Category: Links

Categories
Links

Secure Boot snafu: Microsoft leaks backdoor key, firmware flung wide open

Secure Boot snafu: Microsoft leaks backdoor key, firmware flung wide open:

Microsoft has inadvertently demonstrated the intrinsic security problem of including a universal backdoor in its software after it accidentally leaked its so-called “golden key”—which allows users to unlock any device that’s supposedly protected by Secure Boot, such as phones and tablets.

The key basically allows anyone to bypass the provisions Microsoft has put in place ostensibly to prevent malicious versions of Windows from being installed, on any device running Windows 8.1 and upwards with Secure Boot enabled.

And while this means that enterprising users will be able to install any operating system—Linux, for instance—on their Windows tablet, it also allows bad actors with physical access to a machine to install bootkits and rootkits at deep levels. Worse, according to the security researchers who found the keys, this is a decision Microsoft may be unable to reverse.

There’s a lot that can be said about this absolute debacle. I’ll restrain myself to two things:

  1. This is the exact kind of problem that crops up when you include backdoors in software: eventually the information required to exploit the backdoors emerge.
  2. Microsoft’s own leakage of the key is one of the most amazing ‘own goals’ in recent security history. It’s going to be one for the history books.

Also: remember when Apple said they didn’t, and would vigorously fight, any effort to backdoor their operating systems? Microsoft’s absolutely failure to secure the cryptographic material is just one rationale behind Apple’s security posture.

Categories
Links

Netflix Adopts Efficient HTTPS Encryption For Its Video Streams

Netflix Adopts Efficient HTTPS Encryption For Its Video Streams:

Netflix has been reluctant to adopt HTTPS for its video streams so far because delivering video is already a bandwidth-heavy task, and adding encryption on top of that risked adding too much overhead. To solve this problem, the company searched for the ideal cipher and its fastest implementation.

Encrypting everything matters because third-parties can use our unique ‘tells’, be they video watching, online reading, music listening, website browsing, or other human behaviours to track us across the Internet. Some of these trackers are other companies, some of them are governments, and some are just questionable groups of hackers.

Netflix’s adoption of HTTPS for their entire service line is a good thing but, now, it’ll be important to actually test the implementations of HTTPS. Unfortunately, most implementations suffer some kind of deficiency and it’s more likely than not that Netflix’s initial deployment will be similarly flawed.

Categories
Links

Chrome starts retiring Flash in favor of HTML5

Thank god that this absolute blight on computer security is finally starting to be fully deprecated. Which means it should only continue to be a problem until the mid- to late-2020s as people gradually upgrade their devices to those which will not run Flash content by default…

Categories
Links

Jawbone reportedly tried to sell itself

Jawbone reportedly tried to sell itself:

Jawbone’s hunger to sell itself is evidence of how dire the situation has become for one of leading wearable tech companies in the industry. Competitor Fitbit has managed to increase sales of its fitness trackers even with Apple participating. Jawbone, on the other hand, has seen its relevance in the market wither with time, as it’s transitioned from bluetooth audio products to wrist-worn fitness bands. Many other wearable makers, including Misfit and Basis, have sold themselves to large tech or apparel companies, and even giants like Nike have gotten out of the wearable hardware business. Jawbone’s fate may be similar, but it’s running out of time. According to The Information, Jawbone delayed payment to one of its business partners this month.

Jawbone is sitting on a lot of user information. While they sell physical things, I’m mostly interested in knowing the value of all the fitness information that will presumably be sold as part of the business.

Categories
Links

Saudi Millennials Don’t Use Their Phones Like We Do

Saudi Millennials Don’t Use Their Phones Like We Do:

… the problem lies in [the branding/marketing companies’] intent: Instead of entering new markets with an open mind, they approach with a strategy in place and then look for the people who prove their theories right. “The only thing worse than not asking the questions, is not paying attention to the answers that don’t fit into their world view, because it’s inconvenient,” says Chipchase.

Set aside the headline. This longish read does a good job of explaining why it makes sense to hire an ethnographer before developing (to say nothing of launching) a product and, simultaneously, the intense amount of work that goes into launch a new product with a unique brand identity.

