
Wednesday Morning: Woe, Nelly, Woe

I meant woe, not whoa. I do know the difference.

It’s woe I was thinking of when I wrote this next bit.

What would you do if you were told you wouldn’t be paid for last 2 months of a 9-month job?
Let’s say you have kids to feed, a mortgage/car payment/college loan payments to make, childcare to pay, out-of-pocket healthcare costs — you know, all the expenses the average working person has.

In spite of one or more obligatory college degrees, continuing education requirements and mandatory background checks, your job requires you to work in facilities where ‘mushrooms, black mold, fecal matter, dead rodents, no heat’ are common. It’s a workplace functioning like Flint’s water crisis, and it’s been this way for more than a decade. Fellow employees have had to bring in paper towels and light bulbs from home or solicit them as donations to the workplace.

Because of your employer’s money woes, you may even have made a concession agreeing to collect your pay over 3-4 months instead of the next six to eight weeks you are actually scheduled to work.

And then your employer’s employer says they aren’t going to pay, and you might have to work without pay for the next six weeks. Unpaid, as in violation of labor laws unpaid.

And your employer’s employer has a history of acting both in bad faith and with prejudice. Your workplace hasn’t improved for years; children were permanently poisoned and adults died as a result of their awful handiwork on this and other projects.

What would you do? Quietly stay at your desk working and hope for the best, or walk out in protest to demand action?

The employer’s employer accuses you of all manner of bad things, and is actively undermining your rights to organize, by the way.

Welcome to the Detroit Public School system, and welcome to more of Michigan’s obnoxious and toxic GOP-led legislating. Pretty sure the jerks who are causing this latest crisis by grandstanding on teachers’ backs don’t care if the president arrives here in Michigan today.

Dude caught on video sprinkling substance on food arrested by FBI
As if we didn’t have enough to worry about in Michigan, some whackjob has been sprinkling a mixture of hand sanitizer and rodent poison on food in stores, including salad buffets. He was caught on security camera in Ann Arbor, but he is alleged to have sprinkled this mix in multiple stores in Ypsilanti, Saline, Birch Run, and Midland. The mixture is not supposed to be toxic, but who wants to eat remnants of isopropyl alcohol and an anticoagulant? What the hell was this all about anyhow?

Canadian city of 80,000 forced to evacuate overnight due to massive wildfire
Mind-boggling to think of an urban center this size forced to flee on such short notice, but Fort McMurray did just that beginning late afternoon yesterday. Even the local hospital was emptied as fire leaped from undeveloped to developed areas, consuming neighborhoods. 80% of homes in the Beacon Hill neighborhood are ash. Conditions have been unusually warm and dry in the region; the local temperature was 83°F before the evacuation notice was issued. Weather conditions today are expected to be hotter (32°C/90°F) and WSW winds stronger ahead of a cold front, likely spreading the fire even farther to the northeast.

The area around Fort McMurray has only been in moderate drought conditions, yet the fire was explosive, doubling in size in a matter of hours. Can’t begin to imagine what might happen in areas where conditions are drier while this climate-enhanced super El Nino continues.

Volkswagen’s former head of engine and transmission development exits company
Wolfgang Hatz, suspended by VW for his role in Dieselgate, chose voluntarily to leave the company. This bit in NYT’s article is choice:

In 2007, shortly after being named head of engine and transmission development at Volkswagen, Mr. Hatz complained at an event in San Francisco that new rules on tailpipe emissions in California were unrealistic.

“I see it as nearly impossible for us,” Mr. Hatz said of a proposed regulation during the event, which was filmed by an auto website.

In other words, Hatz didn’t see the purpose of the regulation, didn’t perceive a challenge to design truly clean diesel — he saw an obstruction he needed to bypass. Auf Wiedersehen, Herr Hatz.

Odds and sods

  • Middle Eastern drought worst in 900 years (NASA) — Drought map of Cyprus, Israel, Jordan, Lebanon, Palestine, Syria, and Turkey looks awful, but Egypt — wow.
  • Wars might be caused by lack of water (Scientific American) — I sense a theme developing…hey, guess when the Crusades were? 900 years ago.
  • Study shows stocks overvalued often, too long (Phys.org) — Huh. Interleaves with economic social theory of reflexivity, that.
  • Third leading cause of death in U.S.: medical errors (Science Daily) — Grok this: 250,000 deaths a year. You’d think insurance companies and policy makers would look into this, considering annual death toll is like ten times that on 9/11. Imagine if we spend tax dollars on fixing this and improving health care instead of militarizing against the rare-to-non-existent domestic terror attack.
  • Tesla’s residential battery, Powerwall, now for sale (Bloomberg) — Residential solar may now explode with growth. We can only hope.

It’s supposedly downhill from the top of this hump. Race you to the bottom!

Tesla Patches Faster than Chrysler … and than Android [UPDATED]

Wired’s hack-of-the-day story reports that researchers hacked a Tesla (unlike the Chrysler hack, it required access to the vehicle once, though the Tesla also has a browser vulnerability that might not require direct access).

Two researchers have found that they could plug their laptop into a network cable behind a Model S’ driver’s-side dashboard, start the car with a software command, and drive it. They could also plant a remote-access Trojan on the Model S’ network while they had physical access, then later remotely cut its engine while someone else was driving.

The story notes how much more proactive Tesla was in patching this problem than Chrysler was.

The researchers found six vulnerabilities in the Tesla car and worked with the company for several weeks to develop fixes for some of them. Tesla distributed a patch to every Model S on the road on Wednesday. Unlike Fiat Chrysler, which recently had to issue a recall for 1.4 million cars and mail updates to users on a USB stick to fix vulnerabilities found in its cars, Tesla has the ability to quickly and remotely deliver software updates to its vehicles. Car owners only have to click “yes” when they see a prompt asking if they want to install the upgrade.

In my understanding, Tesla was able to do this both because it responded right away to implement the fix, and because it had the technical ability to distribute the update in such a way that was usable for end users. Chrysler deserves criticism for the former (though at least according to Chrysler, it did start to work on a fix right away, it just didn’t implement it), but the latter is a problem that will take some effort to fix.

Which is one reason I think a better comparison with Tesla’s quick fix is Google’s delayed fix for the Stagefright vulnerability. As the researcher who found it explained, Google addressed the vulnerability internally immediately, just like Tesla did.

Google has moved quickly to reassure Android users following the announcement of a number of serious vulnerabilities.

The Google Stagefright Media Playback Engine Multiple Remote Code Execution Vulnerabilities allow an attacker to send a media file over a MMS message targeting the device’s media playback engine, Stagefright, which is responsible for processing several popular media formats.

Attackers can steal data from infected phones, as well as hijacking the microphone and camera.

Android is currently the most popular mobile operating system in the world — meaning that hundreds of millions of people with a smartphone running Android 2.2 or newer could be at risk.

Joshua Drake, mobile security expert with Zimperium, reports:

A fully weaponized successful attack could even delete the message before you see it. You will only see the notification…Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.

Zimperium say that “Google acted promptly and applied the patches to internal code branches within 48 hours, but unfortunately that’s only the beginning of what will be a very lengthy process of update deployment.”

But with Android the updates need to go through manufacturers, which creates a delay — especially given fairly crummy updating regimes by a number of top manufacturers.

The experience with this particular vulnerability may finally be pushing Android-based manufacturers to fix their update process.

It’s been 10 days since Zimperium’s Joshua Drake revealed a new Android vulnerability called Stagefright — and Android is just starting to recover. The bug allows an attacker to remotely execute code through a phony multimedia text message, in many cases without the user even seeing the message itself. Google has had months to write a patch and already had one ready when the bug was announced, but as expected, getting the patch through manufacturers and carriers was complicated and difficult.

But then, something unexpected happened: the much-maligned Android update system started to work. Samsung, HTC, LG, Sony and Android One have already announced pending patches for the bug, along with a device-specific patch for the Alcatel Idol 3. In Samsung’s case, the shift has kicked off an aggressive new security policy that will deploy patches month by month, an example that’s expected to inspire other manufacturers to follow suit. Google has announced a similar program for its own Nexus phones. Stagefright seems to have scared manufacturers and carriers into action, and as it turns out, this fragmented ecosystem still has lots of ways to protect itself.

I make this comparison for two reasons. One, if Google — the customers of which have the hypothetical ability to send out remote patches, even if they’ve long neglected that ability — still doesn’t have this fixed, it’s unsurprising that Chrysler doesn’t yet.

But some of the additional challenges Chrysler faces, which Tesla faces to a lesser degree, stem from the fragmented industry. Chrysler’s own timeline of its vulnerability describes a “third party” discovering the vulnerability (not the hackers), and a “supplier” fixing it.

In January 2014, through a penetration test conducted by a third party, FCA US LLC (“FCA US”) identified a potential security vulnerability pertaining to certain vehicles equipped with RA3 or RA4 radios.

A communications port was unintentionally left in an open condition allowing it to listen to and accept commands from unauthenticated sources. Additionally, the radio firewall rules were widely open by default which allowed external devices to communicate with the radio. To date, no instances related to this vulnerability have been reported or observed, except in a research setting.

The supplier began to work on security improvements immediately after the penetration testing results were known in January 2014.

But it’s completely unclear whether that “third party” is the “supplier” in question. Which means it’s unclear whether this was found in the supplier’s normal testing process or in something else.
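FCA’s notice describes two distinct failures: a listener that accepted commands from unauthenticated sources, and firewall rules that were open by default. The following is an added example, not code from the post or from FCA or its supplier, showing how a defender can audit an `iptables-save` style ruleset for exactly those two conditions. Both rule dumps are constructed for illustration; the port numbers and addresses are placeholders and are not the vehicle’s actual ports.

```python
"""Added example (not from the post or from FCA): audit an iptables-save
style ruleset for an inbound chain that is open by default and for
listeners reachable from any source. The rule dumps are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed sample: an 'open by default' filter table. The port numbers
# are placeholders, not ports from any real vehicle.
OPEN_BY_DEFAULT = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 5000 -j ACCEPT
-A INPUT -p udp --dport 5001 -j ACCEPT
COMMIT
"""

# Constructed sample: the same services, but default-deny, and each
# listener restricted to the network segment that is supposed to reach it.
DEFAULT_DENY = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 5000 -s 192.168.10.0/24 -j ACCEPT
-A INPUT -p udp --dport 5001 -s 192.168.10.5/32 -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)-j\s+(\S+)\s*$")
POLICY_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|REJECT)\b")


def parse_ruleset(text: str) -> Tuple[Dict[str, str], List[dict]]:
    """Return (chain -> default policy, list of parsed '-A' rules)."""
    policies: Dict[str, str] = {}
    rules: List[dict] = []
    for line in text.splitlines():
        line = line.strip()
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # table headers, COMMIT, blank lines
        chain, opts, target = m.groups()
        tokens = opts.split()
        rule = {"chain": chain, "target": target, "proto": None,
                "dport": None, "source": None, "iface": None}
        for i, tok in enumerate(tokens):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if tok == "-p":
                rule["proto"] = nxt
            elif tok == "--dport":
                rule["dport"] = nxt
            elif tok == "-s":
                rule["source"] = nxt
            elif tok == "-i":
                rule["iface"] = nxt
        rules.append(rule)
    return policies, rules


def audit_ruleset(text: str) -> List[str]:
    """Findings for inbound chains. A default ACCEPT policy means anything
    no rule matches gets in; a port ACCEPT with no '-s' restriction means
    any host on the network can reach that listener."""
    policies, rules = parse_ruleset(text)
    findings: List[str] = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain, "ACCEPT") == "ACCEPT":
            findings.append(f"{chain} chain is ACCEPT by default")
    for r in rules:
        if r["chain"] != "INPUT" or r["target"] != "ACCEPT":
            continue
        if r["iface"] == "lo":
            continue  # loopback-only rules are not reachable externally
        if r["dport"] is not None and r["source"] is None:
            findings.append(
                f"INPUT accepts {r['proto']}/{r['dport']} from any source")
    return findings


if __name__ == "__main__":
    for name, dump in (("open-by-default", OPEN_BY_DEFAULT),
                       ("default-deny", DEFAULT_DENY)):
        print(name, audit_ruleset(dump) or ["no findings"])
```

The audit deliberately treats a missing chain policy as ACCEPT, because that is what an auditor should assume until the dump proves otherwise; the hardened ruleset produces no findings only because both the default policy and every per-port rule are tightened together.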

One reason cars are particularly difficult to test is that so many different suppliers provide parts which don’t get tested (or even adequately specced) in an integrated fashion.

Then, if you need to fix something you can’t send out over a satellite or Internet network, you’re dealing with the — in many cases — archaic relationships car makers have with dealers, not to mention the limitations of dealer staff and equipment to make the fix.

I don’t mean to excuse the automotive industry — they’re going to have to fix these problems (and the same problems lie behind fixing some of the defects tied to code that doesn’t stem from hacks, too, such as Toyota’s sudden acceleration problem).

It’s worth noting, however, how simplified supply and delivery chains make fixing a problem a lot easier for Tesla than it is for a number of other entities, both in and outside of the tech industry.

UPDATE — 4:30 PM EDT —

Hey, it’s Rayne here, adding my countervailing two cents (bitcoins?) to the topic after Marcy and I exchanged a few emails about this topic. I have a slightly different take on the situation since I’ve done competitive intelligence work in software, including open source models like Android.

Comparing Fiat Chrysler’s and Google’s Android risks, the size and scale of the exposures are a hell of a lot different. There are far more Android devices exposed than Chrysler car models at risk — +1 billion Android devices shipped annually around the globe as of 4Q2014.

Hell, daily activations of Android devices in 2013 were 1.2 million devices per day — roughly the same number as all the exposed Chrysler vehicles on the road, subject to recall.

Google should have a much greater sense of urgency here due to the size of the problem.

Yet chances of a malware attack on an Android device actually causing immediate mortal threat to one or more persons is very low, compared to severity of Chrysler hack. Could a hacker tinker with household appliances attached via Android? It’s possible — but any outcome now is very different from a hacker taking over and shutting down a vehicle operating at high speed in heavy traffic, versus shutting off a Philips remote-controlled Hue lamp or a Google Nest thermostat, operating in the Internet of Things. The disparity in annoyance versus potential lethality may explain why Google hasn’t acted as fast as Tesla — but it doesn’t explain at all why Chrysler didn’t handle announcing their vulnerability differently. Why did they wait nearly a year to discuss it in public?