedom of the Press Act, c. 1766). Based on freedom of information, some contemporary governments demand FOSS as a means to ensure citizens have access to information without regard to proprietary business models.

Read any of the links above and your head will spin with the Byzantine convolutions of the software industry over the last two decades. Add the snark-laden quirks of geekdom shaping the decision-making process — quirks which are inside baseball and define one’s belonging to the industry.

Top it off with the inexorable co-development and emergence of the gift economy, and it’s utterly beyond the comprehension of the average Joe or Josephine on the street. Unfortunately, Joe and Josephine are seated as jurors, directed by an equally clueless judge appointed by a neoliberal president (who likewise cannot grok anything created and given to benefit all without some immediate upfront cost benefit in an offshore account). The concepts behind APIs are particularly hard for the judge and jury to understand, exacerbated by testimony from people who did not rise to the top of their industry because of their facility with spoken English.

Read Sarah Jeong’s piece in Motherboard about this case. Read others, like the overview at Ars Technica (read the enlightening comments, too), but keep in mind that everyone who has a stake in the success of technology also has an agenda. Sometimes it’s as simple as their stock portfolio or the type of phone they hold in their hand.

Sometimes their agenda is more complex and based on the concepts of free open-source software and the gift economy. What is open-source if it can be bought and retroactively used as a profit center long after the horses have been freed from the barn? What did the progenitors and decades of collaborators intend Java to be: a profit center in itself for a company they couldn’t see coming more than a decade later, or a means by which users/owners could freely choose more than a single software or hardware company to accomplish their tasks?

And will this case discourage and suppress the explosion of technology developed using a variety of open source licenses?

Phew, this was more than I expected to write about this. Swamped my usual morning roundup, which I’ll save for tomorrow morning.

One more thing: after reading the above about the legal war between the Titans of Technology, you might find this speculative mythological fiction rather entertaining. Where do these Titans fit in this mythology?

Monday Morning: Brittle

/17 Comments/in , /by

The Emperor’s Palace was the most splendid in the world, all made of priceless porcelain, but so brittle and delicate that you had to take great care how you touched it. …

— excerpt, The Nightingale from The Yellow Fair Book by Andrew Lang

Last week I’d observed that Apple’s stock value had fallen by ~7% after its financial report was released. The conventional wisdom is that the devaluation was driven by Apple’s first under-performing quarter of iPhone sales, indicating weaker demand for iPhones going forward. Commenter Ian remarked that Apple’s business model is “brittle.” This perspective ignores the meltdown across the entire stock global market caused by China’s currency devaluation, disproportionately impacting China’s consumption habits. It also ignores great untapped or under-served markets across other continents yet to be developed.

But more importantly, this “wisdom” misses a much bigger story, which chip and PC manufacturers have also reflected in their sales. The video above, now already two years old, explains very neatly that we have fully turned a corner on devices: our smartphones are and have been replacing our desktops.

Granted, most folks don’t go through the hassle of purchasing HDMI+USB connectors to attach larger displays along with keyboards. They continue to work on their phones as much as possible, passing content to and from cloud storage when they need to work from a keyboard attached to a PC. But as desktops and their attached monitors age, they are replaced in a way that supports smartphones as our main computing devices — flatscreen monitors, USB keyboards and mice, more powerful small-footprint external storage.

And ever increasing software-as-a-service (SaaS) combined with cloud storage.

Apple’s business model isn’t and hasn’t been just iPhones. Not since the debut of the iPod in October 2001 has Apple’s business model been solely focused on devices and the operating system required to drive them. Heck, not since the debut of iTunes in January 2001 has that been true.

Is there a finite limit to iPhones’ market? Yeah. Same for competing Android-driven devices. But is Apple’s business just iPhones? Not if iTunes — a SaaS application — is an indicator. As of 2014, there were ~66 million iPhones in the U.S., compared to ~800 million iTunes users. And Apple’s current SaaS offerings have exploded over time; the Apple store offers millions of apps created by more than nine million registered developers.

