In the Spring a livelier iris changes on the burnish’d dove;
In the Spring a young man’s fancy lightly turns to thoughts of love.
— excerpt, Locksley Hall by Alfred, Lord Tennyson
Welcome to spring break. And by break, I mean schedules are broken around here. Nothing like waiting up until the wee hours for a young man whose fancy not-so-lightly turned to love, because spring.
While the teenager lies abed yet, mom here will caffeinate and scratch out a post. It may be early afternoon by the time I get over this spring-induced sleep deprivation and hit the publish button.
Apple blossoms — iPhones and iPads, that is
Not much blooming on the #AppleVsFBI front, where Apple now seeks information about the FBI’s method for breaking into the San Bernardino shooter’s iPhone 5C. The chances are slim to none that the FBI will tell Apple anything. Hackaday offers a snappy postmortem about this case with an appropriate amount of skepticism.
I wonder what Apple’s disclosure will look like about this entire situation in its next mandatory filing with the SEC? Will iPhone 5C users upgrade to ditch the undisclosed vulnerability?
What effect, if any, will the iPhone 5C case have on other criminal cases where iPhones are involved — like the drug case in Brooklyn? Apple asked for a delay in that case, to assess its position after the iPhone 5C case. We’ll have to wait until April 11 for the next move in this unfolding crypto-chess match.
In the meantime, spring also means baseball, where new business blossoms for Apple. Major League Baseball has now signed with Apple for iPads in the dugout. Did the snafu with Microsoft’s Surface tablets during the NFL’s AFC championship game persuade the MLB to go with Apple?
It’s downhill all the way for VW, which last week missed its court-imposed 30-day deadline to offer a technical solution for its emissions standards-cheating “clean diesel” passenger vehicles. If there were such a thing as “clean diesel,” VW would have met the deadline; as I said before, there’s no such thing as “clean diesel” technology. The judge allowed a 30-day extension to April 24, but my money is on another missed deadline. Too bad there’s not a diesel engine equivalent of Cellebrite, willing to offer a quick fix to VW or the court, huh?
Of note: former FBI director Robert Mueller has been named “special master” on this case by Judge Charles Breyer; Mueller has been meeting with all the parties involved. What the heck is a “special master”? We may not have a ready answer, but at least there’s a special website set up for this case, In re: Volkswagen “Clean Diesel” MDL.
The cherry on top of this merde sundae is the Federal Trade Commission’s lawsuit filed yesterday against VW for false advertising promoting its “clean diesel” passenger cars.
With no bottom yet in sight, some are wondering if VW will simply exit the U.S. market.
Automotive odd lot
Did Tennyson write anything about spring spawning naps? Because I feel like I need one. Hope we’re back in the groove soon. See you in the morning.
Hope the cull is done because obituaries are not my thing. Hard to type and sniffle copiously at the same time.
GM Opel dealers may be altering emissions control software on Zafira diesel cars
Great, just great. Like GM didn’t have enough on its plate with the ignition switch debacle. A Belgian news outlet reports GM Opel dealers have been changing the software on the 2014 Zafira 1.6l diesel engine passenger vehicles in what looks like a soft recall. This comes on the heels of an EU-mandated recall of Zafira B models due to fires caused by bad electronics repairs. Sorry, I don’t speak Dutch, can’t make out everything in this video report. What little I can see and read doesn’t look good. Wouldn’t be surprised if the EU puts the hurt on GM Opel diesel sales until all are fixed to meet EU emissions regulations. Should also note that a different electronics manufacturer may be involved; images online of ECUs for late model Zafiras appear to be made by Siemens — unlike Volkswagen’s passenger diesel ECUs, which are made by Bosch.
Texas manufacturer swindled out of cash by fraudulent email request, sues cyber insurer
AFGlobal, based in Houston, lost $480,000 in May 2014 after staff wired funds based on orders in emails faked by crooks overseas. The manufacturing company had a cyber insurance policy with a subsidiary of the Chubb Group, and filed a claim against it. The claim was denied and AFGlobal filed suit. This isn’t the first such loss nor the first such lawsuit. Companies need to create and publish policies documenting procedures for authorizing any online payments, including two-step authentication of identities, and review overall spending authorization processes with an eye on audit trails.
