Category: Links

Categories
Links Writing

BlackBerry DTEK50 Review: Secure, reasonably priced but light on battery life

BlackBerry DTEK50 Review: Secure, reasonably priced but light on battery life:

But the software on the DTEK50 is the same as the Priv’s – hardened Android 6.0.1 (Marshmallow), FIPS 140-2 compliant full disk encryption, hardware root of trust, and BlackBerry Integrity Detection that monitors for compromises, with BlackBerry extras like the Hub (a unified inbox for all communications), calendar, contacts, password keeper, device search, launcher, and the DTEK security app for which the phone was named. Once you’ve used the BlackBerry software, most other offerings seem severely wanting. DTEK deserves special mention. It evaluates the device’s security posture, recommends changes, and allows you to see exactly what rights each app is using, and how often. You can also revoke individual privileges for an app if, for example, you see no reason why a flashlight app should have access to your contacts.

On what possible grounds can the reviewer – or the editor, who presumably assigned the title to this article – assert that the new Blackberry device is ‘secure’? We know that Blackberry’s consumer-grade options do not encrypt messaging data. We know that other implementations of Android, such as CopperheadOS, actually contribute code to the Android Open Source Project that is meant to reduce vulnerabilities.

We also know that Blackberry refuses to disclose how often they receive, and respond to, government requests for assistance. And we don’t know which countries Blackberry provides assistance to, under what specific terms, or the types of data that the company discloses. But all of this speaks to Blackberry being able to access consumers’ data…which is the definition of a service being insecure insofar as non-authorized actors can read or copy the data in question.

Before journalists or editors make assertions regarding security of mobile devices (or any other product for that matter) they should be obligated to contact experts in the field of mobile security. And preferably they’d actually contact people who actively test the security of mobile devices. Or, you know, at the very least they’d read the news and realize that the security afforded by Blackberry to its retail customers if more like propoganda than based in reality.

Categories
Links

Linux bug leaves 1.4 billion Android users vulnerable to hijacking attacks

Linux bug leaves 1.4 billion Android users vulnerable to hijacking attacks:

“The tl;dr is for Android users to ensure they are encrypting their communications by using VPNs, [or] ensuring the sites they go to are encrypted,” Lookout researcher Andrew Blaich told Ars. “If there’s somewhere they’re going to that they don’t want tracked, always ensure they’re encrypted.”

The vulnerability makes it possible for anyone with an Internet connection to determine whether any two parties are communicating over a long-lived transport control protocol connection, such as those that serve Web mail, news feeds, or direct messages. In the event the connections aren’t encrypted, attackers can then inject malicious code or content into the traffic. Even when the connection is encrypted, the attacker may still be able to determine a channel exists and terminate it. The vulnerability is classified as CVE-2016-5696.

One of the more likely ways exploits might target Android users is for them to insert JavaScript into otherwise legitimate Internet traffic that isn’t protected by the HTTPS cryptographic scheme. The JavaScript could display a message that falsely claims the user has been logged out of her account and instruct her to re-enter her user name and password. The login credentials would then be sent to the attacker. Similar injection attacks might also attempt to exploit unpatched vulnerabilities in the browser or e-mail or chat app the targeted Android user is using.

Another day, and another massive vulnerability disclosed about Android.

Categories
Links

Edmonton Police Say They Didn’t Mean It When They Said They Own a Stingray

Edmonton Police Say They Didn’t Mean It When They Said They Own a Stingray:

“Earlier this week, Media Relations Unit received an inquiry from Motherboard (VICE) asking if the [Edmonton Police Service] owns a Stingray device, or has ever used one from the RCMP. There was some miscommunication/misunderstanding internally surrounding the information obtained on whether the EPS owns a Stingray , and in fact, the EPS does not own a Stingray device. Police agencies do not comment on equipment used in electronic surveillance or on investigative techniques, therefore the EPS cannot provide any further information on this topic.”

Edmonton police are walking back their assertion that they did have, and use, an IMSI Catcher. Money says that the walk back is correct (it’s likely the RCMP that owns the device that EPS has used or had access to) while also misleading (because EPS would be working with the RCMP to investigate whatever the crim happens to be, while using the IMSI Catcher).

