
Wednesday Morning: If It Ain’t Baseball, It’s Winter

It may be sunny and 90F degrees where you are, but it’s still winter here. A winter storm warning was issued here based on a forecast 12 inches of snow and 35 mph winds out of the northeast off Lake Huron. For once, Marcy’s on the lee side of this storm and won’t be blessed with the worst of this system.

I’ll cozy up in front of the fireplace and catch up on reading today, provided we don’t have a power outage. Think I’ll nap and dream of baseball season starting in roughly five weeks.

Before the snow drifts cover the driveway, let’s take a look around.

Hey Asus: Don’t do as we do, just do as we say
Taiwanese computer and network equipment manufacturer Asus settled a suit brought by the Federal Trade Commission over Asus’ leaky routers. The devices’ insecurities were exposed when white hat hacker(s) planted a text message on routers informing their owners the devices were open to anyone who cared to look. Terms of the settlement included submitting to security auditing for 20 years.

What a ridiculous double standard: one government department demands that one manufacturer produce and sell secure products, while another government department demands that another manufacturer build an insecurity.

Ads served to Android mobile devices leak like a sieve
Researchers with the School of Computer Science at the Georgia Institute of Technology presented their work yesterday at the 2016 Network and Distributed System Security Symposium, showing that a majority of ads not only matched the mobile user but revealed personal details:

• gender with 75 percent accuracy,
• parental status with 66 percent accuracy,
• age group with 54 percent accuracy, and
• income, political affiliation, and marital status, each predicted with higher accuracy than random guessing.

Still some interesting work to be presented today before NDSS16 wraps, especially on Android security and social media user identity authentication.

RICO – not-so-suave – Volkswagen
Automotive magazine Wards Auto straps on the kneepads for VW; just check this headline:

Diesel Reigns in Korea as Volkswagen Scandal Ebbs

“Ebbs”? Really? Au contraire, mon frère. This mess is just getting started. Note the latest class-action lawsuit filed in California, this time accusing VW and its subsidiaries Audi and Porsche as well as part supplier Bosch of racketeering. Bosch has denied its role in the emissions controls defeat mechanism:

…The company has denied any involvement in the alleged fraud, saying it sold an engine control unit to Volkswagen, but that Volkswagen was responsible for calibrating the unit.

The scandal’s only just getting going when we don’t know who did what and when.

Worth noting Wards’ breathless excitement about VW passenger diesel sales uptick in South Korea. But then Wards ignores South Korea’s completely different emissions standards as well as the specifics in promotions for that market. Details, details…

Splash and dash

Don’t miss Ed Walker’s latest in his series on totalitarianism and Marcy’s fresh exasperation with polling on FBI vs Apple. Wind’s brisk out of the north, bringing the first wave of flurries. I’m off to check the gasoline in the snowblower and wax my snow shovels.

Sony, the White House, and 10 Downing Street: What’s the Quid Pro Quo?

Lots of ugly things crawled out of Sony Pictures Entertainment’s emails leaked by hackers this past autumn.

The leak of emails and intellectual property, including then-unreleased film The Interview, was labeled “a serious national security matter” by the White House. In January this year, President Obama issued an executive order increasing sanctions against North Korea, the purported origin of the hack on SPE’s network and computers.

Sony Pictures Entertainment (SPE) is a wholly-owned subsidiary of Sony Corporation, a Japanese multinational conglomerate. In offering retaliation on behalf of SPE, the White House placed SPE on par with critical U.S. infrastructure, though no one will be physically injured or die should SPE be hacked again, and the market won’t collapse if SPE loses money on all its movies this year.

If SPE, a foreign-owned, information security-challenged entertainment firm, is now entitled to military protection against cyberattack, what is it the White House and the U.S. will receive or has received in exchange?

What’s the exchange in this quid pro quo?

Which brings us to the matter of STARZ’ cable series, Outlander, and UK Prime Minister David Cameron’s government.

In 2013, STARZ network ordered the 16-episode adaptation of bestselling historical fiction novel, Outlander by author Diana Gabaldon, from production companies Tall Ship Productions, Story Mining & Supply Co., and Left Bank Productions, in association with Sony Pictures Television.

While STARZ was the U.S. distributor, offering the series on its own cable network, SPE’s TV arm appears to have handled overseas distribution to broadcast, cable, and video streaming services.