Ukrainian officials say Kiev’s main airport hacked
Hackers who attacked Ukrainian power companies in late December are believed to be responsible for the malware launched on Kiev’s airport servers. There are very few details — okay, none, zero details — about the attack and its effect on airport operations. A military spokesman only said “the malware had been detected early in the airport’s system and no damage had been done,” and that the malware’s point of origin was in Russia. Among the details missing are the date the attack was discovered and how it was detected, as well as the means of removal.
Hold this thought: FBI still looking for info on cable cuts, with eye to Super Bowl link
Remember the post last summer about the 11 communications cable cuts in the greater San Francisco Bay Area near Silicon Valley? This is a hot issue again, given the impending Super Bowl 50 to be held at Levi’s Stadium in Santa Clara. But reports now mention 15 or 16 cuts, not 11 — have there been more since last summer, or were there more not included in the FBI’s request for information? I’ll do some digging and post about this in the near term.
All right, carry on, and don’t drink all the añejo at once.
I debated about posting Jonny Lang’s Lie to Me. Nah, we’re lied to every day, might as well ask for the truth for once, even if it’s ugly. The truth is that nothing’s okay though we wish like hell it were otherwise.
That said, let’s forge on into the fraught and frothing fjords…
‘Nope.’ That’s what California Air Resources Board said
Huh-uh, no way, nada — CARB told Volkswagen in response to VW’s proposed recall plans for emissions standard-cheating 2.0L vehicles sold into California. Because:
Wonder if CARB’s response will be different with regard to VW’s 3.0L vehicles? Shall we take bets?
Fugly, in multiples — cybersec edition
Ebay’s got bugs, and not just at auction.
Need more than tape to fix this problem with cheap web cameras.
Popular antivirus may pose a hacking threat, patch has been issued. Same antivirus manufacturer has a nifty relationship with INTERPOL, too, to share information about cyberthreats. Wonder if they phoned INTERPOL and said, “Cyberthreat. It me!”
(BTW, I love it when spell check helpfully says, “‘Cybersec’ is wrong, don’t you mean ‘cybersex’?”…um, no.)
Big of you, GM. Way to protect your intellectual property and brand at the same time.
The biggest threat to nation’s power grid is S_______
Beady-eyed and focused, slips beneath our radar, gnaws into our electricity transport with annoying frequency, causing hundreds of hours of power outages. Stuxnet? No. Bloody squirrels.
In short, it’s all wonderful this Wednesday. Just wonderful. Pass the Glenmorangie, please.
Back in August, I wrote a post wondering whether the following clause in the Cyber Intelligence Sharing Act would provide a way for corporations to avoid any government action punishing them for their negligence on cybersecurity.
(D) FEDERAL REGULATORY AUTHORITY.—
(i) IN GENERAL.—Except as provided in clause (ii), cyber threat indicators and defensive measures provided to the Federal Government under this Act shall not be directly used by any Federal, State, tribal, or local government to regulate, including an enforcement action, the lawful activities of any entity, including activities relating to monitoring, operating defensive measures, or sharing cyber threat indicators.
(I) REGULATORY AUTHORITY SPECIFICALLY RELATING TO PREVENTION OR MITIGATION OF CYBERSECURITY THREATS.—Cyber threat indicators and defensive measures provided to the Federal Government under this Act may, consistent with Federal or State regulatory authority specifically relating to the prevention or mitigation of cybersecurity threats to information systems, inform the development or implementation of regulations relating to such information systems.
(II) PROCEDURES DEVELOPED AND IMPLEMENTED UNDER THIS ACT.—Clause (i) shall not apply to procedures developed and implemented under this Act.