Police do not engender trust when they dogmatically try to stop the public from knowing what kinds of surveillance tools they use. Or the numbers of innocent people affected by such surveillance. Sadly, the logics of policing seem to run counter to developing this kind of generalized trust.

Categories
Links

How to market Justin Trudeau

How to market Justin Trudeau:

In academic terms, the coziness built by these efforts is called parasocial interaction—it’s the one-sided attachment people develop for media figures, and the reason why, when we meet a celebrity, we feel like we already know them. The big problem with this in a political context is the bread-and-circuses effect, where citizens get distracted by a personality they like and stop paying attention to issues and policies. But Marland and Goodyear-Grant both point out, with resigned ruefulness, that reams of research in their shared discipline suggests very few people think about those things anyway. Citizens generally form broad impressions of their political leaders, decide whether they like and trust them, and then leave them to handle the details if they do. “Most people are just not paying attention to this stuff. They just don’t care,” Marland says. “So it gives them probably a sense of pride that their Prime Minister seems to be well respected on the international stage.”

The entire article is excellent: Shannon Proudfoot has masterfully accounted for how the Trudeau campaign (and Prime Minister’s Office) has branded and marketed him. But the part that I quoted from the article is something that more people need to appreciate and understand, especially those who are involved in politics. Canadians generally are removed from politics and simply don’t care about them. This isn’t to say that political parties’ positions and actions don’t matter. But few people are actually paying attention to the minutia or day-to-day of federal, provincial, or municipal politics.

Categories
Links

Almost every Volkswagen sold since 1995 can be unlocked with an Arduino

Almost every Volkswagen sold since 1995 can be unlocked with an Arduino:

… security researchers have discovered how to use software defined radio (SDR) to remotely unlock hundreds of millions of cars. The findings are to be presented at a security conference later this week, and detail two different vulnerabilities.

The first affects almost every car Volkswagen has sold since 1995, with only the latest Golf-based models in the clear. Led by Flavio Garcia at the University of Birmingham in the UK, the group of hackers reverse-engineered an undisclosed Volkswagen component to extract a cryptographic key value that is common to many of the company’s vehicles.

Alone, the value won’t do anything, but when combined with the unique value encoded on an individual vehicle’s remote key fob—obtained with a little electronic eavesdropping, say—you have a functional clone that will lock or unlock that car.

Just implement the research by dropping some Raspberry Pi’s in a mid- to high-income condo parking garage and you’ve got an easy way to profit pretty handsomely from Volkswagen’s security FUBAR.

Categories
Links

How do young people afford a house? They find roommates.

How do young people afford a house? They find roommates:

“When you look at the home market for first-time buyers, to get in can seem like an insurmountable task,” says Aaron Zifkin, Airbnb’s country director for Canada. “In a lot of our host community meet-ups, we’re seeing a lot of people who are really excited being able to bridge that pay point by earning a little extra income from a nanny suite.” Or, if no nanny suite exists, the pullout couch in the living room might do.

In Vancouver, for example, more than half of the money taken in by the 4,200 Airbnb hosts went to pay for necessities like the rent, mortgage or groceries, according to a company report released in July. With the typical host earning $6,500 each year, more than half of them said the extra cash was a reason they could afford to stay in their home. Seven per cent said the money helped them avoid foreclosure.

But don’t worry: there isn’t really a housing crisis in major metropolitan areas when people have to rent (parts of) their home in order to avoid forclosure. And the fact that roommates are a requirement for many 30-somethings to purchase 850ft condos in Toronto is entirely appropriate.

Categories
Links

Waiting for Android’s inevitable security Armageddon

Waiting for Android’s inevitable security Armageddon:

Android has around 75-80 percent of the worldwide smartphone market—making it not just the world’s most popular mobile operating system but arguably the most popular operating system, period. As such, security has become a big issue. Android still uses a software update chain-of-command designed back when the Android ecosystem had zero devices to update, and it just doesn’t work. There are just too many cooks in the kitchen: Google releases Android to OEMs, OEMs can change things and release code to carriers, carriers can change things and release code to consumers. It’s been broken for years.

