Secure Boot snafu: Microsoft leaks backdoor key, firmware flung wide open

Secure Boot snafu: Microsoft leaks backdoor key, firmware flung wide open:

Microsoft has inadvertently demonstrated the intrinsic security problem of including a universal backdoor in its software after it accidentally leaked its so-called “golden key”—which allows users to unlock any device that’s supposedly protected by Secure Boot, such as phones and tablets.

The key basically allows anyone to bypass the provisions Microsoft has put in place ostensibly to prevent malicious versions of Windows from being installed, on any device running Windows 8.1 and upwards with Secure Boot enabled.

And while this means that enterprising users will be able to install any operating system—Linux, for instance—on their Windows tablet, it also allows bad actors with physical access to a machine to install bootkits and rootkits at deep levels. Worse, according to the security researchers who found the keys, this is a decision Microsoft may be unable to reverse.

There’s a lot that can be said about this absolute debacle. I’ll restrain myself to two things:

  1. This is the exact kind of problem that crops up when you include backdoors in software: eventually the information required to exploit the backdoors emerges.
  2. Microsoft’s own leakage of the key is one of the most amazing ‘own goals’ in recent security history. It’s going to be one for the history books.

Also: remember when Apple said they didn’t, and would vigorously fight, any effort to backdoor their operating systems? Microsoft’s absolute failure to secure the cryptographic material is just one rationale behind Apple’s security posture.

Netflix Adopts Efficient HTTPS Encryption For Its Video Streams

Netflix Adopts Efficient HTTPS Encryption For Its Video Streams:

Netflix has been reluctant to adopt HTTPS for its video streams so far because delivering video is already a bandwidth-heavy task, and adding encryption on top of that risked adding too much overhead. To solve this problem, the company searched for the ideal cipher and its fastest implementation.

Encrypting everything matters because third parties can use our unique ‘tells’, be they video watching, online reading, music listening, website browsing, or other human behaviours, to track us across the Internet. Some of these trackers are other companies, some of them are governments, and some are just questionable groups of hackers.

Netflix’s adoption of HTTPS for their entire service line is a good thing but, now, it’ll be important to actually test the implementations of HTTPS. Unfortunately, most implementations suffer some kind of deficiency and it’s more likely than not that Netflix’s initial deployment will be similarly flawed.

Chrome starts retiring Flash in favor of HTML5

Thank god that this absolute blight on computer security is finally starting to be fully deprecated. Which means it should only continue to be a problem until the mid- to late-2020s as people gradually upgrade their devices to those which will not run Flash content by default…

2016.8.10

We have never had absolute privacy in this country. Cars, safe deposit boxes, our apartments, our houses, even the contents of our minds—any one of us, in appropriate circumstances, can be compelled to say what we saw. We have never lived with large swaths of our life off limits, where judicial authority is ineffective. That is something we need to talk about. I don’t think the FBI should tell people what to do. I don’t think tech companies should tell people what to do. The American people need to decide.

James Comey, Director of the FBI

The problem is that Comey is simply wrong: the state has never held absolute power over citizens. The 5th Amendment in the United States guarantees a right to avoid testifying against oneself. Our devices are now so personalized with our communications, thoughts, banking, business, and life that they are functionally a self-testimonial about our lives.

Moreover, even when some evidence is unavailable – be it because authorities don’t know to look for it, or cannot find it – that doesn’t immediately mean that a case is terminated. Instead, a range of powers as well as alternate charges can be brought to bear. And the price of a democracy is that, sometimes, authorities cannot bring charges against people they suspect but cannot prove may have broken the law. This restraint on state power is a core feature of liberal democratic governance and is a restraint that needs to be maintained so that we can all enjoy our freedoms.

Jawbone reportedly tried to sell itself

Jawbone reportedly tried to sell itself:

Jawbone’s hunger to sell itself is evidence of how dire the situation has become for one of the leading wearable tech companies in the industry. Competitor Fitbit has managed to increase sales of its fitness trackers even with Apple participating. Jawbone, on the other hand, has seen its relevance in the market wither with time, as it’s transitioned from Bluetooth audio products to wrist-worn fitness bands. Many other wearable makers, including Misfit and Basis, have sold themselves to large tech or apparel companies, and even giants like Nike have gotten out of the wearable hardware business. Jawbone’s fate may be similar, but it’s running out of time. According to The Information, Jawbone delayed payment to one of its business partners this month.

Jawbone is sitting on a lot of user information. While they sell physical things, I’m mostly interested in knowing the value of all the fitness information that will presumably be sold as part of the business.

Saudi Millennials Don’t Use Their Phones Like We Do

Saudi Millennials Don’t Use Their Phones Like We Do:

… the problem lies in [the branding/marketing companies’] intent: Instead of entering new markets with an open mind, they approach with a strategy in place and then look for the people who prove their theories right. “The only thing worse than not asking the questions, is not paying attention to the answers that don’t fit into their world view, because it’s inconvenient,” says Chipchase.

Set aside the headline. This longish read does a good job of explaining why it makes sense to hire an ethnographer before developing (to say nothing of launching) a product and, simultaneously, the intense amount of work that goes into launching a new product with a unique brand identity.

