Monday Morning: Get a Pick and Shovel

Mississippi John Hurt’s lyrics seem appropriate this morning — get a pick and shovel to dig your way out of all that snow and ice this Monday morning.

Getting a late start here because I stayed up watching the X-Files revival.

Apple iMessage users’ content at risk if backed up to iCloud
While iMessages themselves use end-to-end encryption, the same content when backed up to iCloud is encrypted by an Apple-controlled key. As many as 500 million users have data in iCloud services, at risk of exposure. You’d think after The Fappening, Apple users would be more leery about enabling iCloud backup.

Network problems affect NFL’s Microsoft Surface tablets, left New England Patriots in the dark
Wow, right down to the “last defensive possession” and *blip* — nothing on the Surface tablets for Pats’ coaches to show their players. Not the first time there’ve been problems with this technology, either. NFL’s network problems are blamed for the loss of play information, but Microsoft’s tablets are taking the brunt of it. Have to wonder why there wasn’t adequate redundancy to ensure network burps would not affect the game. Can’t fault the tablets or the network outage for the delay of X-Files on FOX, though, since the Patriots vs. Broncos were on CBS.

Donald Rumsfeld, video game designer
One of the last things I ever expected to see in my feed: Donald Rumsfeld, former Secretary of Defense under George W. Bush, designed a video game. It’s an obscure form of solitaire attributed to Winston Churchill. “…I’ve signed off on something they call ‘UX’,” Rumsfeld said. Heaven help us.

I’m deferring my date with a shovel for later today and crawling back into bed. Stay safe and warm, gang.

Friday Morning: Thank a Goddess

[image: Frigg Spinning Clouds, c. 1900, by John Charles Dollman via Wikimedia.org]

[image: Frigg Spinning Clouds, c. 1900, by John Charles Dollman via Wikimedia.org]

Yeah, you can thank Frīġe for her dæġ — Friday is her day. Frigg, Frea, or Freyja, has been lumped into sky-and-weather-goddesses category though I don’t recall running across a folktale about her actually doing weather-y stuff.

Hope you were prepared for snow if you live in eastern U.S.; Frigg won’t be as much help to you as a decent snow shovel. Same with keeping the kids busy on a snow day. Maybe you could coax them into writing a story about Frigg calling up a snow storm, replete with drawings?

Speaking of weather…and climate…
These news stories suggest snowpocalyptic events here in the U.S. aren’t the only unusual conditions affecting the way we do business today.

  • South African’s wine production will be affected by recent wildfires. Wonder if Australia’s will be, too? Oh definitely, by too much rain as well as drought and bushfires.
  • Milder than usual weather hurt retail spending in UK. Lucky for our former British overlords we’ve exported our Black Friday to give them a temporary boost in sales.
  • The worst drought in two decades spurs Zimbabwe to seed clouds. Ugh. Not good. If they’re seeding there, what happens to rainfall in Mozambique, Malawi, and Madagascar?

Note: My spell check app offers “snowpocalypse” and “snowpocalypses” after I wrote “snowpocalyptic” — even spell check insists mega-sized snowstorms are now a regular occurrence.

Dutch tech firm Philips’ sale of Lumileds division halted
No specific details were shared, but the Senate Committee on Foreign Investment in the United States (CFIUS) blocked the sale of Philips’ California-based lighting component manufacturing subsidiary. Note the article refers to “Asian buyers,” and mentions further down the story that Chinese firms were involved in the buyers’ consortium.

Seems odd this sale was blocked by CFIUS, but not that of chipmaker OmniVision Technologies last May, or Freescale Semiconductor in March (though perhaps the previous owners of Freescale may have been a factor).

Military vendor for AV and building systems sold devices with backdoor
Not only a hidden backdoor, but packet sniffing capabilities found in the AMX brand NX-1200 model building controls device.

But backdoors are a good thing, right? No?

That’s a wrap on this week. Hope those of you along the east coast expecting heavy snow are prepared with ample alcoholic beverages for what appears to be a long weekend. Make an offering to Frigg and see if it helps. Offer another to the person who shoveled your snow.

Thursday Morning: Trouble, We Haz It

[screensnap: José James at AllSaints Basement Session (video not available for embed)]

[screensnap: Jose James at AllSaints Basement Session (video not available for embed)]

Quite literally I went looking for Trouble, and I found this video by José James from the AllSaints Basement Sessions. Might be the first time looking for trouble paid off.

Drug makers struggle with ‘supply and demand’ concept
Speaking of trouble, the World Economic Forum meets at Davos, Switzerland this week to engage in its annual circus of the wealthy. Big Pharma piped up and said it wants money to develop antibiotics to replace/augment their current lineup to which bugs have become resistant. Extortion, much?

