Wednesday Morning: Quelle couleur est-ce?

I think vestigially there’s a synesthete in me, but not like a real one who immediately knows what colour Wednesday is. — A. S. Byatt

A lot of people will ask what day it is today, but few will ask what color.

Ed Walker put up a great post late last evening, one that deserves more oxygen. Do check it out.

Hospital held hostage for millions by ransomware
Hey Hollywood! A hospital in your backyard has been “infected” with ransomware, their enterprise system tied up until administration coughs up $3.6 million.* Didn’t see that coming, huh? Law enforcement is involved, though if they haven’t managed to resolve other smaller ransomware attacks, they won’t solve this before it critically affects patients’ care.

This is a pretty good (if unfortunate) example of a business continuity crisis. Remember Y2K and all the hullaballoo about drills and testing for enterprise failure? We still need that kind of effort on a regular basis; how do you run your biz if all electronics go dark, for any reason?

(* US articles say $3.6M; CAN article linked says $5M. Currency difference, or an increase in the demand?)

Google found critical vulnerability in GNU C Library
“CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow” Huh? What? If you read Google’s blog post about this yesterday, you were probably scratching your head. Some Googlers struggle with writing in plain English. Here’s what tech news outlets interpreted from that google-degook:

Ars Technica: “Extremely severe bug leaves dizzying number of software and devices vulnerable”
BBC: “Glibc: Mega bug may hit thousands of devices”
Threatpost: “Critical glibc Vulnerability Puts All Linux Machines at Risk”

In a nutshell, if you’re running Linux, patch your systems, stat.

Petroleum’s still a problem

  • Iran’s not going along with Saudi-Russia-OPEC agreement on oil production limits. Iran wants to return to pre-sanction production levels before it makes any concessions.
  • Oil glut and tanked prices create secondary challenges. Saudi’s youth now have entirely different prospects for employment now that oil cannot guarantee national wealth or careers with good pay. Will this cause political volatility in RSA? Wonder what will happen in smaller oil-producing countries like Venezuela and Ecuador?
  • Weird outliers buck trend: Indian oil producer Chennai had a strong Q3, and First American Bank more than doubled its stake in oil development firm Anadarko. Neither of these stories makes sense when oil prices have plummeted, are still plummeting, and show no solid sign of improvement in the next year-plus.

TBTF is still too TBTF
Neel Kashkari, Minneapolis Fed Reserve president, called for the breakup of Too-Big-to-Fail banks yesterday, as they are still a risk to the economy. Didn’t see that coming from a fed president, especially Kashkari.

Biggest tech story today: Judge ordered Apple to help hack San Bernardino gunman’s phone
Apple’s been fighting government pressure on backdoors to its products. The fight intensified after federal judge Sheri Pym ordered Apple to cooperate with the FBI to unlock encryption on a county-owned phone used by San Bernardino gunman Syed Farook. Begs the question why any government agency — local, state, or federal — would ever issue a phone with encryption the government could not crack in the first place. Seems like one answer is a government- and/or business-specific encryption patch to iOS: [IF phone = government-issued, THEN unlock with government-issued key]. Same for business-issued phones. Your own personal phone, not issued by a government agency or business? No key, period.

Phew. That’s enough for a Wednesday. Hope we can coast downhill from here.

Blogger since 2002, political activist since 2003, geek since birth. Opinions informed by mixed-race, multi-ethnic, cis-female condition, further shaped by kind friends of all persuasions. Sci-tech frenemy, wannabe artist, decent cook, determined author, successful troublemaker. Mother of invention and two excessively smart-assed young adult kids. Attended School of Hard Knocks; Rather Unfortunate Smallish Private Business School in Midwest; Affordable Mid-State Community College w/evening classes. Self-employed at Tiny Consulting Business; previously at Large-ish Chemical Company with HQ in Midwest in multiple marginalizing corporate drone roles, and at Rather Big IT Service Provider as a project manager, preceded by a motley assortment of gigs before the gig economy was a thing. Blogging experience includes a personal blog at the original blogs.salon.com, managing editor for a state-based news site, and a stint at Firedoglake before landing here at emptywheel as technology’s less-virginal-but-still-accursed Cassandra.
20 replies
  1. bloopie2 says:

    That ransomware story is “thrilling”, don’t you think? I’ve read about this in the past, where if you click on a bad link your home PC is frozen and you need to send them $300 and hope you get unlocked (it often doesn’t happen). And if a hospital working with the FBI can’t get itself unlocked, what hope does the average person have? But you’re right, the answer is backup. Which leads me to ask – what’s the recommended cheap and easy way to completely back up my home PC? Cloud? Extra removable hard drive (flash drive)?

  2. P J Evans says:

    I think the FBI needs to talk to NSA about hacking into that phone. Or they need to learn why users don’t want phones that can easily be hacked. (Also, I’d expect that those two would have used a burner phone, rather than one that was that obvious.)

  3. bloopie2 says:

    My Presidential town hall questions: Do you believe that an American citizen should have the right to own a smartphone that the government cannot crack into? If not, then what aspects of an American’s life, if any, should be closed to the government?

  4. bloopie2 says:

    The Apple letter (link below) is well worth reading. Cook makes two arguments. First, making the backdoor would be dangerous, exposing our information to who knows who. The standard techie response, and a good one. Second, what I would call “personal rights vs. the government” (quoted below). Love it. Thank you, Tim Cook. Thank you for this sentence: “We fear that this demand would undermine the very freedoms and liberty our government is meant to protect.”
    .
    The implications of the government’s demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.
    .
    Opposing this order is not something we take lightly. We feel we must speak up in the face of what we see as an overreach by the U.S. government.
    .
    We are challenging the FBI’s demands with the deepest respect for American democracy and a love of our country. We believe it would be in the best interest of everyone to step back and consider the implications.
    .
    While we believe the FBI’s intentions are good, it would be wrong for the government to force us to build a backdoor into our products. And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect.
    .
    http://www.apple.com/customer-letter/

  5. Rayne says:

    bloopie2 (9:53) — WRT backup: Remember yesterday’s story about the teacher who put sex tape in Dropbox? That’s why you don’t back up to cloud. Always an offline backup. You can buy a 1TB flash drive for well under $100 now. (Back in the day I ran server farms with less storage than that. What I would have given for a 1TB drive. ~smh~)

    P J Evans (10:40) — Guessing FBI already has metadata suggesting content in messages is critical. My guess is that shooter got sloppy and forgot to use a burner, or FBI chasing a material witness based on metadata who may have content about additional risks not directly chained to shooter. Maybe the iPhone called a chained burner, and FBI needs to know more to fill a gap with now-lost burner…not certain NSA could necessarily pants itself to reveal anything it might have, if it does.

    bloopie2 (11:43) — The fact that information is contained in a particular digital device is irrelevant, IMO, only a different medium. Medium could be a safe, a diary, a notebook, letters encrypted using codes like those employed during WWII. The question is: Do citizens have rights to preserve information in a manner government cannot access? Under what circumstances are citizens’ rights to privacy ever violable by government? Can encrypted media like a diary containing content created by citizens be subject to seizure and search if the creator does not grant access before death?

    bloopie2 (11:51) — Thanks for posting that. :-)

    • bloopie2 says:

      Rayne, thanks for the backup info, and for your cogent questions about Americans’ privacy rights. As to the San Bernardino situation, and just so I understand, is the following scenario the snail mail equivalent? Badgirl #1 corresponds with Badgirl #2 via postal mail. #1 is caught and they perfectly legally find her letter stash, including references to #2. So they want #2’s mail now, obviously. I think under current law there’s enough of a smoking gun there that they can go to a judge and get a warrant to search for #2’s mail, and if they find it, they can read it. But then: It turns out that #2 keeps her mail in a safe which is uncrackable and which, if forced open, will self-destruct its contents (anyone remember Jim Phelps?). So the FBI instead goes to the safe manufacturer with a court order that says “crack this safe open for us” without losing its contents.
      .
      I just don’t see why we should allow that to happen, in the land of the free.

