Month: March 2016

Jonathan Zdziarski:

In information security, we have many widely accepted terms for network based threats. These include worms, viruses, backdoors; we have penetration tools, fuzzers, scanners, sniffers, etc. These are all very specific terms and they have a general consensus about their meaning. We don’t use dramatic and generalized terms like “pathogen”, and most people in information security even hate the term “cyber”. In fact, CSI: Cyber is not even bold enough to use wildly nonexistent terms like “cyber pathogen” in their scripts. Why? Because terms like this have no technical substance whatsoever, and will incite either fear or eye rolling (often the latter).

Ramos’s statements are not only misleading to the court, but amount to blatant fear mongering. They are designed to manipulate the court into making a ruling for the FBI, and in my opinion are egregious enough that Ramos should be held in contempt just for filing what amounts to a crazy apocalypse story.

A lot of dumb stuff has been said during and about this trial; I’m pretty sure I’ve misinterpreted some things as well. But this cyber pathogen thing is — by far — the most ridiculous thing I’ve read so far.

Lorenzo Franceschi-Bicchierai, Vice:

[Amazon] has recently deprecated support for device encryption on the latest version of Fire OS, Amazon’s custom Android operating system, which powers its tablets and phones. In the past, privacy-minded users could protect data stored inside their devices, such as their emails, by scrambling it with a password, which made it unreadable in case the device got lost or stolen. With this change, users who had encryption on in their Fire devices are left with two bad choices: either decline to install the update, leaving their devices with outdated software, or give up and keep their data unencrypted.

Amazon claims that their users simply didn’t use the encryption features, but all iPhone and iPad users who use a passcode have encryption enabled automatically. Why doesn’t Amazon do that instead of regressing? They might be supporting Apple (PDF) in the latter’s case against the FBI, but their behaviour implies that they don’t really care.

Update: Amazon says they’re going to bring back full-device encryption with a software update later this year.

David Kravets, Ars Technica:

The San Bernardino District Attorney told a federal judge late Thursday that Apple must assist the authorities in unlocking the iPhone used by Syed Farook, one of the two San Bernardino shooters that killed 14 people in a killing rampage in December. The phone, which was a county work phone issued to Farook as part of his Health Department duties, may have been the trigger to unleash a “cyber pathogen,” county prosecutors said in a brief court filing.

“The iPhone is a county owned telephone that may have connected to the San Bernardino County computer network. The seized iPhone may contain evidence that can only be found on the seized phone that it was used as a weapon to introduce a lying dormant cyber pathogen that endangers San Bernardino’s infrastructure,” according to a court filing (PDF) by Michael Ramos, the San Bernardino County District Attorney.

Is that really the best Ramos can come up with?

Also, if there really is a “cyber pathogen” on the device that would endanger San Bernardino’s infrastructure should it be released, wouldn’t it be best to leave the iPhone turned off and encrypted? It certainly doesn’t sound like they have the technical expertise to reverse-engineer it or come up with a solution for it should it be released.

Josh Centers, TidBits:

The Apple Worldwide Developer Relations Intermediate Certificate is required for all apps in the Mac App Store, including OS X installers. When used to sign an app, the certificate enables OS X to confirm that the app has not been corrupted or modified by an attacker. This certificate expired on 14 February 2016, causing error dialogs and preventing some apps from launching. Most apps affected have already been updated with the new certificate. But if you downloaded an OS X installer in case of trouble, you may be in for a surprise the next time you try to use it.

If you previously downloaded an OS X installer as a safeguard, be sure to re-download it soon — before you need it.

Joe Mullin, Ars Technica:

The Walt Disney Company has a reputation for lobbying hard on copyright issues. The 1998 copyright extension has even been dubbed the “Mickey Mouse Protection Act” by activists like Lawrence Lessig that have worked to reform copyright laws.

This year, the company is turning to its employees to fund some of that battle. Disney CEO Bob Iger has sent a letter to the company’s employees, asking for them to open their hearts—and their wallets—to the company’s political action committee, DisneyPAC.

In the letter, which was provided to Ars by a Disney employee, Iger tells workers about his company’s recent intellectual property victories, including stronger IP protections in the Trans-Pacific Partnership, a Supreme Court victory that destroyed Aereo, and continued vigilance about the “state of copyright law in the digital environment.” It also mentions that Disney is seeking an opening to lower the corporate tax rate.

As Mullin notes, it’s not unheard-of for a company to solicit contributions to political campaigns or lobbyists in order to further the company’s business goals. But Disney is especially notable for lobbying hard for extensions in copyright laws, and they’re ramping up for a big push over the next couple of years.

Cory Doctorow, in a series of tweets:

The reality of Mickey Mouse & copyright term-extension is much more complicated than Steamboat Willie, FWIW … The significant issue isn’t Mickey, it’s everything else made after 1928. … If Disney fails to secure copyright term extension in 2018, then by 2028, it will also lose Snow White. … Five years later, it will lose Pinocchio, Fantasia, Dumbo, Bambi, and Saludos Amigos. … By the time we get to works from 1950, Disney starts to lose 1 major film/year.