Hello? Your drugs don’t work any longer, which means sales will go down. They don’t work because you oversold them, jackasses. You don’t get to change ‘supply and demand’. Your incentive is and always has been profits, which only happen if you sell a working product. Too bad you screwed your golden goose — and us.

Here’s an idea: in the meantime, the U.S. government should fund a competing government-owned drug research and manufacturing facility the way it funds DARPA. The public will benefit directly from the research it bought, and if private drug companies can do better, even using freely available public research, they can knock themselves out.

Still want incentives? Sure. We get a chunk of the company in exchange for a handout, just like General Motors. Now beat it and get back to research or bean counting, whatever it is you really do.

Speaking of drugs, Chinese caught spying on pharmaceutical firm GlaxoSmithKline
Along with four others, a senior-level manager and biotechnology expert based at Glaxo’s Pennsylvania facility was charged with conspiracy, wire fraud, money laundering, and theft of trade secrets. An interesting spin on this story is the involvement of a twin sibling used in money laundering. Glaxo has been at the heart of a couple other corruption stories in China, including reports of bribery and industrial espionage. These Glaxo-related stories all read like telenovela scripts.

Hey, look! A leaky backdoor built into encrypted phone calls
Shocking, just SHOCKING, that a backdoor might be so flawed that a single master key could allow the holder access to ALL phone calls in an encrypted system. It’s not shocking that GCHQ is pushing this system’s security protocol it developed in-house.

Android phones used for banking may be infected with two-factor defeating malware
Wow. This is pretty creepy. You’d think your voice would be your bond in banking, but it can be used to access your account even though your voice is part of a two-factor authentication system. Android.bankosy is the bug in question; better read this article because it’s pretty complex stuff.

Internet of Things via search engine — including your Things?
You want more creepy trouble? Here you go — but I sure hope your home doesn’t appear in these webcam feeds.

That’s enough trouble for now. Make some of your own.

Wednesday Morning: Whac-A-Mole

Can’t bop them on the head fast enough. There are just too many issues popping up. See which ones you can nail.

And GO!

Video popularity in Facebook’s ‘walled garden’ means change for news outlets
This is not good. This is AOL’s model come full circle. Increasingly Facebook is shutting down access from outside, forcing news outlets to move inside, and to produce video instead of text content in order to fight for attention. Numerous outlets are affected by this trend, including the former AOL (now Huffington Post). The capper is Facebook’s persistent tracking of any users, including those who click on Facebook links. What will this do to general election coverage? Facebook really needs effective competition — stat.

Weather and bad flu season raised French deaths above WWII’s rate
Wow. I knew the flu was bad last year, but this bad? Ditto for Europe’s weather, though the heat wave last summer was really ugly. Combined, both killed more French in one year than any year since the end of World War II, while reducing overall life expectancy.

FDA issues guidelines on ‘Postmarket Management of Cybersecurity in Medical Devices’ for comment
Sure hope infosec professionals jump all over this opportunity to shape policy and regulation. Imagine pacemakers being hacked like a Chrysler 300, or reprogrammed without customer knowledge like a VW diesel, or surveilling user like a Samsung smart TV…

UK’s Cameron says one thing, UK’s arms dealers another with sales of £1Bn arms to Saudi Arabia
Can’t. Even. *mumbles something about pig porker*

“The day after the prime minister [David Cameron] claimed to be ‘trying to encourage a political process in Yemen’ and declared ‘there is no military solution in Yemen’, official figures reveal that in just the three months July to September, the government approved the sale of over £1bn worth of bombs for the use of the Royal Saudi Air Force. …

[Source: The Guardian]

Lack of transparency problematic in fatal French drug trial
Like talking to a brick wall to get answers about the drug involved in one death and five hospitalizations after 94 subjects were given an experimental drug. On the face of it, simultaneous rather than staggered administration may have led to multiple simultaneous reactions.

Canadian immigrant helped two Chinese soldiers attempt theft of U.S. military aircraft plans
You want to know how ‘chaining’ works? Here’s a simple real world example allegedly used to spy on U.S. military aircraft: Identify a key node in a network; identify the node’s key relationships; sniff those connections for content and more key nodes. A Chinese immigrant in aircraft biz, located in Vancouver, shares email addresses of key individuals in the industry with Chinese officers. They, in turn, attempt to hack accounts to mine for plans, which their contact in Vancouver vets.

Now ask yourself whether these key individuals are in or related to anyone in the Office of Personnel Management database.

Ugh. Keep whacking those moles.