At least nine million registered developers. That number alone should tell you something about the real business model.

iPhones are a delivery mechanism, as are Android-based phones. The video embedded above shows just how powerful Android mobile devices can be, and the shift long underway is not based on Apple’s platform alone. If any business model is brittle right now, it’s desktop computing and any software businesses that rely solely on desktops. How does that change your worldview about the economy and cybersecurity? Did anyone even notice how little news was generated about the FBI accessing the San Bernardino shooter’s PCs? Was that simply because of the locked Apple iOS account, or was it in part because the case mirrored society’s shift to computing and communications on mobile devices?

File under ‘Stupid Michigan Legislators‘: Life sentences for automotive hackers?
Hey. Maybe you jackasses in Michigan’s state senate ought to deal with the permanent poisoning of nearly 8000 children in Flint before doing something really stupid like making one specific kind of hacking a felony worthy of a life sentence. And maybe you ought to do a little more homework on hacking — it’s incredibly stupid to charge a criminal with a life sentence for a crime as simple as entry permitted by wide-open unlocked doors. Are we going to allocate state money to chase hackers who may not even be in this country? Are we going to pony up funds for social media monitoring to catch hackers talking about breaching wide-open cars? Will this law deter citizen white hats who identify automakers’ vulnerabilities? File this mess, too, under ‘Idiotic Wastes of Taxpayers’ Money Along with Bathroom Legislation by Bigots‘. This kind of stuff makes me wonder why any smart people still live in this state.

File this, too, under ‘Stupid Michigan Legislators‘: Lansing Board of Water and Light hit by ransomware
Guess where the first ransomware attack on a U.S. utility happened? Do I need to spell it out how ridiculous it looks for the electric and water utility for the state’s capitol city to be attacked by ransomware while the state’s legislature is worrying about who’s using the right bathroom? Maybe you jackasses in Lansing ought to look at funding assessment and security improvements for ALL the state’s utilities, including both water safety and electricity continuity.

Venezuela changes clocks to reduce electricity consumption
Drought-stricken Venezuela already reduced its work week a month ago to reduce electricity demand. Now the country has bumped its clocks forward by 30 minutes to make more use of cooler early hour during daylight. The country has also instituted rolling blackouts to cutback on electricity. Cue the right-wing pundits claiming socialism has failed — except that socialism has absolutely nothing to do with a lack of rainfall to fill reservoirs.

Coca Cola suing for water as India’s drought deepens
This is a strong piece, worth a read: Whose Water Is It Anyway?

After a long battle, the UN declared in 2010 that clean water was a fundamental right of all citizens. Easier said than done. The essential, alarming question has become, ‘Who does the groundwater belong to?’ Coca Cola is still fighting a case in Kerala where the farmers rebelled against them for using groundwater for their bottling plants. The paddy fields for miles around dried up as water for Coke or the company’s branded bottled water was extracted and transported to richer urban consumers.

Who did that groundwater belong to? Who do our rivers belong to? To the rich and powerful who can afford the resources to draw water in huge quantities for their industries. Or pollute the rivers with effluent from their industries. Or transport water over huge distances at huge expense to turn it into profit in urban areas.

Justus Rosenberg: One of Hannah Arendt’s rescuers
Ed Walker brought this piece to my attention, a profile of 95-year-old Justus Rosenberg featured in this weekend’s New York Times. I love the last two grafs especially; Miriam Davenport characterized Rosenberg as “a nice, intelligent youngster with no family, no money, no influence, no hope, no fascinating past,” yet he was among those who “…were a symbol of sorts, to me, in those days […] Everyone was moving Heaven and earth to save famous men, anti-fascist intellectuals, etc.” Rosenberg was a superhero without a cape.

That’s our week started. See you tomorrow morning!

See you tomorrow morning!

Friday Morning: This Thing Called Life

/15 Comments/in , /by

It’s Friday, when we usually cover a different jazz genre. But we’re playing these sorry cards we’ve been dealt this week and observing the passing of a great artist.

We’ll probably all be sick of seeing this same video, but it is one of the very few of Prince available for embedding with appropriate intellectual property rights preserved. It’s a result of Prince’s tenacious control over his artistic product that we won’t have ready access to his past performances, but this same tenacity taught many artists how to protect their interests.

It’s worth the hour and a quarter to watch the documentary Prince in the 1980s; the enormity of his talent can’t be understood without reactions by professionals to his abilities.

The way his voice slides easily into high registers at 05:44, his guitar playing beginning at 06:53, offer us just the smallest glimpses of his spectacular gifts.