My worry was that a serial hacking target like Wyndham — or even just a company with sloppy security like GM — could immediately share information on a hack (or even a vulnerability identified by a security researcher that technically violated a company’s DMCA rights) with the government, and in doing so avoid any further action from the government on that point.
Something similar appears to happen with the Bank Secrecy Act: banks share information and therefore limit their liability for money laundering or supporting terrorists or what have you.
If my concern is correct, it would provide companies that chose not to fix vulnerabilities a way to avoid NHTSA required recalls or FTC lawsuits.
At Computers Freedom and Privacy, I asked the author of CISA, Senate Intelligence staffer Josh Alexander, about the clause.
His only response was to point to this language permitting disclosure of information.
(a) Otherwise Lawful Disclosures.—Nothing in this Act shall be construed—
(1) to limit or prohibit otherwise lawful disclosures of communications, records, or other information, including reporting of known or suspected criminal activity, by an entity to any other entity or the Federal Government under this Act; or
(2) to limit or prohibit otherwise lawful use of such disclosures by any Federal entity, even when such otherwise lawful disclosures duplicate or replicate disclosures made under this Act.
He emphasized that the government could still respond to unlawful activity. But bad security is not unlawful.
In other words, he had no response to my concerns. Which leads me to believe CISA guts the government’s ability to punish companies that don’t fix their security issues.
I guess that explains why the Chamber of Commerce is so excited about the bill.
Last week, Wired had a story about a hack of GM vehicles that the car company took 5 years to fix. As the story explains, while GM tried to fix the vulnerability right away, their efforts didn’t completely fix the problem until GM quietly sent a fix to its vehicles over their Verizon network earlier this year.
GM did, in fact, make real efforts between 2010 and late 2014 to shield its vehicles from that attack method, and patched the flaws it used in later versions of OnStar. But until the surreptitious over-the-air patch it finished rolling out this year, none of its security measures fully prevented the exploit in vehicles using the vulnerable eighth generation OnStar units.
The article uses this as a lesson in how ill-equipped car companies were in 2010 (notably, right after they had been put through bankruptcy) to fix such things, and how much more attentive they’ve gotten in the interim.
GM tells WIRED that it has since developed the ability to push so-called “over-the-air” updates to its vehicles. The company eventually used that technique to patch the software in its OnStar computers via the same cellular Internet connection the UCSD and UW researchers exploited to hack the Impala. Starting in November of 2014, through the first months of 2015, the company says it silently pushed out a software update over its Verizon network to millions of vehicles with the vulnerable Generation 8 OnStar computer.
Aside from the strangely delayed timing of that patch, even the existence of any cellular update feature comes as a surprise to the UCSD and UW researchers. They had believed that the OnStar computers could be patched only by driving them one-by-one to a dealership, a cumbersome and expensive fix that would have likely required a recall.
GM chief product cybersecurity officer Jeff Massimilla hints to WIRED that performing the cellular update on five-year-old OnStar computers required some sort of clever hack, though he refused to share details. “We provided a software update over the air that allowed us to remediate the vulnerability,” Massimilla writes in an email. “We were able to find a way to deliver over-the-air updates on a system that was not necessarily designed to do so.”
What Wired doesn’t note is that GM was in the thick of recall hell by November 2014 because of its delay, during the same period, in fixing ignition problems. It’s not just the network problem GM wasn’t fixing, it was more traditional problems as well. Whatever hack GM pulled off, starting in November 2014 as a kluge to fix a long-running problem, GM did so while under great pressure for having sat on other (more obviously dangerous) problems with their cars. GM also did so knowing their recognizable Impala would be shown on 60 Minutes exhibiting this problem.
In late 2014, they demonstrated it yet again for a 60 Minutes episode that would air in February of 2015. (For both shows they carefully masking-taped the car’s logos to prevent it from being identified, though car blog Jalopnik nonetheless identified the Impala from the 60 Minutes demo.)
So GM had a lot more urgency to find curious hacks in November 2014 than they did in 2010.
Dianne Feinstein just gave a long speech on the Senate floor supporting the Cyber Information Sharing Act.