  6. Rayne says:

    bloopie2 (12:31) — wrt “snail mail” meaning USPS — whole different ball of wax, already a mess of laws in place. Warrant being key. But cracking info in either snail mail or a safe does not compromise the privacy of all others’ snail mail or safe, yes? Retrieval is discrete, limited. This is the problem. FBI wants access to a single user’s info but at the expense of compromising ALL users’ privacy. They would not have to make this request had not San Bernardino govt screwed up in issuing an Apple phone to employee w/o ensuring device was crackable/had an override.

    Now I ask again: Under what circumstances are citizens’ rights to privacy ever violable by government?

    • jerryy says:

      .
      I am not wanting to be contrarian, but the US government has, through the ages, always held that citizens’ rights to privacy are a low bar for them to violate. Examples, in no way comprehensive:
      .
      The Trail of Tears, the internment camps, the civil rights era; whether you agree that right to choice exists for women or not, it being ‘legal’ is based on a notion of privacy that a court had to force on the government, that notion is under constant attack. Try crossing the border back into the US, as a US citizen, and see how much right to privacy you are afforded.
      .
      Good for you, Apple, Inc.

    • Evangelista says:

      Rayne, (No. 7, 12:48pm)

      Your question:
      “Under what circumstances are citizens’ rights to privacy ever violable by government?”
      Answer:
      Constitutionally, None, ever. The Preamble to the United States Constitution defines the hierarchy of People and Government for the United States Republic to be constituted by the United States Constitution, and subsequently constituted by its ratification. In that Preamble the People are defined the producers of the Constitution and the producers and defined beneficiaries of the Republic to be, and subsequently created by the Constitution, and the owners of the government created by the Constitution, and the masters of the persons employed in the governing required to maintain the Constitutionally defined government, for whom the law incorporated in the Constitution was incorporated and whose actions the law of the Constitution was constituted to control, who were, and are, therefore, servants to the people.

      All of this means that those in government in the United States are the servants to the people of the United States (who are individualized as people, rather than collectivized, as in socialisms, by the English Law Principle, which requires the individual to be presumed able to, and to, administer himself, and for himself, and govern himself and for himself, and define and obey law himself, and for himself, all of which is incorporated in the common term “presumption of innocence”, which innocence is innocence from any and all wrongdoing, error and unreasoned action). The requirement that each individual person in the Constitutional United States be recognized capable of controlling and ruling himself, and herself, individually, and be recognized to in all cases do so, except when, and until, a failure to do so is proved beyond reasonable doubt, is what makes the Constitutionally constituted United States Republic’s form of government unique, and is what requires those in its government to recognize themselves truly Republican in their authorities, meaning responsible to use the authorities vested in them to maintain the benefits assigned in the Constitution’s Preamble for the individual people, who their first and primary authority, as public servants, is to serve.

      It is the People who are responsible for their neighbors in the Constitutional United States System, meaning to not oppress, suppress, swindle, cheat, abuse or take advantages of them. This nefarious constituent, painful to so many who set opportunism over all else in interpersonal relationships, is also product of ‘presumption of innocence’, which permits the innocent to be innocent, and those who could take advantages of them to refrain from doing so, since the taking advantage would violate the innocents’ right to be innocent (it is for this that presumed contracts, for example, are illegal in United States Public Law [the law that applies to the people at large], who presumption of innocence protects from being presumed to know, or be wise, and for it that commercial law, law for use between merchants, who presume themselves wise in the ways of the market, is a parochial system of law in the United States Republic, as club laws, canon laws, sharia laws, etc., all laws of parochial systems, are, applicable only to persons in the United States who have knowingly, voluntarily and intentionally joined the ‘club’ and so agreed to accept and abide by the applicable-to-members non-public law system [the ‘knowingly, voluntarily and intentionally’ part noted here is for ‘presumption of innocence’, which requires proof of “non-innocence”]).

