Insecure IoT

Vulnerabilities in Brink’s Smart Safe
https://www.schneier.com/blog/archives/2015/08/vulnerabilities_4.html

This is far from shocking to anyone who has studied infosec. More of a total yawn, actually. Clueless people racing to claim market segments are naturally going to trip over complex things like security. Anything meant to be secure only has a chance of being such if the only way to change configuration is to properly authenticate. Customers hate that, though, because when they forget their password then they have an expensive brick on their hands. I experienced that myself: I bought a solid state computer I was intending at the time to use for hosting my web sites (my provider, at the time, was being incredibly unresponsive to my complaints). I chose a password that would be trivial to remember so naturally didn’t write it down. Over a year later I remember the thing is sitting in the basement and lo and behold, I have no idea what the damn password is. I believe I was eventually able to reset the box and get back onto it (I can’t remember, it was many months ago when I tried for a couple of days), but anyone else who had physical possession of the box could also do that. I quite doubt that the drive was encrypted such that it became a incomprehensible mess upon reset, I expect all the data would be there plain as day. Since I only paid a couple of hundred for the box I was frustrated, but it wasn’t a big deal. What if you had paid 100’s of thousands or millions? In that case you would demand that there be a back door (but only a ‘secure one’, whatever the hell that means!) so if the gewgaw was unable to be reached for some reason you could get around it and still get your money’s worth.

Real security is expensive and hard and is still steeped with vulnerabilities. Anything else is just window dressing advertising to a credulous customer designed to improve profit margins at the expense of ignorance.

Beware Pita!

TEMPEST Attack
https://www.schneier.com/blog/archives/2015/06/tempest_attack.html

As usual for Schneier’s blog, the comments are at least as interesting as the article.

I haven’t blogged on infosec in a while (true, I haven’t blogged in a while, but I was out all last week on ‘vacation’ sweating my ass off in preparation for our July 4th party (which went very well indeed!)), because of my job I have to be careful and decided it would be better to avoid the topic. However, this one appears safe. It is interesting that these sorts of emanations are detectable at even this distance, I would think there would be so much inadvertent shielding and noise that you would have to put a detector directly on the laptop to get the data. TEMPEST has always been interesting to me, though I only discovered it by accident when I was looking around for the Tempest video game (one of my favorites, by far; I have avoided trying to purchase a refurbished unit because I would probably spend all day playing and have other things I need to do). In the old CRT days you could have a van parked in a parking lot a goodly distance away and be able to recreate the screen image (with appropriate equipment, of course) and it was interesting when people created fonts that would defeat such attempts. I am sure TEMPEST is alive and well, but defense against these sorts of things is relatively easy: just put a bunch of distance between yourself and any potential adversaries. The inverse square law is unyielding in its power and, as the above article shows, inches matter.

Outlaw paper shredders!

Congressman Warns of Encrypted “Dark Spaces”; Another Says: “Ooooh It Sounds Really Scary”
https://firstlook.org/theintercept/2015/06/03/one-congressman-warns-encrypted-dark-spaces-another-says-ooooh-sounds-really-scary/

“The notion that encryption is somehow different than other forms of destroying and hiding things is simply not true,” Lieu told The Intercept. “Forty years ago, you could make the statement that paper shredders are one of the most damaging things to national security because they destroy documents that law enforcement might want to see.”

It is almost (almost) amusing to me how clueless these people who claim to represent us are (of course, they actually represent the elite 0.001%). I don’t recall the specifics, but fairly recently (couple of years ago) some idiot senator or representative endlessly championed our governments ‘need’ to read everyone’s mail, that is, until she found out that the govt was reading _her_ mail. Suddenly she was against it. What the hell did she think? Oh yeah, she didn’t…

And the idea that somehow the government can have a backdoor that only the government, under a court order (like that has been working so far!) can access. Even in the unbelievably unlikely situation where the backdoor created is unhackable (vanishingly small, so small it is unrealistic in a real world to consider possible, let alone probable), how long until corrupt members of our law enforcement start to use the access without going through proper channels (which, naturally, themselves are subject to abuse).

Shhh! Your TV is listening…

Samsung Privacy Policy: Watch What You Say Around Your Smart TV
http://abcnews.go.com/Technology/samsung-privacy-policy-watch-smart-tv/story?id=28829387

Not terribly surprising to me given that with the proper malware installed on your phone anyone can listen to any nearby conversation and that people can also turn on your video camera on your computers to see what there is to see (increasingly, TVs are also coming with cameras!). ‘Tis the new world order, us paranoid people just have to adjust…

Wow! Email encryption relies on just ONE guy!

The World’s Email Encryption Software Relies on One Guy, Who is Going Broke
Werner Koch’s code powers the email encryption programs around the world. If only somebody would pay him for the work.
http://www.propublica.org/article/the-worlds-email-encryption-software-relies-on-one-guy-who-is-going-broke

Also interesting comments here.