Disney wants their intellectual property to be perpetually theirs, at great detriment to the public domain. Lawmakers need to have the courage to say that these term extensions have gone on for long enough. It’s time, Disney, for you to let it go.

Let it go.

Can’t hold it back any more.

Jonathan Zdziarski:

The fact that the device appears to have been found on, but later turned off (or allowed to die) is the second, and much bigger mistake made by the FBI. As I wrote in yet another post, allowing the phone to be powered down eliminated five more ways the FBI could have gotten data off of the device […]

Congress did not ask Comey about this, nor did they challenge Comey’s misleading statements about the iCloud backup being irrelevant to their investigation. Quite the contrary, both mistakes put together have now interfered with six different techniques the FBI had at their disposal to obtain evidence off of the device.

Just how much evidence tampering is required before Congress or the courts will throw this case out of court? Should we be setting a precedent to breathe such a dangerous forensics tool into existence for reasons that only exist because the FBI proved incompetent?

The FBI’s handling of the technological evidence they collected — and did not collect[1] — betrays a mix of poor judgement and ignorance. They had six different opportunities to get the data they’re after, and they blew them all.


  1. “The Apple executive told reporters that the company’s engineers had first suggested to the government that it take the phone to the suspect’s apartment to connect it to the Wi-FI there. But since reporters and members of the public had swarmed that crime scene shortly after the shootings occurred, it was likely that any Wi-Fi there had been disconnected.”

Phil Hill[1] (via D’Arcy Norman):

The market for textbooks is distorted – there is absolutely no reason that a digital textbook rental should cost five times what a physical textbook rental costs. This is not a market where you can make otherwise common sense assumptions such as digital being lower cost, or assumptions that a decrease in adoption means that students do not want more digital options.

As most students are now required — either by implication or by school policy — to have a laptop by high school, the hardware cost of technology is becoming baked into the cost of education. Not everyone can bear this financial burden, but that’s a longer discussion requiring a more comprehensive solution.

At any rate, an iPad could potentially present a better investment considering its typically longer upgrade cycle. That, combined with a greater focus from Apple could place the iPad in a much better position in an educational context. But the cost of textbooks remains an enormous issue. An iPad Mini is about $300, but the cost of textbooks for a full course load every academic year can be far greater, and those prices haven’t gone down for digital books.


  1. Not that Phil Hill.

Excellent article from Stephen Hackett, making the case that Apple’s investment in education — particularly on the iPad — has wavered in the past few years:

With iOS 9.3, Apple is firing back, adding to its tools to make the iPad a better citizen in schools. I believe education is still near to the heart of Apple, and I’m sure they’ll keep working to improve their offerings in the space. They’ve come a long way since 2012, that’s for sure, but I’m not sure their dream of digital textbooks will ever come true.

Never say “never”, but there’s a long way to go before lugging textbooks from class to class is replaced by a glass and aluminum unibody. Perhaps that’s a role for the iPad Mini.

Eric Schmidt, 2009:

If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.

Andrea Shalal, reporting for Reuters:

Eric Schmidt, the former chief executive officer of Google, has agreed to head a new Pentagon advisory board aimed at bringing Silicon Valley innovation and best practices to the U.S. military, Defense Secretary Ash Carter said on Wednesday.

Carter is due to discuss the new Defense Innovation Advisory Board with Schmidt during the annual RSA cybersecurity conference in San Francisco. Schmidt is now the executive chairman of Alphabet Inc, the parent company of Google.

The new board is Carter’s latest effort to kick-start innovation across the U.S. military by building bridges to the U.S. technology industry. The U.S. defense chief announced the board’s creation on Wednesday during his third trip to Silicon Valley since taking office just over a year ago.

I’m not really sure I want bridges to be built between the U.S. Department of Defense and tech companies, and I definitely don’t want Schmidt building them.

The FBI’s James Comey, Apple’s Bruce Sewell, New York District Attorney Cyrus Vance, and noted security and encryption expert Dr. Susan Landau testified before a congressional committee today about concerns surrounding the encryption built into smartphones — and, more specifically, the iPhone.

I listened to most of the hearing today, so I have some thoughts; but, first, Geoff Dyer and Tim Bradshaw report for the Financial Times:

James Comey, director of the FBI, said that the introduction of enhanced encryption on smartphones was creating a new area of communication and information “that nobody else can get into”, even with a court order.

“Our job is simply to tell people there is a problem,” Mr Comey said. “If there are warrant-proof spaces in American life, what does that mean and what are the costs of that?” He added: “The tools we use to keep you safe are becoming less and less effective.”

Bruce Sewell, Apple’s chief counsel, said the company was “in an arms race with criminals, cyberterrorists and hackers”.

“There is probably more information stored on that iPhone than a thief could steal by breaking into your house,” he said. “The only way we know to protect that data is through strong encryption.”

He also angrily rebutted the FBI’s claim that stronger encryption on iPhones was part of a marketing strategy, a suggestion he said “makes my blood boil”.

“We don’t take out billboards for our security. We don’t take out ads for our encryption,” he said. “We’re doing this because we think it’s the right thing to do.”

This is a pretty good summary.