      And so, as a public service entity, administered by public servants, government must have the involved and responsible masters’ knowingly, voluntarily and intentionally given permission to share in an individual’s private affairs. Failing to obtain such permission, for any specific private component, is a violation by the government servant(s) knowingly, voluntarily and intentionally involved in the violating action (this means those acting directly, and the servants in supervising positions who know).

      Complicated to write out in specifics, cases and details, the over-arching law of the United States Republic is easiest stated in an admonition to take Presumption of Innocence seriously, and recognize that the meanest thing it does is politicize the Golden Rule to “Treat your neighbor as the Presumption requires you be treated, yourself”.

      The fun part is that everything in law in the United States that today does not conform to the mandate dictated in the United States Constitution’s Preamble is illegal, moot, null and void in all aspects and elements except those of liability, which accrue to those who have perpetrated, and who perpetuate, illegal, moot, null and void “law”, and imposed it on their masters, or suborned ones of the servant-class to do so. This means we can legally hang just about the whole lot operating the current United States’ government machinery, and all of the bankers and brokers and lobbyists and lawyers involved in its perpetration and perpetuation, along with all the ones who have financed, and are financing its take-over and usurpation of the lawful constitutional government of the nation. The catch, that prohibits us from simply hanging the whole lot from light-posts, in addition to that we would have to install a hell of a lot more light-posts to accommodate the flood, is that the Constitution requires we give them fair trials first, beginning from presumptions of them being innocent. What I suspect is that if an attempt to try and hang the responsible were undertaken the effort would shoal up on our law-schools, with all the perpetrators not in law-school teaching positions (or judiciary, who could be assigned to ‘have reason to know’), pleading “I was just following my teachers’ teachings.”

  7. bloopie2 says:

    Here’s a thought on the hospital ransomware lockdown: The transfer of medical records from paper to an electronic records system, which everyone seems to be pushing, has created an opportunity that hackers are proving eager to exploit. What to do – stop all new electronic information storage (“progress”) until these issues are solved? That will be … when?

  8. bevin says:

    “Wonder what will happen in smaller oil-producing countries like Venezuela and Ecuador?”

    That will depend upon them. Their governments can diversify and substitute for imports, re-distribute wealth and property- land in particular- and ensure decent living standards for all. Or they can agonise over markets and wait for financier backed intervention to bring them down and reverse the achievements of decades.

  9. Rayne says:

    bloopie2 (12:55) — Hah. IT companies have been working on networked health care IT for more than 20 years, have yet to develop a user-adopted unified standard framework to make data readily portable between health care providers. When they get their shit together long enough to do that, then I’ll panic. In the meantime, attacks will be on single providers. This individual hospital is a warning to much larger networked facilities like Kaiser Permanente or HCA to ratchet up their security. I’ll bet you right now it’s going to take a really big health care network to be attacked before the rest clue in.

  10. Rayne says:

    jerryy (1:21) — What do these things have in common: The Trail of Tears, the internment camps, civil rights era, women & choice — ??

    The rights of white straight Christian men — the same folk who are represented by a majority as leaders of largest U.S. businesses and Congress — weren’t affected by them.

    In the question of Apple iPhones and encryption, the rights of white straight Christian men to personal information privacy are in question.

    Funny how a gay guy is the figurehead fighting for their rights.

    • jerryy says:

      Neither of the alleged terrorists whom this order would apply to look like w.a.s.p.s to me.
      .
      To respond to your first question, brutal aggression as a means of suppression of minorities be it racial, gender or economic is what they have in common. When I wrote the list was ‘not comprehensive’ I did not include treatment of ethnic groups such as Italian or Irish (nominally white and Christian) because I saw no need to fill Ms. emptywheel’s page with recitations found in many decent US herstory books. I just listed a few examples to address the question of what regard the US government gives to privacy, such as when you cross over the border into the US, expect them to give your privacy little regard even if you are white and Christian.
      .
      Why should it be funny that Mr. Cook is standing up for his principles?
      .