She ran through a list of shocking hacks that happened in the last year or so — though she made no effort (or even claim) to show that CISA would have prevented any of them.
She listed some of the 56 corporations and business organizations that support the bill.
Most interestingly, she boasted that yesterday she received a letter from GM supporting the bill. We should pass CISA, Feinstein suggests, because General Motors, on August 4, 2015, decided to support the bill.
I actually think that’s reason to oppose the bill.
As I have written elsewhere — most recently this column at the DailyDot — one of my concerns about the bill is the possibility that by sharing data under the immunity afforded by the bill, corporations might dodge liability where it otherwise might serve as necessary safety and security leverage.
Immunizing corporations may make it harder for the government to push companies to improve their security. As Wyden explained, while the bill would let the government use data shared to prosecute crimes, the government couldn’t use it to demand security improvements at those companies. “The bill creates what I consider to be a double standard—really a bizarre double standard in that private information that is shared about individuals can be used for a variety of non-cyber security purposes, including law enforcement action against these individuals,” Wyden said, “but information about the companies supplying that information generally may not be used to police those companies.”
Financial information-sharing laws may illustrate why Wyden is concerned. Under that model, banks and other financial institutions are obligated to report suspicious transactions to the Treasury Department, but, as in CISA, they receive in return immunity from civil suits as well as consideration in case of sanctions, for self-reporting. “Consideration,” meaning that enforcement authorities take into account a financial institution’s cooperation with the legally mandated disclosures when considering whether to sanction them for any revealed wrongdoing. Perhaps as a result, in spite of abundant evidence that banks have facilitated crimes—such as money laundering for drug cartels and terrorists—the Department of Justice has not managed to prosecute them. When asked during her confirmation hearing why she had not prosecuted HSBC for facilitating money laundering when she presided over an investigation of the company as U.S. Attorney for the Eastern District of New York, Attorney General Loretta Lynch said there was not sufficient “admissible” evidence to indict, suggesting they had information they could not use.
In the same column, I pointed out the different approach to cybersecurity — for cars at least — of the SPY Act — introduced by Ed Markey and Richard Blumenthal — which affirmatively requires certain cybersecurity and privacy protections.
Increased attention on the susceptibility of networked cars—heightened by but not actually precipitated by the report of a successful remote hack of a Jeep Cherokee—led two other senators, Ed Markey and Richard Blumenthal, to adopt a different approach. They introduced the Security and Privacy in Your Car Act, which would require privacy disclosures, adequate cybersecurity defenses, and additional reporting from companies making networked cars and also require that customers be allowed to opt out of letting the companies collect data from their cars.
The SPY Car Act adopts a radically different approach to cybersecurity than CISA in that it requires basic defenses from corporations selling networked products. Whereas CISA supersedes privacy protections for consumers like the Electronic Communications Privacy Act, the SPY Car Act would enhance privacy for those using networked cars. Additionally, while CISA gives corporations immunity so long as they share information, SPY Car emphasizes corporate liability and regulatory compliance.
I’m actually not sure how you could have both CISA and SPY Act, because the former’s immunity would undercut the regulatory limits on the latter. (And I asked both Markey and Blumenthal’s offices, but they blew off repeated requests for an answer on this point.)
Which brings me back to GM’s decision — yesterday!!! — to support CISA.
The hackers that remotely hacked a car used a Jeep Cherokee. But analysis they did last year found the Cadillac Escalade to be the second most hackable car among those they reviewed (and I have reason to believe there are other GM products that are probably even more hackable).
So … hackers reveal they can remotely hack cars on July 21; Markey introduced his bill on the same day. And then on August 4, GM for the first time signs up for a bill that would give them immunity if they start sharing data with the government in the name of cybersecurity.
Now maybe I’m wrong in my suspicion that CISA’s immunity would provide corporations a way to limit their other liability for cybersecurity so long as they had handed over a bunch of data to the government, even if it incriminated them.
But we sure ought to answer that question before we go immunizing corporations whose negligence might leave us more open to attack.