Tuesday Morning: Flip Off

Flip off a few caps; Death came for a few more well-loved artists. Rest well, Glenn Frey, Dale Griffin, Dallas Taylor. Gonna’ be one heck of a band on the other side. [Edit: Mic Gillette, too? Stop already, Grim Reaper, check your targeting.]

Hope the cull is done because obituaries are not my thing. Hard to type and sniffle copiously at the same time.

GM Opel dealers may be altering emissions control software on Zafira diesel cars
Great, just great. Like GM didn’t have enough on its plate with the ignition switch debacle. A Belgian news outlet reports GM Opel dealers have been changing the software on the 2014 Zafira 1.6l diesel engine passenger vehicles in what looks like a soft recall. This comes on the heels of an EU-mandated recall of Zafira B models due to fires caused by bad electronics repairs. Sorry, I don’t speak Dutch, can’t make out everything in this video report. What little I can see and read doesn’t look good. Wouldn’t be surprised if the EU puts the hurt on GM Opel diesel sales until all are fixed to meet EU emissions regulations. Should also note that a different electronics manufacturer may be involved; images online of ECUs for late model Zafiras appear to be made by Siemens — unlike Volkswagen’s passenger diesel ECUs, which are made by Bosch.

Texas manufacturer swindled out of cash by fraudulent email request, sues cyber insurer
AFGlobal, based in Houston, lost $480,000 in May 2014 after staff wired funds based on orders in emails faked by crooks overseas. The manufacturing company had a cyber insurance policy with a subsidiary of the Chubb Group, and filed a claim against it. The claim was denied and AFGlobal filed suit. This isn’t the first such loss nor the first such lawsuit. Companies need to create and publish policies documenting procedures for authorizing any online payments, including two-step authentication of identities, and review overall spending authorization processes with an eye on audit trails.

Ukrainian officials say Kiev’s main airport hacked
Hackers who attacked Ukrainian power companies in late December are believed to be responsible for the malware launched on Kiev’s airport servers. There are very few details — okay, none, zero details — about the attack and its affect on airport operations. A military spokesman only said “the malware had been detected early in the airport’s system and no damage had been done,” and that the malware’s point of origin was in Russia. Among the details missing are the date the attack was discovered and how it was detected as well as the means of removal.

Hold this thought: FBI still looking for info on cable cuts, with eye to Super Bowl link
Remember the post last summer about the 11 communications cable cuts in the greater San Francisco Bay Area near Silicon Valley? This is a hot issue again, given the impending Super Bowl 50 to be held at Levi’s Stadium in Santa Clara. But reports now mention 15 or 16 cuts, not 11 — have there been more since last summer, or were there more not included in the FBI’s request for information? I’ll do some digging and post about this in the near term.

All right, carry on, and don’t drink all the añejo at once.

Monday Morning: So Good to Me

Yeah, Mondays start off well as we emerge from the safe warm cocoon of our beds to begin our day. But Monday evenings are a different kettle of fish.

Like this Monday — we’ve enjoyed a weekend’s cozy glow from soft power exercised through diplomacy now that the IAEA kicked off the new Joint Comprehensive Plan of Action (JCPOA). By mid-morning the flying monkey hoard of dissent will saturate media, making a cesspool out of the evening news.

Can hardly wait. Meanwhile…

Un grupo de 66 accionistas de Volkswagen
I admit my command of Spanish is weak, but even at first glance this article didn’t look good for VW. A group of shareholders—again? Let’s translate:

A group of 66 shareholders of Volkswagen (VW) take legal action against the German automaker after the company distorted evidence of greenhouse gas emissions. The complaint will be presented this week, according to the British newspaper Financial Times.

El Pais reports this is the second class-action lawsuit against VW in relation to the emissions controls defeat technology; plaintiffs for this suit are believed to be investment banks. However there were dozens of class action suits in the U.S. as of last fall, including dealerships stuck with rapidly depreciating but unsalable inventory.

A second article in El Pais also noted VW’s Mueller announced additional investment in its Tennessee-based plant after apologizing to the U.S. for the emissions control ‘trick’ (this last word was ‘trucaje‘ in Spanish). VW has now lost marketshare in the EU for the first time in eight years.

USDOT, NHTSA, Automakers agree on Proactive Safety Principles — including improved cybersecurity
Seems rather feel-good in a non-binding sort of way, but USDOT and NHTSA managed to convince automakers to agree to collaborate on vehicle safety and cybersecurity. The agreement announced last week at Detroit’s auto show coordinates with the Obama administration’s proposed $4 billion budget earmark for automated vehicle research and development.