Good night, sweet Prince, may flights of angels sing thee to thy rest.

Great Google-y moogley

  • European Community’s Antitrust Commission issued a Statement of Objections regarding perceived breaches of antitrust laws by Google’s Android operating system (European Commission press release) — The EU has a problem with Android’s ~90% market share in some member states. They may have a tough time with their case as the EU did very little to preserve the Nokia Symbian OS when Microsoft bought Nokia phone business. Their point about lack of application interoperability and portability between mobile devices is also weak as they did not make that case with Windows-based applications on personal computers. Further, Google has been aggressive to the point of annoyance in its efforts to segregate Android and Google apps — I can attest to this, having a handful of Android devices which have required irritating application upgrades to facilitate this shift over the last year and a half. This will be an interesting case to watch.
  • The second annual Android Security Report was released on Google’s blog this week (Google Blog) — Some interesting numbers in this report, including Google’s revelation that it scans 400 million devices a day. Gee, a figure intelligence agencies must envy.
  • Roughly 29% of Android devices can’t be accessed to issue monthly security patches (Naked Security) — Sophos has a bit of an attitude about the back-of-the-envelope number it scratched out, calculating a little more than 400 million Android devices may not be running modern Android versions Google can patch, or may not be accessible to scanning for patching. You’d think a cybersecurity vendor would revel in this opportunity to sell product. Or that an otherwise intelligent and successful security firm would recognize the numbers reflect Android’s continued dominance in the marketplace with more than 1.4 billion active devices. The risk is big, but how much of that risk is due to the success of the devices themselves — still highly usable if aging, with insufficient memory for upgrades? Sounds so familiar (*cough* Windows XP)…
  • Google passed a benchmark with mobile version of Chrome browser on more than 1 billion devices (Business Insider) — Here’s another opportunity to screw up interpretation of data: mobile Chrome works on BOTH Android and iOS devices. I know for a fact the latest mobile Chrome will NOT work on some older Android devices.

Under Not-Google: Opera browser now has free built-in VPN
A lesser-known browser with only 2% of current market share, Opera is a nice alternative to Chrome and Firefox. Its new built-in free VPN could help boost its market share by offering additional privacy protection. It’s not clear this new feature will protect users against censorship tools, though — and this could be extremely important since this Norwegian software company may yet be acquired by a Chinese company which placed a bid on the firm a couple of months ago.

Definitely Not-Google: Apple cracker cost FBI more than $1 million
Can’t swing an iPad without hitting a report on FBI director James Comey’s admission at the Aspen Security Forum this week in Londn that cracking the San Bernardino shooter’s work iPhone cost “more than I will make in the remainder of this job, which is 7 years and 4 months,” or more than $1 million dollars. Speaking of exorbitant expenses, why was Comey at this forum in London? Oh, Comey was the headliner for the event? Isn’t that interesting…wonder if that speaking gig came with speaker’s fee?

That’s it for this week’s morning roundups. Hope you have a nice weekend planned ahead of you!

Monday Morning: Synthesized Brain

/6 Comments/in , /by

When you need a break this hectic Monday morning, take five minutes and watch ANA from Factory Fifteen. I’m intrigued by the props and set — how much is CGI, and how much is actual production line? What company allowed this production company access to their equipment?

Though snappy and visually engaging, the story’s not realistic — yet. But much of the equipment on the production line is very close to that used in manufacturing today. And just as depicted in this short film, the weakest link is the human.

Worth keeping in mind this week as we plow deeper into the conflict at the intersection of humans and devices. Speaking of which…

Apple-heavy week ahead

  • Hearing in California tomorrow in front of Judge Sheri Pym over the San Bernardino’s shooter’s iPhone. Be sure to read Marcy’s take on the hearing and witnesses.
  • WLTX of Columbia SC posted a timeline of #AppleVsFBI events — unfortunately, it starts on February 16 with Judge Pym’s order to Apple.
  • NYT reported last week that Apple employees may quit if Apple is ordered to cooperate and write security-undermining code. But is this a deliverable in itself? The article offered an incredible amount of detail about Apple’s operations; if employees quit, any entities observing the technology company will know even more. Has this shakedown been designed to yield information about Apple’s operations, while risking corporate and personal security?
  • Apple will release information about new products today at a media event. The buzz may be less about the new products than the hearing tomorrow.
  • An iPhone 6 bursting into flames during a flight to Hawaii didn’t help Apple. One might wonder why this particular phone flamed out so spectacularly as it’s a relatively new device.