It is amazing how many fundamental pieces of open source software are dependent on a handful (or just one) person. There are a few that are supported by large groups, for instance Linux, Apache, gcc, but so many are hanging by a thread. It would be nice to see some process whereby these people could be compensated, but I am not holding my breath.

Steadily chipping away…

The Most Important Trial in America
The federal government’s case against the proprietor of a ‘darknet’ website could forever alter how we all use the Internet.
http://www.thedailybeast.com/articles/2015/01/14/the-most-important-trial-in-america.html

This is something that deserves higher visibility, so I will do my small (tiny (infinitesimal)) part to widen the scope. I agree with this statement:

I have no idea if he is innocent or guilty of all or some of the charges against him, but the manner in which his prosecution is playing out should disturb anyone who cares about justice.

When the government is allowed to break laws willy nilly and the justice department stands idly by, we are no longer a nation of laws. Of course, this has been a reality for quite a while, but sometimes it is hard to convince the sheeple that these things are important. Perhaps one day the government will finally reach a point where they take on someone who isn’t successfully demonized and the sheeple will rally. Or perhaps not…

When things worked as planned…

The Astonishing Story of the Federal Reserve on 9-11
http://www.dailykos.com/story/2014/09/10/1328813/-The-Astonishing-Story-of-the-Federal-Reserve-on-9-11

Yes, I know that the Fed really isn’t part of the govt, so this really isn’t praise for the govt, but it is an amazing read and remarkably gripping considering it is about banking and mundane things like check clearing. Give it a read, I think you will be surprised, perhaps even shocked, how James Bondian it reads.

I never really gave it much thought, but 9/11 really was a worst-case scenario for the banking system. So much banking is in NYC and in and surrounding the Trade Center that in retrospect the fact that our economy didn’t melt down is a tribute to the largely unseen people making things work. A little sad to me that the heroic work of these unsung heros is tarnished (to put it mildly) by the greedy ‘capitalists’ in Wall Street out to make a buck.

On an unrelated issue I am too lazy to make as a separate blog entry for, anyone notice that Ebola is about to become a huge deal?

Ebola outbreak: Experts warn cases could number one million by January as ‘window closes’ to stop disease becoming endemic

It becomes increasingly hard to avoid the tin-hat thinking that, given the number of companies developing an Ebola Vaccine (my dear wife works at the NIH Vaccine Research Center and is in the midst of testing one such vaccine), this is entirely coincidental. It is amazing timing that just as a couple of vaccines are ready for human testing there is an outbreak that looks like it will become an epidemic. No doubt these companies have already seen their stock skyrocket; presuming their vaccines show efficacy (the preliminaries are very encouraging) no doubt many countries will stockpile huge amounts of their vaccine even further inflating their value. I wonder, though, if any of that money will translate to vaccines given to the at-risk population, given that most of those countries have little or no hard currency and some barely have governments.

Also, with the massive increase in the number of people infected, we are performing a giant experiment to increase the transmissibility of the disease, much like that done to ferrets (for those of you who missed it, this paper was briefly censored because people were worried about terrorists using the same technique; here we are doing it ‘naturally’ instead). If you were lacking for reasons to lie awake at night, this should help fill the need.

Where there is money, a will and a way will follow

I found this on Bruce Schneier’s blog:

Fingerprinting Computers By Making Them Draw Images

Here’s a new way to identify individual computers over the Internet. The page instructs the browser to draw an image. Because each computer draws the image slightly differently, this can be used to uniquely identify each computer. This is a big deal, because there’s no way to block this right now.

I glanced at the paper and it is a bit interesting. By getting your computer’s hardware to produce an image they can identify the machine with a high degree of accuracy. Of course, one would presume that that level of hardware access would be blocked by the browser sandbox, but they found a clever way to step around that limitation. This approach will, of course, be quickly blocked by many of the browser writers (I am sure that the Firefox developers are almost done with a patch), but there is a HUGE amount of money out there for products such as these and I have no doubt that variations on a theme will be blasting out soon. It is interesting to me, though, that the very success with tools such as these puts a hard lifetime on their success. There are quite a few groups out there that are ultra paranoid about every byte that traverses their networks and they work to identify the source for each and every one, so something that becomes successful will rapidly rise into the targeting aperture of these organizations and be stomped on. It is interesting to observe the cat and mouse game (where ‘cat’ and ‘mouse’ switch roles from time to time) from the sidelines, I am quite happy to not put in 36 hour days figuring out some of these things.