I still can’t see the benefit in individual autonomous cars over public mass transit. My gut says this White House-driven effort at coordination is really aimed at cybersecurity — and surveillance. And no mention of the Three Laws of Robotics, either.

Formic acid fuel cell to power Dutch students’ car
Now this is a great bit of automotive and alternative energy news. Students at Eindhoven University of Technology in the Netherlands are working on automotive fuel cells powered by formic acid instead of hydrogen. Much of the fuel cell technology to date relies on hydrogen, but the problem has been hydrogen generation and storage. This challenge has stymied fuel cell-powered cars for nearly two decades. Formic acid could be handled like gasoline; it is fairly easy to produce from wood pulp and other fibrous plant mass, or by catalysis, and is low in toxicity, though care must still be used in its handling.

Given the potential application beyond vehicles, I’d rather see investment in this line of automotive research.

U.S.-China Economic and Security Review Commission looking into China’s military robots
Since the 1990s there have been a number of organized cyber attacks originating in China which seek out military and industrial content. China’s recently-developed military robots look an awful lot like those developed by QinetiQ. USCESRC is hiring researchers to assess China’s current robotics capabilities, and how much of this capability arose from U.S. sources.

The article in NextGov about USCESRC’s effort characterizes QinetiQ as a “Pentagon contractor.” Funny, that.

Enjoy your peaceful Monday morning while it lasts.

Friday Morning: Damned Long Week Done

If another artist of note has died, don’t tell me. After losing David Bowie and now Alan Rickman this week, I can’t deal. We should have had another 20 years with these guys. I can think of some people I’d trade to have them back, can’t you?

JetBlue had a boo-boo: temporary data center service outage for airline
At least, that’s what was reported — JetBlue’s data center provided through Verizon went down yesterday for a couple of hours. I’m having a really tough time believing there wasn’t adequate fail-over. Hope the FAA is all over this. JetBlue’s customers must have been very angry, frustrated, and worried.

Microsoft ended support for Windows 8 on Tuesday
Yikes! Somehow in all the discussion about Microsoft ending support for all of its Internet Explorer versions except for the most current edition, I missed the end of support for the original Windows 8 as of this week’s Patch Tuesday.

If you updated your system to Windows 8.1, it’s all good. That version is still supported.

App uses wearables to identify love interest based on heartbeat
I am shaking my head as I type this. There’s no hope for humans when we turn over one of the most fundamental human processes over to machines. Is this really even human? Slap on your FitBit, check out your one curated candidate, check your heart rate. If it’s elevated, you reach out to see if they are interested.

Absolutely pathetic. Riddled with flaws. What if a user consumed too much caffeine, or had a stressful day at work, resulting in a tetchy heartbeat? What about all the other non-visual clues we use to identify candidates worth approaching? Ugh. This brave new world sucks.

Make mine with Svedka. Skip the olives, don’t bother with the vermouth. Skål!

Thursday Morning: Fast and Furious Edition

[image (modified): Adam Wilson via Flickr]

[image (modified): Adam Wilson via Flickr]

Insane amount of overseas news overnight. Clearly did not include me winning $1.5B Powerball lottery. Attacks in Jakarta and Turkey are no joke.

Let’s move on.

Some U.S. utilities’ still wide open to hacking
Dudes, how many times do you need to be told your cheese is still hanging out in the wind? Some heads should roll at this point. US government’s Industrial Control Systems Cyber Emergency Response Team’s Marty Edwards sounded pretty torqued about this situation at the S4 ICS Security Conference this week. I don’t blame him; if a utility gets hacked, it’s not like your grandmother’s PC getting held ransom. It means the public’s health and safety are at risk. Get on it.

Your cellphone is listening to your TV — and you
Bruce Schneier wrote about the Internet of Things’ expansive monitoring of consumers, citing the example of SilverPush — an application which listens to your television to determine your consumption habits. Bet some folks thought this was an app still in the offing. Nope. In use now, to determine current TV program listings and ratings. Listening-to-your-consumption apps have now been around for years.

Wonder if our pets can hear all this racket inaudible to humans? Will pet food companies embed ads shouting out to our pets?

But you may be able to hide from devices
…depending on whether you are using location-based services, and if you can use the app developed by Binghamton University. A paper on this technology was presented last month at the Institute of Electrical and Electronics Engineers (IEEE) GLOBECOM Conference, Symposium on Communication & Information System Security. The lead researcher explained the purpose of the app:

“With Facebook, Twitter, LinkedIn and others we provide a huge amount of data to the service providers everyday. In particular, we upload personal photos, location information, daily updates, to the Internet without any protection,” Guo said. “There is such a chance for tragedy if that information is used to in a bad way.”