HEADS UP TECH USERS

  • Kindle users: Amazon is forcing a mandatory update across all its older Kindle reader devices. Deadline: TOMORROW MARCH 22 — after that date, users will have to manually update devices and download books via PC and not over the internet.
  • Tweetdeck users: Owner Twitter will kill the Windows app on April 15th. After that time, Windows-based users will need to use a browser. Can’t blame Twitter–it’s ridiculously expensive to write and service so many apps when the same devices usually have a browser.
  • Android users: 1) Protect your privacy and security by checking these settings; 2) Check this setting, stat, to prevent unauthorized access.
  • Nexus users: Make sure you have the latest patch issued last week. All other Android users should nag their equipment makers for their version of the same patch.

Before the machines complete their occupation of our world…

  • Nice read on law emerging with the rise of robots. Too bad none of them really incorporate Asimov’s Three Laws of Robotics. (The Atlantic)
  • Want to bet the overlords will argue workers should be paid less because they don’t have to work as hard wearing an exoskeleton — like these at Panasonic? (By the way, DARPA, that’s yet another commercially-developed exoskeleton near release; where’s yours/ours?) (Mashable)
  • Artificial intelligence already pitted against humans by those bloody banksters. Watch this video and ask yourself if this guy from Global Capital Acquisitions realizes there are humans at the nodes of the investment network whose lives are affected by his blah-blah-blah-babbling about artificial intelligence. STG he could be a machine himself. (Bloomberg)
  • Myths about AI busted – another solid read. Combined with the preceding Bloomberg bankster video it reinforces AI threat awareness. (Gizmodo)

After watching that video at Bloomberg, I think we’re a lot closer to ANA than we realized. Watch your backs — Monday is certainly gaining on you, if robots aren’t.

Monday Morning: Swivel, Heads

/2 Comments/in , /by

Somebody out there knows what this tune means in my household. For our purposes this Monday morning, it’s a reminder to take a look around — all the way around. Something might be gaining on you.

Let’s look…

Android users: Be more vigilant about apps from Google Play
Better check your data usage and outbound traffic. Seems +300 “porn clicker” apps worked their way around Google Play’s app checking process. The apps rack up traffic, fraudulently earning advertising income; they persist because of users’ negligence in vetting and monitoring downloaded apps (because Pr0N!) and weakness in Google’s vetting. If this stuff gets on your Android device, what else is on it?

IRS’ data breach bigger than first reported
This may also depend on when first reporting occurred. The number of taxpayers affected is now ~700,000 according to the IRS this past Friday, which is considerably larger than the ~464,000 estimated in January this year. But the number of taxpayers affected has grown steadily since May 15th last year and earlier.

Did we miss the ‘push for exotic new weapons’?
Nope. Those of us paying attention haven’t missed the Defense Department’s long-running efforts developing new tools and weapons based on robotics and artificial intelligence. If anything, folks paying attention notice how little the investment in DARPA has yielded in payoff, noting non-defense development moving faster, further, cheaper — a la SuitX’s $40K exoskeleton, versus decades-plus investment by DARPA in exoskeleton vaporware. But apparently last Tuesday’s op-ed by David Ignatius in WaPo on the development of “new exotic weapons” that may be deployed against China and Russia spawned fresh discussion to draw our attention to this work. THAT is the new development — not the weapons, but the chatter, beginning with the Pentagon and eager beaver reporter-repeaters. This bit here, emphasis mine:

Pentagon officials have started talking openly about using the latest tools of artificial intelligence and machine learning to create robot weapons, “human-machine teams” and enhanced, super-powered soldiers. It may sound like science fiction, but Pentagon officials say they have concluded that such high-tech systems are the best way to combat rapid improvements by the Russian and Chinese militaries.

Breathless, much? Come the feck on. We’ve been waiting decades for these tools and weapons after throwing billions of dollars down this dark rathole called DARPA, and we’ve yet to see anything commercially viable in the way of an exoskeleton in the field. And don’t point to SKYNET and ask us to marvel at machine learning, because the targeting failure rate is so high, it’s proven humans behind it aren’t learning more and faster than the machines are.