Both sides of this debate — Comey and Vance on one; Sewell and Landau on the other — framed this not as an issue of privacy vs. security, but as security vs. security. Similarly, this was not a partisan issue — supporters and detractors from both sides came from both parties, almost in equal numbers. I found this common ground very intriguing, especially with how divisive the present American political landscape is.

It was also surprising to see how many pointed questions Comey received today. Usually, intelligence agencies are treated gently at these kinds of hearings, but the questioning committee was openly skeptical of the FBI’s motives, their capability to restrict backdoor access to law enforcement only, and their transparency with lawmakers of their existing activities. The only exceptions to this came from Sen. Luis Gutierrez of Illinois, and Sen. Trey Gowdy of South Carolina.

Gowdy, by the way, got pretty testy when Sewell attempted to clarify a question from him pertaining to a hypothetical scenario wherein Apple would feel compelled to comply with a similar court order. Sewell repeatedly stated that it was not the content of the phone that mattered; rather, they would comply with the law. Sewell implied that Apple does not believe this is a case where the order is in the best interests of its users or the national security of the country.

Gowdy also spent quite a lot of time asking both Comey and Sewell to contrast a surgeon being ordered to operate on a subject to acquire evidence — say, a bullet trapped under the skin — against Apple being conscripted by the government to develop a tool against their will to extract data from an iPhone. Gowdy said that this would be constitutional. However, in Winston v. Lee, the U.S. Court of Appeals held that the “proposed surgery would violate respondent’s right to be secure in his person and the search would be ‘unreasonable’ under the Fourth Amendment”. This doesn’t necessarily favour Apple so much as it does Syed Farook as a user, or the San Bernardino County as the phone’s owner.

Dr. Landau, meanwhile, killed it. She was the most direct and comprehensive speaker of the lot, to no great surprise. Over the course of the hearing, it became painfully clear just who was well-versed in encryption and technological limitations, and who was not. Make no mistake: this is a hard subject to understand, but many of the warnings and concerns raised by Landau did not feel adequately addressed. She made factual assertions about why weakening encryption on this one iPhone would weaken them all, and she supported her testimony with clear explanations. But because this is such a challenging topic, most of the Congressional staff seemed mystified as to why something could be technically impossible.

Hesitantly, I feel like the Landau-Sewell tag team was able to gain some ground, especially with how much Comey was getting scolded for the information security failings of the Department of Justice and other U.S. government departments.

But, as Sen. Jim Sensenbrenner of Wisconsin noted, Congress’ decision may not be in Apple’s favour, as Sewell did not bring any legislative text with him. And that worries me a little. While I firmly believe laws should be drafted and proposed by lawmakers like Sensenbrenner instead of private companies and lobbyists, it’s also worth noting that Sensenbrenner was one of the primary authors of the USA PATRIOT and USA FREEDOM acts, bad acronyms and all.

For more, you can watch the entire five-hour hearing on C-Span, or read the Guardian’s decent live blog.

Graham Spencer of MacStories interviewed a bunch of developers about Apple’s handling of the review process for the App Store:

Inconsistency from App Review was another major recurring theme in the survey responses. Numerous developers gave examples where App Review had approved an update containing new features, only to reject a subsequent update for those features which had previously been approved. The most frustrating of those examples were when the update was a bug fix – meaning the developer, trying to quickly resolve an issue for their users, would now have to take more time either modifying their app to comply or appeal the decision (which may not succeed).

One such example was when a small bug fix led to App Review rejecting an app because it required registration. But the app, which had been on the App Store for five years, had always required registration and all of their competitors did the same thing. In the end the app was approved, but it took about a month of appeals and several phone calls to Apple from the developer.

This article is big — it’s available as an e-book, no less — but it’s worth your time. There’s a lot of important stuff covered in it, as you might imagine.

But I’ve chosen the excerpt above because I see it — as a layperson — as the most pressing issue facing the app review process. Nearly all of the incidents I’ve covered here and most that I’ve seen elsewhere concern discrepancies in how rejections or admissions are handled on a case-by-case basis. There is little more frustrating for developers than an update being rejected for inconsistent reasons after investing time and effort into building new features, or revising their app to compete with others. It needs to be absolutely clear to both reviewers and developers under what conditions an app will be rejected.

Geoff Manaugh of Travel and Leisure magazine (yeah, seriously):

Lines of traffic snake through the centers of buildings; monuments migrate into the midst of rivers; one’s own position standing in a park or shopping mall appears to be nearly half a kilometer away, as if there is more than one version of you on the loose. Stranger yet, your morning running route didn’t quite go where you thought it did.

It is, in fact, illegal for foreign individuals or organizations to make maps in China without official permission. As stated in the “Surveying and Mapping Law of the People’s Republic of China,” for example, mapping—even casually documenting “the shapes, sizes, space positions, attributes, etc. of man-made surface installations”—is considered a protected activity for reasons of national defense and “progress of the society.” Those who do receive permission must introduce a geographic offset into their products, a kind of preordained cartographic drift. An entire world of spatial glitches is thus deliberately introduced into the resulting map.

Yet another intriguing difference between cartography from within China, and from those outside. Via Allen Tan, who has been on quite a roll lately.