The app isn’t yet available, but when it is, it should prevent personally identifying location-based data from being used by the wrong folks.

VW emissions scandal: Well, this is blunt
I think you can kiss the idea of nuance goodbye, gang.

“Volkswagen made a decision to cheat on emissions tests and then tried to cover it up,” said CARB chair Mary Nichols in a statement.
“They continued and compounded the lie, and when they were caught they tried to deny it. The result is thousands of tons of nitrogen oxide that have harmed the health of Californians.”

Yeah. That.

The last bits
Nest thermostats froze out consumers after a botched update. (Do you really need internet-mediated temperature controls?)
Phone numbers may become a thing of the past if Facebook has its way. (Um, hell no to the Facebook. Just no.)
Senator Al Franken quizzes Google about data collection and usage on K-12 students. (Hope he checks toy manufacturers like Mattel and VTech, too.)

That’s a wrap, hope your day passes at a comfortable speed.

Wednesday Morning: Wonderful, Just Wonderful

I debated about posting Jonny Lang’s Lie to Me. Nah, we’re lied to every day, might as well ask for the truth for once, even if it’s ugly. The truth is that nothing’s okay though we wish like hell it were otherwise.

That said, let’s forge on into the fraught and frothing fjords…

‘Nope.’ That’s what California Air Resources Board said
Huh-uh, no way, nada — CARB told Volkswagen in response to VW’s proposed recall plans for emissions standard-cheating 2.0L vehicles sold into California. Because:

  • The proposed plans contain gaps and lack sufficient detail.
  • The descriptions of proposed repairs lack enough information for a technical evaluation; and
  • The proposals do not adequately address overall impacts on vehicle performance, emissions and safety

Wonder if CARB’s response will be different with regard to VW’s 3.0L vehicles? Shall we take bets?

Fugly, in multiples — cybersec edition
Ebay’s got bugs, and not just at auction.

Need more than tape to fix this problem with cheap web cameras.

Popular antivirus may pose a hacking threat, patch has been issued. Same antivirus manufacturer has a nifty relationship with INTERPOL, too, to share information about cyberthreats. Wonder if they phoned INTERPOL and said, “Cyberthreat. It me!”

(BTW, I love it when spell check helpfully says, “‘Cybersec’ is wrong, don’t you mean ‘cybersex’?”…um, no.)

General Motors: We won’t sue white hats doing our work for us!
No lawsuits, but don’t expect any rewards for finding vulnerabilities (unlike competitor Tesla’s bug report program).

Big of you, GM. Way to protect your intellectual property and brand at the same time.

The biggest threat to nation’s power grid is S_______
Beady-eyed and focused, slips beneath our radar, gnaws into our electricity transport with annoying frequency, causing hundreds of hours of power outages. Stuxnet? No. Bloody squirrels.

In short, it’s all wonderful this Wednesday. Just wonderful. Pass the Glenmorangie, please.

Will James Clapper Be the First Known Victim of OmniCISA’s Regulatory Immunity?

According to Medium, Crackas With Attitude just hacked James Clapper and his wife.

One of the group’s hackers, who’s known as “Cracka,” contacted me on Monday, claiming to have broken into a series of accounts connected to Clapper, including his home telephone and internet, his personal email, and his wife’s Yahoo email. While in control of Clapper’s Verizon FiOS account, Cracka claimed to have changed the settings so that every call to his house number would get forwarded to the Free Palestine Movement.

[snip]

The hacker also sent me a list of call logs to Clapper’s home number. In the log, there was a number listed as belonging to Vonna Heaton, an executive at Ball Aerospace and a former senior executive at the National Geospatial-Intelligence Agency. When I called that number, the woman who picked up identified as Vonna Heaton. When I told her who I was, she declined to answer any questions.

Viscerally, I’m laughing my ass off that Verizon (among others) has shared Clapper’s metadata without his authority. “Not wittingly,” they might say if he asks them about that. But I recognize that it’s actually not a good thing for someone in such a sensitive position to have his metadata exposed (I mean, to the extent that it wasn’t already exposed in the OPM hack).

I would also find some amusement if Clapper ends up being the first public victim of OmniCISA’s regulatory immunity for corporations.

Yahoo and Verizon can self-report this cyber intrusion to DHS, and if they do then the government can’t initiate regulatory action against them for giving inadequate protection from hacking for the Director of National Intelligence’s data.

And whether or not Clapper is the first victim of OmniCISA’s regulatory immunity, he is among the first Americans that the passage of OmniCISA failed to protect from hacking.

 

image_print