HFT

A nice explanation for how high frequency trading makes its outsized gains:

Trading in Milliseconds: When Correlations Break Down
http://jaredbernsteinblog.com/trading-in-milliseconds-when-correlations-break-down/

In the comments (most of the comments on his blog are intelligent) is another nice analogy:

http://jaredbernsteinblog.com/trading-in-milliseconds-when-correlations-break-down/#comment-2146150:

It would be like someone standing between you and the cashier. Anytime they see that the price tag on your can of beans is higher than what the cash register expects (the stock boy hadn’t gotten that far with new price tags) they step in the middle and take the difference. They pay the cashier the 95cents the store is now charging and then take your 98cents. Except not just anyone can set themselves up to stand between customers and cashiers. It takes having many billions of dollars of capital to back up those brief moments of holding the product. So only people who are already extremely fat and happy can get into this no-lose skimming position.

This week I am promised feedback on two positions I have interviewed for, one back in Columbia, MD another in Vienna, VA. Both unclassified, I haven’t had the slightest nibble for an IC job. The push-back on the IC pay rates has been very aggressive: I am looking at a $30K per year cut on most of the positions I have looked at, yet on the outside I might only need to take additional $5-10K cut. I suspect I am not the only one deciding now is the perfect time to get out from the ‘golden handcuffs’ and the intelligence community is going to have a very substantial brain drain over the next year or so.

Because of the rather draconian pay cut I am looking at when (increasingly ‘if’) I get a job, we have been forced into some rather depressing calculations. We are increasingly unlikely to be able to continue to afford our two houses (that we never intended to have). About a week ago my beautiful wife came up with a rather astounding idea: rather than sell our house in Virginia, where we have invested so much sweat, tears and blood (mostly mine), not to mention lots and lots of money, lets sell our house in MD and she can make the insane 4 hours a day commute from Shenandoah. If I shift my job search to Virginia, she can drop me off and pick me up on her too-ing and fro-ing, so I don’t have to drive at all (except those odd days when she is sick or whatever). Since I married her because I want to be with her, sitting in a car 4 hours a day, as long as it is with her, is a reasonable alternative to selling the house we have worked so hard on.

Yesterday my beautiful genius came up with an even more intriquing alternative: sell our place here in MD and then rent a basement appt. That eliminates the commute and she insists she has seen places for well under a grand. I figure it costs us around $3,300 a month to keep this place (I estimate at least $50K in pre-tax dollars), so saving 2/3 of that is a substantial amount of money. If I take a pay cut _less_ than that amount, it is as if I got a net pay _increase_, thus making the search for unclass jobs so much easier to contemplate. Of course, I might get lucky now that I have shifted my job search to the NOVA area and find an IC job that pays a nice premium over unclass, but it won’t matter so much.

Of course, if I don’t get an offer from either company this week (one has me very hopful, the other not so much) then I would shift my focus to prepping our MD house for sale (not that it will really eat in to my job search efforts, last week was nearly a total zero based on the job ads) and hope we can have it sold by the end of summer. My wife would start that insane commute, but then I would have each day to work on the greenhouse construction, so there is still a reasonable chance we could be doing aquaponics by this fall. Lots of options by moving to Shen (and making that insane commute, why we haven’t considered it to this point), according to my budget spreadsheet, we could be ‘bleeding’ around $2K a month (as opposed to bleeding by about $6,500 a month at the moment; knocking that extra grand off would be by giving up such things as satellite TV) so it wouldn’t take much for me to make up that shortfall. Indeed, if our house sells for what Zillow thinks it is worth, we could net around $40K out of the deal which would easily pay for me to be out of a regular job for a couple of years, more than enough time to get something going.

My DNA efforts are surprisingly going quite well. I have a company that has expressed genuine interest in paying for the test chip fabrication (not a working prototype, but a test for the element most critical to overall success), though they want me to pony up for the testing. I got quotes from my fab guy and testing guy at the end of last week (just as I was suffering from some sort of virus that had me on the toilet 20+ times a day), now I have to put everything together and send it to the interested parties and see if they will indeed cut a check. I would be a lot more excited about this if I had a job, right now it is a bit difficult to get enthusiastic.

Interesting idea, I think

EU project to build lie detector for social media
http://www.sheffield.ac.uk/news/nr/lie-detector-social-media-sheffield-twitter-facebook-1.354715

I am not sure how practical this is, technically, as I see it as necessary to record the first occurrence of any new trend and there has to be many, many first occurrences that never turn into a trend. Also, they would have to record the origin of each occurrence, somehow classify its truthiness, _then_ track how it trends. An interesting technical challenge, something I think would be cool to try, but there are so many sources of nonsense you would have to monitor them all (for instance, how many times has some story made up on the Onion wound up being taken seriously by some nimrod who couldn’t be bothered with actually checking the source?) and to do so even when the networks get clogged with people pinging one another back and forth on the very same nonsense.

I would love to see it successful, though I have to say since I started responding to my relatives who spam me with nonsense by sending them a link to Snopes I have got a lot less of that type of spam. It is possible that they are now checking Snopes, but perhaps they just leave me off their distro list.