Major Qualcomm chip security flaws expose 900M Android users

Major Qualcomm chip security flaws expose 900M Android users:

Qualcomm makes chips for the majority of the world’s phones, holding a 65 percent share of the market. Most of the major recent Android devices are expected to be affected by the flaw, including:

  • BlackBerry Priv
  • Blackphone 1 and Blackphone 2
  • Google Nexus 5X, Nexus 6, and Nexus 6P
  • HTC One, HTC M9, and HTC 10
  • LG G4, LG G5, and LG V10
  • New Moto X by Motorola
  • OnePlus One, OnePlus 2, and OnePlus 3
  • Samsung Galaxy S7 and Samsung S7 Edge
  • Sony Xperia Z Ultra

Three of the four holes have already been patched, with a solution for the fourth on the way. However, most users are at the mercy of their handset manufacturers if they want these patches applied. Owners of Google’s Nexus devices have already had patches pushed to their phones, but other manufacturers have historically been less interested in patching flaws found in their devices after release.

In many cases these updates will never be released, leaving people permanently vulnerable to this very, very, very serious vulnerability. But hey: at least it only affects around 12-13% of the world’s population. Maybe phone manufacturers and cellular carriers will actually promptly act to protect their users when closer to 20-35% of the world population is affected by the next Android vulnerability…

‘It feels like theft’: Ontario wineries frustrated by government obstacles

‘It feels like theft’: Ontario wineries frustrated by government obstacles:

The LCBO is a major cash cow for the much-indebted Ontario government. Last year, it returned $1.9 billion in dividends to provincial coffers – on top of the approximately $280 million in HST it makes off the sales. It’s not hard to see how it makes that much. When a consumer buys a bottle of alcohol, the LCBO takes:

  • 52 per cent of the cost of wine
  • 59 per cent of the cost of spirits
  • 39 per cent of the cost of beer

An LCBO spokeswoman says those markups fund Ontario’s social programs as well as the LCBO’s operating costs.

I’m not opposed to the LCBO’s existence but that is a lot of markup on a bottle of wine.

So Hey You Should Stop Using Texts for Two-Factor Authentication

One of the problems with contemporary computer systems is that they rely on login and password information, and both of these kinds of information are routinely either disclosed through data breaches or are configured by users such that it is relatively easy to guess the login and password combination. Two-factor authentication is designed to alleviate these problems by issuing a second code to a user, which they input in order to access the service. This ‘other factor’ is meant to prevent unauthorized third parties from accessing protected systems (e.g. email, social media accounts).

However, many of these second-factor codes are delivered over text messages. The problem is that there is a litany of ways that texts can be either intercepted or diverted, thus reducing the efficacy of the two-factor system. Some companies have moved away, partially, from SMS-based second factors but others such as Twitter have not. The aim of the article is to suggest that it’s important for users to themselves migrate from text-based second factors to a more secure method.

This is entirely accurate…when individuals are being targeted. But when an attacker is unwilling to invest much time or effort — such as running password lists or otherwise just ‘testing’ accounts without seriously attacking them — then even text-based two-factor authentication can suffice. While I agree that ideally individuals will move to a second factor that isn’t SMS-based, there is a significant degree of friction in getting individuals to download new applications, and ‘token-based’ modes of authentication can be challenging to deploy because they get lost/damaged/forgotten/etc. In effect: while the call from the author is good, I have to ask whether this ‘solution’ is the one that we should be spending years shuffling users towards or if we should instead wait for a superior alternative.

The Fourth Amendment in the Information Age

Litt’s article focuses on finding new ways of conceptualizing privacy such that the current activities of intelligence agencies and law enforcement organizations are made legal, and thus shift the means by which their activities are legally and constitutionally evaluated. While his proposal to overturn much of the third-party doctrine coheres with the positions of many contemporary scholars, his suggested replacement — that we should no longer focus on collecting data, but on use of collected data — would eviscerate basic privacy protections. In particular, I think that it’s important we not just ignore the ‘search’ aspect of Fourth Amendment law: we need to recalibrate what a search is within the context of today’s reality. And that doesn’t mean just letting the government collect with fewer baseline restrictions but instead modifying what a ‘search’ is itself.

The core aspects of the article that give a flavour of the entire argument are:

I suggest that—at least in the context of government acquisition of digital data—we should think about eliminating the separate inquiry into whether there was a “reasonable expectation of privacy” as a gatekeeper for Fourth Amendment analysis. In an era in which huge amounts of data are flowing across the Internet; in which people expose previously unimagined quantities and kinds of information through social media; in which private companies monetize information derived from search requests and GPS location; and in which our cars, dishwashers, and even light bulbs are connected to the Internet, trying to parse out the information in which we do and do not have a reasonable expectation of privacy strikes me as a difficult and sterile task of line-drawing. Rather, we should simply accept that any acquisition of digital information by the Government implicates Fourth Amendment interests.

After all, the concept of a “reasonable expectation of privacy” as a talisman of Fourth Amendment protection is not found in the text of the Fourth Amendment itself, which says merely that “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.” It was only in 1967, in Katz, that the Supreme Court defined a search as the invasion of a “reasonable expectation of privacy.” Katz revisited Olmstead v. United States after 40 years; the accelerating pace of modern technological change suggests to me that fifty years is not too soon to revisit Katz. My proposal is that the law should focus on determining what is unreasonable rather than on what is a search.

What I have suggested, however, is that—at least in the area of government collection of digital data—we eliminate the preliminary analysis of whether someone has a reasonable expectation of privacy in the data and proceed directly to the issue of whether the collection is reasonable; that the privacy side of that analysis should be focused on concrete rather than theoretical invasions of privacy; and that courts in evaluating reasonableness should look at the entirety of the government’s activity, including the “back end” use, retention restrictions, and the degree of transparency, not just the “front end” activity of collection.