Speaking of faster development outside DARPA: Disney deploying anti-drones?
The Star Wars franchise represents huge bank — multiple billions — to its owner Disney. Control of intellectual property during production is paramount, to ensure fan interest remains high until the next film is released. It’s rumored Disney has taken measures to reduce IP poaching by fan drones, possibly including anti-drones managed by a security firm protecting the current production location in Croatia. I give this rumor more weight than the Pentagon’s buzz about exoskeletons on the battlefield.

Lickety-split quickies

That’s a wrap — keep your eyes peeled. To quote Ferris Bueller, “Life moves pretty fast. If you don’t stop and look around once in a while, you could miss it.”

Wednesday Morning: If It Ain’t Baseball, It’s Winter

/8 Comments/in , , /by

It may be sunny and 90F degrees where you are, but it’s still winter here. A winter storm warning was issued here based on a forecast 12 inches of snow and 35 mph winds out of the northeast off Lake Huron. For once, Marcy’s on the lee side of this storm and won’t be blessed with the worst of this system.

I’ll cozy up in front of the fireplace and catch up on reading today, provided we don’t have a power outage. Think I’ll nap and dream of baseball season starting in roughly five weeks.

Before the snow drifts cover the driveway, let’s take a look around.

Hey Asus: Don’t do as we do, just do as we say
Taiwanese computer and network equipment manufacturer Asus settled a suit brought by the Federal Trade Commission over Asus leaky routers. The devices’ insecurities were exposed when white hat hacker/s planted a text message routers informing their owners the devices were open to anyone who cared to look. Terms of the settlement included submitting to security auditing for 20 years.

What a ridiculous double standard: demand one manufacturer produce and sell secure products,while another government department demands another manufacturer build an insecurity.

Ads served to Android mobile devices leak like a sieve
Researchers with the School of Computer Science at the Georgia Institute of Technology presented their work yesterday at 2016 Network and Distributed System Security Symposium, showing that a majority of ads not only matched the mobile user but revealed personal details:

• gender with 75 percent accuracy,
• parental status with 66 percent accuracy,
• age group with 54 percent accuracy, and
• could also predict income, political affiliation, marital status, with higher accuracy than random guesses.

Still some interesting work to be presented today before NDSS16 wraps, especially on Android security and social media user identity authentication.

RICO – not-so-suave – Volkswagen
Automotive magazine Wards Auto straps on the kneepads for VW; just check this headline:

Diesel Reigns in Korea as Volkswagen Scandal Ebbs

“Ebbs”? Really? Au contraire, mon frère. This mess is just getting started. Note the latest class-action lawsuit filed in California, this time accusing VW and its subsidiaries Audi and Porsche as well as part supplier Bosch of racketeering. Bosch has denied its role in the emissions controls defeat mechanism:

…The company has denied any involvement in the alleged fraud, saying it sold an engine control unit to Volkswagen, but that Volkswagen was responsible for calibrating the unit.

The scandal’s only just getting going when we don’t know who did what and when.

Worth noting Wards’ breathless excitement about VW passenger diesel sales uptick in South Korea. But then Wards ignores South Korea’s completely different emissions standards as well as the specifics in promotions for that market. Details, details…

Splash and dash

Don’t miss Ed Walker’s latest in his series on totalitarianism and Marcy’s fresh exasperation with polling on FBI vs Apple. Wind’s brisk out of the north, bringing the first wave of flurries. I’m off to check the gasoline in the snowblower and wax my snow shovels.

Tuesday Morning: Don’t Drive Angry

/10 Comments/in , , /by

Okay, campers, rise and shine! It’s Groundhog Day! Like that genius film Groundhog Day we are stuck in an unending, repeating hell — like the dark circus that is our general election cycle in the U.S.

The lesson: it’s hell by choice. Let’s choose better. What’ll we choose today?

BPS, replacement for plastic additive BPA, not so safe after all
Here’s a questionable choice we could examine: using BPS in “BPA-free” plastics. A study by Geffen School of Medicine at UCLA found that BPS negatively affects reproductive organs and increased the likelihood of “premature birth” in zebrafish, accelerating development of the embryos. Relatively small amounts and short exposures produced effects.