  11. Les says:

    BTW, I got a nasty response from someone who claims to be in the counterterrorism field because I pointed out in a public forum that many of the arrests are a result of stings hatched by the FBI with undercover personnel providing funds, providing training on building bombs and shooting automatic weapons, and supplying transportation and other material support to the extent the plot would not be feasible without FBI control.

    I have an immediate family member who has worked as an analyst in the field for over 10 years.

    I had a heated argument with him back in 2009 when the pattern of the domestic Al Qaeda plots after 9/11 appeared to be fake since the target of the sting had no means to carry out an attack.

  12. earlofhuntingdon says:

    Good point about govt issued comms devices. One would think the appropriate systems administrator would always be able to gain access to an agency-issued device, whether to fix bugs, recover data, delete data in lost devices, etc. I suspect that’s routine for a corporate employer-issued device.
    One would think that in the context of a criminal prosecution, the feds could have gotten access to the device through a court order and via the county’s IT administrator. What procedural or systemic failings are we not seeing?
    Separately, as for Apple being ordered to help in this case, surely all the govt needed was to obtain a warrant, based on a finding of probable cause. Here, it was a federal magistrate, not a district court judge, who issued the order.

  13. earlofhuntingdon says:

    Federal magistrate Sheri Pym’s order to Apple was not to unlock an individual phone. An order to unlock a single phone, or allowing the feds to obtain access to it via the county agency’s IT administrator, would have seemed the most appropriate course. It would have furthered this investigation at the least cost to individual and societal privacy interests.

    Magistrate Pym seems to have had other things in mind. She ordered Apple to devise a new operating system, one that would allow the govt to break into it using routine “brute force” computer attacks, all without triggering the phone’s defenses, such as shutting down after 10 attempts or erasing its contents.

    Note, this is nominally for use in hacking into a single phone in connection with a public criminal investigation and prosecution. The precedent is alarming. What are the odds of that restriction staying in place?

    Surely Ms. Pym would have been wiser to seek a means for the feds to break a single phone without generating a new pathway for the feds to break into all similar phones. That risk seems substantial, given the govt’s sustained attempts to bully and persuade device manufacturers to allow the feds unlimited backdoor access. Ms. Pym’s solution would substantially change the playing field without enabling a competing process to balance conflicts between legitimate govt demands for information and the legitimate privacy rights of individuals and society.

  14. lefty665 says:

    Those were the days Rayne, Tb lust, even if spread over a lot of platters:)
    .
    I’d also suggest to Bloopie mirroring to make the backup bootable and thus an easy restore after catastrophe. Also getting two backups and alternating them is a good idea and cheap. Keeping one off site so it takes two disasters to wipe you out is good practice.
    .
    WTF, the county didn’t have an administrative account on the phone? They couldn’t just sign on and unlock it? Are the Feds using this as a cheap way of leaning on Apple? I’d suggest if the county did not want its employees to have phones with unbreakable encryption they shouldn’t have given them to them. It would seem the Feds’ recourse is to the county, not Apple.
    .
    I GNU this was going to happen eventually (cough). Another WTF, This is 2016 and we’re still getting hacked by buffer overflows? Do programmers have no pride?
    .
    House of Saud is headed for a crash. Between a senile king, a dingbat kid running the military and burning through their money, the outlook is not bright. They picked a fight with Yemen, among the poorest nations on earth and right on their border that they can’t win. Now they’re blustering about going up against the Russians in Syria. Buffer overflow, honk, honk.

  15. P J Evans says:

    The hospital paid 17 or 18K in Bitcoin. They’re now sorting out what might have been damaged.
    I’d suggest they improve network security and train all their employees on computer security basics.