But I don’t know how anyone thought a bankster–and particularly this bankster–could say this and still wield any credibility.
From Washington’s point of view, divesting its remaining shares will end an uncomfortable and distinctly un-American period of government ownership in a major industrial company.
Sure. Rattner places this sentiment in “Washington’s point of view.” Still, consider the messenger.
After all, he barely mentions here–as he did in his book–that this was not just a bailout of some industrial companies. It was also a bailout of two finance companies, Chrysler Finance and GMAC (he mentions that the government still owns Ally/GMAC, but still calls the scorecard, “nearly complete”). As such, it was also the bailout of the Private Equity firm, Cerberus, that had spent the previous years stripping Chrysler in the hopes of retaining just the finance arms.
He also neglects to mention that the government still pursues the un-American policy of treating banks according to a different set of rules, not only providing them free money, but seemingly exempting them from all laws.
Finally, he shows no self-awareness of his own history, including paying kickbacks so his firm could make big money off of New York State (for which he, like all banksters, got a mere wrist-slap).
I’m not saying the government should hold onto its GM stake forever (though unlike Rattner, executive compensation is the last reason I’d cite to applaud this sale). But having someone like Rattner call government intervention in purportedly capitalist companies un-American only perpetuates the idea that industrial companies should have to abide by so-called rules of capitalism that the titans of capitalism, the banksters, have all but discarded.
[I posted substantially this post yesterday, but the BlogGods ate it along the way. So I’m reposting.]
Along with the deceitful attack on Italians who make better car company owners than GOP Private Equity types and the Lee Iacocca spin, Mitt has rolled out a radio version of his attack on the auto bailout. From Greg Sargent, here’s part of the script:
Barack Obama says he saved the auto industry. But for who? Ohio, or China? Under President Obama, GM cut 15,000 American jobs. But they are planning to double the number of cars built in China — which means 15,000 more jobs for China.
And now comes word that Chrysler plans to start making jeeps in — you guessed it — China. What happened to the promises made to autoworkers in Toledo and throughout Ohio — the same hard-working men and women who were told that Obama’s auto bailout would help them?
The ad continues Mitt’s deceptive insinuation that GM and Chrysler aren’t also adding jobs in the US, which they are doing.
But it does something else. It takes a decidedly anti-profit stance.
You see, there are two reasons car companies are so gung-ho to enter (or re-enter, in the case of Jeep) the Chinese market. First, because it’s growing; when I was working in China, auto people considered the rising Chinese middle class to be 300 million–almost an entire US full of population. And most of them were just aspiring to buy their first car. That’s a whole lot of first time car buyers to sell to, as compared to US consumers, who are driving less and replacing their cars at a slower pace given more durable cars.
The other reason to go to China? Profit margins are bigger there than here. When I was in Shanghai in the mid-2000s, the profit margin on Buick Regals was about $2,000, as compared to the roughly $200 profit margin on a similar car here. The margins are closer now (because manufacturing in the US has gotten cheaper and in China has gotten more expensive), but China still offers good profit margins. Selling Buick Regals or Jeeps in China allows GM and Chrysler to accept lower margins on cars here.
By selling high margin cars in China, US companies can be more competitive here, meaning they will be able to expand sales and therefore production here, too.
All this is implicit in Sergio Marchionne’s response to Mitt’s ignorant rantings.
Together, we are working to establish a global enterprise and previously announced our intent to return Jeep production to China, the world’s largest auto market, in order to satisfy local market demand, which would not otherwise be accessible. Chrysler Group is interested in expanding the customer base for our award-winning Jeep vehicles, which can only be done by establishing local production. This will ultimately help bolster the Jeep brand, and solidify the resilience of U.S. jobs.
Marchionne notes 1) you can’t sell in China unless you build in China, 2) selling in China makes the Jeep brand stronger, 3) making the Jeep brand (and its profit margins) stronger makes it easier to keep up US production.