As disturbing as this finding may be, the FDA’s approach to BPA is worrisome. Unchanged since 2014 in spite of the many studies on BPA, the FDA’s website says BPA is safe. Wonder how long it will be before the FDA’s site says BPS is likewise safe?

Exoskeleton assists paraplegic for only $40,000
Adjustable to its wearer’s body, SuitX’s exoskeleton helps paraplegic users to walk, though crutches are still needed. It’s not a perfect answer to mobility given the amount of time it takes to put on the gear, but it could help paraplegics avoid injuries due to sitting for too long in wheelchairs. It’s much less expensive than a competing exoskeleton at $70K; the price is expected to fall over time.

SuitX received an NSF grant of $750,000 last April for its exoskeleton work. Seems like a ridiculous bargain considering how much we’ve already invested in DARPA and other MIC-development of exoskeletons with nothing commercial to show for it. Perhaps we should choose to fund more NSF grants instead of DOD research?

Patches and more patches — Cisco, Android, Microsoft

Dudes behaving badly

  • Former Secret Service agent involved in the Silk Road investigation and later charged with theft of $800K in Bitcoins has been arrested just one day before he was to begin serving his sentence for theft. This Silk Road stuff is a movie or cable series waiting to happen.
  • Massachusett’s Rep. Katherine Clark, who proposed the Interstate Swatting Hoax Act last November, was swatted this weekend. Fortunately, the local police used a low-key approach to the hoax call. Way to make the case for the bill‘s passage, swatters, let alone increased law enforcement surveillance.

I know I’ve missed something I meant to post, but I’ll choose to post it tomorrow and crawl back into my nest this morning to avoid my shadow. In the meantime, don’t drive angry!

Tesla Patches Faster than Chrysler … and than Android [UPDATED]

/17 Comments/in , /by

Wired’s hack-of-the-day story reports that researchers hacked a Tesla (unlike the Chrysler hack, it required access to the vehicle once, though the Tesla also has a browser vulnerability that might not require direct access).

Two researchers have found that they could plug their laptop into a network cable behind a Model S’ driver’s-side dashboard, start the car with a software command, and drive it. They could also plant a remote-access Trojan on the Model S’ network while they had physical access, then later remotely cut its engine while someone else was driving.

The story notes how much more proactive Tesla was in patching this problem than Chrysler was.

The researchers found six vulnerabilities in the Tesla car and worked with the company for several weeks to develop fixes for some of them. Tesla distributed a patch to every Model S on the road on Wednesday. Unlike Fiat Chrysler, which recently had to issue a recall for 1.4 million cars and mail updates to users on a USB stick to fix vulnerabilities found in its cars, Tesla has the ability to quickly and remotely deliver software updates to its vehicles. Car owners only have to click “yes” when they see a prompt asking if they want to install the upgrade.

In my understanding, Tesla was able to do this both because it responded right away to implement the fix, and because it had the technical ability to distribute the update in such a way that was usable for end users. Chrysler deserves criticism for the former (though at least according to Chrysler, it did start to work on a fix right away, it just didn’t implement it), but the latter is a problem that will take some effort to fix.

Which is one reason I think a better comparison with Tesla’s quick fix is Google’s delayed fix for the Stagefright vulnerability. As the researcher who found it explained, Google address the vulnerability internally immediately, just like Tesla did.

Google has moved quickly to reassure Android users following the announcement of a number of serious vulnerabilities.

The Google Stagefright Media Playback Engine Multiple Remote Code Execution Vulnerabilitiesallow an attacker to send a media file over a MMS message targeting the device’s media playback engine, Stagefright, which is responsible for processing several popular media formats.

Attackers can steal data from infected phones, as well as hijacking the microphone and camera.

Android is currently the most popular mobile operating system in the world — meaning that hundreds of millions of people with a smartphone running Android 2.2 or newer could be at risk.

Joshua Drake, mobile security expert with Zimperium, reports

A fully weaponized successful attack could even delete the message before you see it. You will only see the notification…Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.

Zimperium say that “Google acted promptly and applied the patches to internal code branches within 48 hours, but unfortunately that’s only the beginning of what will be a very lengthy process of update deployment.”

But with Android the updates need to go through manufacturers, which creates a delay — especially given fairly crummy updating regimes by a number of top manufacturers.

