- Last hundred days? “The last hundred days of the Trump presidency—if that’s the period we’re in—thus gives rise to a number of distinct concerns about the excesses of an involuntarily lame-duck president of, shall we say, an unconventional disposition. These concerns often get blended together, but they are worth separating into four broad categories. The most alarming of the set, but probably the least likely, relate to the possibility of a contested election. A far more likely possibility involves the president’s delegitimization of an election that he cannot fruitfully contest. A third set of concerns involve self-dealing and other abuses of power during the transition. The final category involves simple mishandling of the transition itself.” // Here’s hoping that things don’t turn as badly under the last dregs of the Trump presidency as some fear. But I wouldn’t personally bet a lot on hope right now.
- The Trump presidency is ending. So is Maggie Haberman’s wild ride. // A great contemporaneous profile of Maggie Haberman, one of the best journalists who’s covered Trump to date.
- Deep-freeze challenge makes Pfizer’s shot a vaccine for the rich. “Even for rich countries that have pre-ordered doses, including Japan, the U.S. and the U.K., delivering Pfizer’s vaccine will involve considerable hurdles as long as trucks break down, electricity cuts out, essential workers get sick and ice melts.” // It’s going to be miserable to keep hearing about possible vaccines and then, after the initial euphoria of media, realize just how incredibly hard it is going to be to distribute them. Hopefully with a competent America returning to the world scene we’ll see the various superpowers of the world work together on this issue to coordinate probably the most significant logistics campaign in humanity’s history.
- The brouhaha over Google Photos. “[Google] has decided that the photos uploaded to its system have trained its visual algorithms enough that it doesn’t have to eat the cost of ‘free storage.’” // Om definitely has one of the best assessments for why Google is no longer offering unlimited (non-premium) photo storage. The company has done the training it needed to do, and now it’s time to monetize what it’s learned from the data which was entrusted to it.
- ‘Are we getting invaded?’ U.S. boats faced Russian aggression near Alaska. “As Russia has ramped up its presence in the region, U.S. officials have accelerated their own efforts. The Coast Guard has long complained that its lone pair of aging icebreakers is struggling to stay in service but may now have the opportunity to build six new ones. (Russia has dozens.) The United States is also discussing a northern deepwater port, perhaps around Nome. Currently, the nearest strategic port is 1,300 nautical miles away in Anchorage.” // It’s increasingly becoming evident that the Arctic, long a place where ice kept the different major powers from seriously competing for territory and resources, is going to heat up as a result of a warming climate. It’s truly worrying that Canada and the United States seem to be utterly lacking in preparation for what is coming.
New research from Google:
In this paper, we present the first longitudinal measurement study of the underground ecosystem fueling credential theft and assess the risk it poses to millions of users. Over the course of March, 2016–March, 2017, we identify 788,000 potential victims of off-the-shelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches and traded on blackmarket forums. Using this dataset, we explore to what degree the stolen passwords—which originate from thousands of online services—enable an attacker to obtain a victim’s valid email credentials—and thus complete control of their online identity due to transitive trust. Drawing upon Google as a case study, we find 7–25% of exposed passwords match a victim’s Google account. For these accounts, we show how hardening authentication mechanisms to include additional risk signals such as a user’s historical geolocations and device profiles helps to mitigate the risk of hijacking. Beyond these risk metrics, we delve into the global reach of the miscreants involved in credential theft and the blackhat tools they rely on. We observe a remarkable lack of external pressure on bad actors, with phishing kit playbooks and keylogger capabilities remaining largely unchanged since the mid-2000s.
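As an added illustration (not code from the paper or from Google), a toy login decision that combines the two ideas the abstract names: checking a submitted credential against a corpus of known-exposed passwords, and layering risk signals drawn from a user’s historical geolocations and device profiles on top of a correct password. The breach set, account history, weights and thresholds below are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed stand-in for the blackmarket breach corpus the paper measured,
# kept as hashes so the plaintext passwords never need to be stored.
BREACHED_PASSWORD_HASHES = {sha256_hex(p) for p in ("hunter2", "password1", "letmein")}


@dataclass
class AccountProfile:
    # SHA-256 is used only to keep the example short; a real system stores
    # passwords with a slow, salted KDF such as scrypt or Argon2.
    password_sha256: str
    known_countries: set  # geolocations seen on past successful logins
    known_devices: set    # device identifiers seen on past successful logins


@dataclass
class LoginAttempt:
    password: str
    country: str
    device_id: str


def password_is_exposed(password: str) -> bool:
    """True if the submitted password appears in the breach corpus."""
    return sha256_hex(password) in BREACHED_PASSWORD_HASHES


def risk_score(attempt: LoginAttempt, profile: AccountProfile) -> int:
    """Weight the contextual signals: a never-seen country outweighs a new device."""
    score = 0
    if attempt.country not in profile.known_countries:
        score += 2
    if attempt.device_id not in profile.known_devices:
        score += 1
    return score


def decide(attempt: LoginAttempt, profile: AccountProfile, threshold: int = 2) -> str:
    """Return 'deny', 'reset', 'challenge' or 'allow' for one login attempt."""
    if not hmac.compare_digest(sha256_hex(attempt.password), profile.password_sha256):
        return "deny"
    if password_is_exposed(attempt.password):
        return "reset"  # correct but known-exposed credential: force a change
    if risk_score(attempt, profile) >= threshold:
        return "challenge"  # correct password from unfamiliar context: ask for a second factor
    return "allow"
```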
In 2012, Google unveiled a cloud-based scanner dubbed Bouncer that was billed as a way for the company to detect malicious apps before they were made available in Play. Five years later, discovery of malicious apps like Charger is a regular occurrence. Google makes little reference to the tool these days.
Android: a new bag of hurt found each week.
Amazon’s Echo and Alphabet’s Home cost less than $200 today, and that price will likely drop. So who will pay our butler’s salary, especially as it offers additional services? Advertisers, most likely. Our butler may recommend services and products that further the super-platform’s financial interests, rather than our own interests. By serving its true masters—the platforms—it may distort our view of the market and lead us to services and products that its masters wish to promote.
But the potential harm transcends the search bias issue, which Google is currently defending in Europe. The increase in the super-platform’s economic power can translate into political power. As we increasingly rely on one or two head butlers, the super-platform will learn about our political beliefs and have the power to affect our views and the public debate.
The discussions about algorithmic bias often have an almost science fiction feel to them. But as personal assistant platforms are monetized through deals with advertisers and secretive business practices designed to extract value from users, the threat of attitude shaping will become even more important. Why did your assistant recommend a particular route? (Answer: because it took you past businesses the platform owner believes you are predisposed to spend money at.) Why did your assistant present a particular piece of news? (Answer: because the piece in question conformed with your existing views and thus increased the time you spent on the site, during which you were exposed to the platform’s associated advertising partners’ content.)
We are shifting to a world where algorithms are functionally what we call magic. A type of magic that can be used to exploit us while we think that algorithmically-designed digital assistants are markedly changing our lives for the better.
From Ars Technica:
Researchers say they’ve uncovered a family of Android-based malware that has compromised more than 1 million Google accounts, hundreds of them associated with enterprise users.
Gooligan, as researchers from security firm Check Point Software Technologies have dubbed the malware, has been found in at least 86 apps available in third-party marketplaces. Once installed, it uses a process known as rooting to gain highly privileged system access to devices running version 4 (Ice Cream Sandwich, Jelly Bean, and KitKat) and version 5 (Lollipop) of Google’s Android operating system. Together, the vulnerable versions account for about 74 percent of users.
Update: In a separate blog post also published Wednesday morning, Android security engineer Adrian Ludwig said he and other Google officials have worked closely with Check Point over the past few weeks to investigate Gooligan and to protect users against the threat it poses. He said there’s no evidence data was accessed from compromised accounts or that individual users were targeted. He also said Google has been using a service called Verify Apps to scan individual handsets for signs of Gooligan and other Ghost Push apps. When detected, device owners receive a warning and installations are halted.
“We’ve taken many actions to protect our users and improve the security of the Android ecosystem overall,” Ludwig wrote. “These include: revoking affected users’ Google Account tokens, providing them with clear instructions to sign back in securely, removing apps related to this issue from affected devices, deploying enduring Verify Apps improvements to protect users from these apps in the future and collaborating with ISPs to eliminate this malware altogether.”
While Google is taking this threat seriously – which is a good thing! – there is the problem that handsets shipping without the Google Play Store will remain vulnerable to this and other kinds of malware, unless those other app stores also try to warn users. Even Google’s warning system is, really, some chewing gum to cover up a broader security issue: a huge majority of Android phones have an outdated version of Android installed and will likely never see operating system or security updates. These vulnerabilities will continue, unabated, until Google actually can force updates to its partners. And history says that’s not likely to happen anytime soon.
One malicious app infected with the so-called DressCode malware had been downloaded from 100,000 to 500,000 times before it was removed from the Google-hosted marketplace, Trend Micro researchers said in a post. Known as Mod GTA 5 for Minecraft PE, it was disguised as a benign game, but included in the code was a component that established a persistent connection with an attacker-controlled server. The server then had the ability to bypass so-called network address translation protections that shield individual devices inside a network. Trend Micro has found 3,000 such apps in all, 400 of which were available through Play.
“This malware allows threat actors to infiltrate a user’s network environment,” Thursday’s report stated. “If an infected device connects to an enterprise network, the attacker can either bypass the NAT device to attack the internal server or download sensitive data using the infected device as a springboard.”
BYOD: a great cost-saving policy. Until it leads to an attacker compromising your network and potentially exfiltrating business-vital resources.
It’s no secret that Hangouts was poorly supported inside Google, so will Allo be any different? I’ve heard that Google Hangouts was never given resources because Google felt it would never be a money-maker. In instant messaging, you talk to your friends and send pictures back and forth, and an ad-powered Google service is never involved. With Allo, that changes because the Assistant is a gateway to search. Every question to the Assistant is a Google Search, with in-app answers coming for questions and links to generic Web searches for everything else. With search comes the possibility for ads, both from the generic search links and in the carousels that answers often provide. I’ve yet to see an advertisement inside Allo, but since it seems possible for Allo to make money, maybe it will receive more support than Hangouts did.
Setting aside the basic privacy issues of Google having access to the unencrypted, plaintext chats you have with friends and colleagues, the fact that Google is apparently unwilling to support its own products if they can’t be used to empower Google advertising is just gross. Google has impressively wasted the skills and talents of a generation of developers: imagine what might exist, today, if people were empowered to write software absent the need to data mine everything that is said for advertising purposes?
Android’s security team patched the initial bug within weeks, but it inspired a wave of new attacks on the way Android processes audio and video files. The first copycat bugs were reported just days after the first patch, with more serious exploits arriving months later. The most recent Android patch report, released today, patches three separate vulnerabilities in Android’s media-processing function, including one critical flaw that could be used for remote code execution.
Now, Android is rebuilding that system from the ground up. When Android 7.0 Nougat began rolling out to phones last month, it came with a rebuilt media playback system, specifically designed to protect against the Stagefright family of attacks. In a post today, Android’s security team revealed new details on exactly how Nougat security has changed and what the team learned from last year’s string of bugs.
The vulnerability is more fully and truly patched! Hurray!
A shame that few users will ever receive an update to the new version of Android, let alone the patches in the previous version (6) of Android. The best/easiest way for most users to ‘update’ an Android-based mobile phone is to throw their current phone in the trash and buy a new one…and even then, the phone they buy will likely lack recent patches. Heck, they’ll be lucky if it has the most recent operating system!
This stands directly in contrast to iOS. Apple can push out a global patch and there are remarkably high levels of uptake by end-users. Google’s method of working with handset manufacturers and carriers alike puts end-users at greater and greater risk. They’re simply making dangerous products available. They’re behaving worse than Microsoft in the Windows XP days!
A hardware bug or defect is not the cause of the issue, but rather a specification change made on Google’s end that “exceed the capability of the TV’s hardware.”
Thank god that this absolute blight on computer security is finally starting to be fully deprecated. Which means it should only continue to be a problem until the mid- to late-2020s as people gradually upgrade their devices to those which will not run Flash content by default…