Marchionne’s implicit point should be where this discussion is heading: free trade hasn’t worked out to be fair trade. China–and Japan and Korea–still protect their markets, meaning if you want to sell there, you’ve got to make cars there.
Mitt has promised to get tough on China. But his series of auto ads have made no mention — not a peep! — of how he’ll reverse this practice and make it possible for Jeep to export cars made in Toledo. Indeed, when Obama launched a trade dispute over auto parts in September, Mitt scoffed at the effort (and ignored Obama’s decent and sustained effort launching trade disputes, one of which, pertaining to specialty steel, recently won at the WTO).
“The president may think that announcing new trade lawsuits less than two months before the election will distract from his record, but American businesses and workers struggling on an uneven playing field know better,” Mr. Romney said in a speech to the Hispanic Chamber of Commerce in Los Angeles.
Mitt Romney wants to attack American companies for going where profits are. And he’s doing so without discussing why that’s necessary.
That makes him neither a tough guy nor a good businessman.
As part of its effort to pretend that Mitt would be good for the auto industry, the campaign had Lee Iacocca sum up why Mitt would be good for the auto industry.
The first paragraph of specifics reads:
When Mitt Romney is president, he will reduce our nation’s corporate tax rate to 25 percent from 35 percent – currently the highest combined tax rate in the industrial world – so that American car companies can compete on a level playing field at home and abroad. He will also stop the extra tax automakers are forced to pay when they want to bring home their profits to reinvest in the United States. President Obama could have done this the day he took office since his party controlled both houses of Congress, but he chose not to. [my emphasis]
Obama, of course, has a tax credit specifically for manufacturing companies, meaning under Obama the auto companies would pay less than under Mitt.
But the other part–particularly against Mitt’s egregious claims that the auto bailout has helped Chrysler and GM move production overseas–is even more ridiculous.
Iacocca says Mitt would be better for the auto companies because he’d allow the auto companies to repatriate profits from overseas without paying taxes.
But that assumes, of course, they’re making profits overseas. It would mean they were doing precisely the thing Mitt is attacking–moving into new markets, like China.
So on the same day Mitt attacks Chrysler and GM for making and selling cars in China, generating greater profit it can use to support workers here, his campaign sends out a post boasting that Mitt would require Chrysler and GM to contribute less domestically on the profits they made by making and selling cars in China.
So Mitt is still trying to dig himself out of the hole he created when he declared, “Let Detroit go bankrupt”?
I suspect most of the commentary on this ad will focus on the irony that, had Mitt had his way, all of GM’s dealers would have gone under, and without the buyout deals they ultimately got.
Me, I’m a bit surprised that Mitt didn’t choose an IN Chrysler dealer. Not only did Chrysler offer its dealers a much stingier package, but some dealers from IN fought losing their franchises all the way to SCOTUS, and some are still suing over “takings.”
But I’m most surprised by the sparse language used here to portray a dealer closure: “I received a letter from General Motors: they were suspending my credit line.”
Credit lines?!?!? Mitt wants to tug at heart strings and hit Obama with an attack akin to the Bain attacks that are working so well in swing states by invoking credit lines?!?!? Really?
Yes, it is true that at the heart of any car dealer is a credit line. But by including that in this ad, it seems to me, Mitt does several things. It reminds everyone who knows what role a credit line plays in a car dealer that the precipitating cause of the auto crash was the credit crash. It reminds viewers that the banksters, in killing their own industry, also killed the car industry. And not just any banksters, either. In GM’s case, the bankster in question was 51% owned by Cerberus Capital, a bunch of high profile Republicans (Dan Quayle and John Snow, among others) who were trying to do what Mitt got rich off: looting companies (in Cerberus’ case, including Chrysler) while profiting from the financialization that such looting offered. Only they were so bad at it, they effectively had to be bailed out by the taxpayers along with GM and Chrysler.
Thus, the villain in this ad–at least as described by the dealer–is someone just like Mitt, only stupider. The villain in the ad is not Obama–not to people who know how the auto industry works. It’s Mitt’s stupid Republican friends.