The experience with this particular vulnerability may finally be pushing Android-based manufacturers to fix their update process.

It’s been 10 days since Zimperium’s Joshua Drake revealed a new Android vulnerabilitycalled Stagefright — and Android is just starting to recover. The bug allows an attacker to remotely execute code through a phony multimedia text message, in many cases without the user even seeing the message itself. Google has had months to write a patch and already had one ready when the bug was announced, but as expected, getting the patch through manufacturers and carriers was complicated and difficult.

But then, something unexpected happened: the much-maligned Android update system started to work. Samsung, HTC, LG, Sony and Android One have already announced pending patches for the bug, along with a device-specific patch for the Alcatel Idol 3. In Samsung’s case, the shift has kicked off an aggressive new security policy that will deploy patches month by month, an example that’s expected to inspire other manufacturers to follow suit. Google has announced a similar program for its own Nexus phones. Stagefright seems to have scared manufacturers and carriers into action, and as it turns out, this fragmented ecosystem still has lots of ways to protect itself.

I make this comparison for two reasons. One, if Google — the customers of which have the hypothetical ability to send out remote patches, even if they’ve long neglected that ability — still doesn’t have this fixed, it’s unsurprising that Chrysler doesn’t yet.

But some of the additional challenges that Chrysler has that Tesla has fewer of stem from the fragmented industry. Chrysler’s own timeline of its vulnerability describes a “third party” discovering the vulnerability (not the hackers), and a “supplier” fixing it.

In January 2014, through a penetration test conducted by a third party, FCA US LLC (“FCA US”) identified a potential security vulnerability pertaining to certain vehicles equipped with RA3 or RA4 radios.

A communications port was unintentionally left in an open condition allowing it to listen to and accept commands from unauthenticated sources. Additionally, the radio firewall rules were widely open by default which allowed external devices to communicate with the radio. To date, no instances related to this vulnerability have been reported or observed, except in a research setting.

The supplier began to work on security improvements immediately after the penetration testing results were known in January 2014.

But it’s completely unclear whether that “third party” is the “supplier” in question. Which means it’s unclear whether this was found in the supplier’s normal testing process or in something else.

One reason cars are particularly difficult to test are because so many different suppliers provide parts which don’t get tested (or even adequately specced) in an integrated fashion.

Then, if you need to fix something you can’t send out over a satellite or Internet network, you’re dealing with the — in many cases — archaic relationships car makers have with dealers, not to mention the limitations of dealer staff and equipment to make the fix.

I don’t mean to excuse the automotive industry — they’re going to have to fix these problems (and the same problems lie behind fixing some of the defects tied to code that doesn’t stem from hacks, too, such as Toyota’s sudden acceleration problem).

It’s worth noting, however, how simplified supply and delivery chains make fixing a problem a lot easier for Tesla than it is for a number of other entities, both in and outside of the tech industry.

UPDATE — 4:30 PM EDT —

Hey, it’s Rayne here, adding my countervailing two cents (bitcoins?) to the topic after Marcy and I exchanged a few emails about this topic. I have a slightly different take on the situation since I’ve done competitive intelligence work in software, including open source models like Android.

Comparing Fiat Chrysler’s and Google’s Android risks, the size and scale of the exposures are a hell of a lot different. There are far more Android devices exposed than Chrysler car models at risk — +1 billion Android devices shipped annually around the globe as of 4Q2014.

Hell, daily activations of Android devices in 2013 were 1.2 million devices per day — roughly the same number as all the exposed Chrysler vehicles on the road, subject to recall.

Google should have a much greater sense of urgency here due to the size of the problem.

Yet chances of a malware attack on an Android device actually causing immediate mortal threat to one or more persons is very low, compared to severity of Chrysler hack. Could a hacker tinker with household appliances attached via Android? It’s possible — but any outcome now is very different from a hacker taking over and shutting down a vehicle operating at high speed in heavy traffic, versus shutting off a Phillips remote-controlled Hue lamp or a Google Nest thermostat, operating in the Internet of Things. The disparity in annoyance versus potential lethality may explain why Google hasn’t acted as fast as Tesla — but it doesn’t explain at all why Chrysler didn’t handle announcing their vulnerability differently. Why did they wait nearly a year to discuss it in public? Read more