This editorial was written over a year ago. And it’s as true, today, as it was the day it was written. Imagine if car companies just kept releasing the same dangerous, flawed, and fixable devices despite rampant car crashes, accidents, and other mishaps.

That’s Google today, as it continues to push flawed versions of Andrew, and today’s OEMs (e.g. Samsung, HTC) and carriers (e.g. Rogers, AT&T, Vodafone). The insecurity of Android constitutes a basic safety and human rights issue at this point given how states exploit Android vulnerabilities to target dissidents, journalists, academics, writers, and the public more generally. And yet none of the core parties reponsible for these major security failures are making genuine efforts to actually fix the problem because they don’t think they have to care.

Categories
Links

Copperhead OS: The startup that wants to solve Android’s woeful security

Copperhead OS: The startup that wants to solve Android’s woeful security:

Linux device drivers have been the operating system’s Achilles heel since day one, and the Android platform is no exception. Android phones ship with kernels frozen to ensure driver compatibility—which usually means that a new Android device comes with a kernel that’s already a year or two old.

“It’s like if you have a printer and the last printer driver made was for Windows 95, you can never upgrade your computer to a newer version,” Soghoian explains. “Android is bigger than just Google, and when Google’s partners drag their feet it undermines the security of the entire ecosystem.”

As an Android device ages, the kernel may get backported security patches, depending on the OEM’s willingness to push updates, but the handset will miss out on the latest security advances, since upgrading the kernel would break hardware compatibility with the drivers.

There are a lot of great things about Android. Device and data security just aren’t amongst them.

Categories
Links

Secure Boot snafu: Microsoft leaks backdoor key, firmware flung wide open

Secure Boot snafu: Microsoft leaks backdoor key, firmware flung wide open:

Microsoft has inadvertently demonstrated the intrinsic security problem of including a universal backdoor in its software after it accidentally leaked its so-called “golden key”—which allows users to unlock any device that’s supposedly protected by Secure Boot, such as phones and tablets.

The key basically allows anyone to bypass the provisions Microsoft has put in place ostensibly to prevent malicious versions of Windows from being installed, on any device running Windows 8.1 and upwards with Secure Boot enabled.

And while this means that enterprising users will be able to install any operating system—Linux, for instance—on their Windows tablet, it also allows bad actors with physical access to a machine to install bootkits and rootkits at deep levels. Worse, according to the security researchers who found the keys, this is a decision Microsoft may be unable to reverse.

There’s a lot that can be said about this absolute debacle. I’ll restrain myself to two things:

  1. This is the exact kind of problem that crops up when you include backdoors in software: eventually the information required to exploit the backdoors emerge.
  2. Microsoft’s own leakage of the key is one of the most amazing ‘own goals’ in recent security history. It’s going to be one for the history books.

Also: remember when Apple said they didn’t, and would vigorously fight, any effort to backdoor their operating systems? Microsoft’s absolutely failure to secure the cryptographic material is just one rationale behind Apple’s security posture.

Categories
Links

Netflix Adopts Efficient HTTPS Encryption For Its Video Streams

Netflix Adopts Efficient HTTPS Encryption For Its Video Streams:

Netflix has been reluctant to adopt HTTPS for its video streams so far because delivering video is already a bandwidth-heavy task, and adding encryption on top of that risked adding too much overhead. To solve this problem, the company searched for the ideal cipher and its fastest implementation.

Encrypting everything matters because third-parties can use our unique ‘tells’, be they video watching, online reading, music listening, website browsing, or other human behaviours to track us across the Internet. Some of these trackers are other companies, some of them are governments, and some are just questionable groups of hackers.

Netflix’s adoption of HTTPS for their entire service line is a good thing but, now, it’ll be important to actually test the implementations of HTTPS. Unfortunately, most implementations suffer some kind of deficiency and it’s more likely than not that Netflix’s initial deployment will be similarly flawed.