Categories
Links

Major Qualcomm chip security flaws expose 900M Android users

Major Qualcomm chip security flaws expose 900M Android users:

Qualcomm makes chips for the majority of the world’s phones, holding a 65 percent share of the market. Most of the major recent Android devices are expected to be affected by the flaw, including:

  • BlackBerry Priv
  • Blackphone 1 and Blackphone 2
  • Google Nexus 5X, Nexus 6, and Nexus 6P
  • HTC One, HTC M9, and HTC 10
  • LG G4, LG G5, and LG V10
  • New Moto X by Motorola
  • OnePlus One, OnePlus 2, and OnePlus 3
  • Samsung Galaxy S7 and Samsung S7 Edge
  • Sony Xperia Z Ultra

Three of the four holes have already been patched, with a solution for the fourth on the way. However, most users are at the mercy of their handset manufacturers if they want these patches applied. Owners of Google’s Nexus devices have already had patches pushed to their phones, but other manufacturers have historically been less interested in patching flaws found in their devices after release.

In many cases these updates will never be released, leaving people permanently vulnerable to this very, very, very serious vulnerability. But hey: at least it only affects around 12-13% of the world’s population. Maybe phone manufacturers and cellular carriers will actually promptly act to protect their users when closer to 20-35% of the world population is affected by the next Android vulnerability…

Categories
Links

‘It feels like theft’: Ontario wineries frustrated by government obstacles

‘It feels like theft’: Ontario wineries frustrated by government obstacles:

The LCBO is a major cash cow for the much-indebted Ontario government. Last year, it returned $1.9 billion in dividends to provincial coffers – on top of the approximately $280 million in HST it makes off the sales. It’s not hard to see how it makes that much. When a consumer buys a bottle of alcohol, the LCBO takes:

  • 52 per cent of the cost of wine
  • 59 per cent of the cost of spirits
  • 39 per cent of the cost of beer

An LCBO spokeswoman says those markups fund Ontario’s social programs as well as the LCBO’s operating costs.

I’m not opposed to the LCBO’s existence but that is a lot of markup on a bottle of wine.

Categories
Links

I Ran the C.I.A. Now I’m Endorsing Hillary Clinton.

I Ran the C.I.A. Now I’m Endorsing Hillary Clinton:

During a 33-year career at the Central Intelligence Agency, I served presidents of both parties — three Republicans and three Democrats. I was at President George W. Bush’s side when we were attacked on Sept. 11; as deputy director of the agency, I was with President Obama when we killed Osama bin Laden in 2011.

I am neither a registered Democrat nor a registered Republican. In my 40 years of voting, I have pulled the lever for candidates of both parties. As a government official, I have always been silent about my preference for president.

No longer. On Nov. 8, I will vote for Hillary Clinton. Between now and then, I will do everything I can to ensure that she is elected as our 45th president.

The securocrats are increasingly throwing their hats in the Clinton camp. And I suspect that Trump will use this to fire up his own base by discounting those same securocrats as democratic patsies, despite many democrats having railed against the heads of the CIA, NSA, and other agencies over the years following 9/11.

Categories
Aside Links

With Remote Hacking, the Government’s Particularity Problem Isn’t Going Away

Crocker’s article is a defining summary of the legal problems associated with the U.S. Government’s attempts to use malware to conduct lawful surveillance of persons suspected of breaking the law. He explores how even after the law is shifted to authorize magistrates to issue warrants pertaining to persons outside of their jurisdictions, broader precedent concerning wiretaps may prevent the FBI or other actors from using currently-drafted warrants to deploy malware en masse. Specifically, the current framework adopted might violate basic constitutional guarantees that have been defined in caselaw over the past century, to the effect of rendering mass issuance of malware an unlawful means of surveillance.

Categories
Links

Dear activists, please stop telling everyone Telegram is secure

Dear activists, please stop telling everyone Telegram is secure:

Telegram was not wrong in promoting its security features back in 2013 – end-to-end encryption in mobile chat apps was rare back then. Since then, however, other chat apps have caught up and in many cases surpassed its security features. This isn’t to say Telegram doesn’t have its merits – neither Whatsapp nor Signal have support for channels (public groups) or bots, and Telegram does have a handy, Snapchat-like, self-destruct feature for conversations. But to recommend Telegram, without reservation, to protesters and activists is simply irresponsible. Dear activists: please stop telling people Telegram is more secure – either stick with WhatsApp or direct people to Telegram’s “Secret Chat” feature.

A good, and quick, piece written to explain the deficiencies of Telegram as opposed to its competing – and more secure and equally usable – chat applications.