Outlander’s cross-genre narrative is set mainly in 1740s Scotland; the story is sympathetic to a Scottish protagonist and his time-traveling English wife who are caught between the British and Jacobites in the ramp up to the 1746 Battle at Culloden. The Scottish people and countryside are treated favorably in the series’ production.

The program debuted on STARZ in the U.S. on August 9 last year — a little less than six weeks before Scotland’s independence referendum (“IndyRef”). Outlander began airing in Canada and Australia in August also, and in October in Ireland after the IndyRef vote.

Distribution deals in other countries including Germany, Hungary, Japan, and the Netherlands led to wider release overseas last year.

But Outlander never received a distribution deal in 2014 in the UK, in spite of its many Scottish and British fans’ clamor and the source book’s status as a renewed bestseller in advance of the show’s U.S. debut. To date the series has only released on Amazon Prime Instant Video in the UK, for paid video-on-demand streaming — not on broadcast or cable.

At least one email leaked by hackers revealed that SPE personnel had a meeting or meetings with Cameron’s government. In an internal email from Keith E. Weaver, executive vice president, SPE executives were told,

“Your meeting with Prime Minister Cameron on Monday will likely focus on our overall investment in the U.K. – with special emphasis on the jobs created by Tommy Cooper [the ITV show], the importance of Outlander (i.e., particularly vis-a-vis the political issues in the U.K. as Scotland contemplates detachment this Fall), and the growth of our channels business…”

The implication is that SPE would suppress any effort to distribute Outlander to the benefit of Cameron’s anti-independence position, in exchange for “growth of our channels business…”

What exactly does this mean?

And is the pursuit of growth confined to SPE, or did “channels business” mean something else? Were Sony executives also looking for opportunities for Sony Corporation, which includes Sony Computer Entertainment, Sony Music Entertainment, Sony Mobile Communications (once known as Sony Ericsson), and Sony Financial?

Did SPE executives and the Prime Minister agree not to seek broadcast or cable distribution of Outlander in the UK before this month’s election?

President Obama Declares the Threat to Crappy Sony Movies a National Emergency

President Obama just issued an Executive Order that directs the Department of Treasury to impose sanctions on people who engage in “significant malicious cyber-enabled activities.” The move has been reported as a means to use the same kind of sanctions against significant hackers as we currently use against terrorists, proliferators, drug cartels, and other organized crime.

Regardless of whether you think this will do any good to combat hacking, I have several concerns about this.

First, at one level, the EO targets those who “harm[], or otherwise significantly compromis[e] the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector.” But remember, our definition of critical infrastructure is absurdly broad, including things like a Commercial Facilities sector that includes things like motion picture studios — which is how Sony Pictures came to be regarded as critical infrastructure — and even things like campgrounds.

And it’s actually not just critical infrastructure. It also targets people who “caus[e] a significant disruption to the availability of a computer” and those who “caus[e] a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.” I can envision how this EO might be ripe for abuse.

But it gets worse. The EO targets not just the hackers themselves, but also those who benefit from or materially support hacks. The targeting of those who are “responsible for or complicit in … the receipt or use for commercial or competitive advantage … by a commercial entity, outside the United States of trade secrets misappropriated through cyber-enabled means, … where the misappropriation of such trade secrets is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States” could be used to target journalism abroad. Does WikiLeaks’ publication of secret Trans-Pacific Partnership negotiations qualify? Does Guardian’s publication of contractors’ involvement in NSA hacking?

And the EO creates a “material support” category similar to the one that, in the terrorism context, has been ripe for abuse. Its targets include those who have “provided … material, or technological support for, or goods or services in support of” such significant hacks. Does that include encryption providers? Does it include other privacy protections?

Finally, I’m generally concerned about this EO because of the way National Emergencies have served as the justification for a lot of secret spying decisions. Just about every application to the FISC for some crazy interpretation of surveillance laws in the name of counterterrorism founds its justification neither in the September 17, 2001 Finding authorizing covert actions against al Qaeda nor in the September 18, 2001 AUMF, but instead in President Bush’s declaration of a National Emergency on September 14, 2001. I’m not sure precisely why, but that’s what the Executive has long used to convince the FISC that it should rubber stamp expansive interpretations of surveillance law. So I assume this declaration could be used the same way.

In other words, the sanctions regime may well be the least of this EO.