A Geek With Guns

Chronicling the depravities of the State.

Archive for the ‘Technology’ Category

Uncontrolled Release of Energy

with one comment

Your smartphone has a rather sizable appetite for energy. To keep it running just for one day it needs a battery that is capable of storing a rather notable amount of energy. The same is true for your laptop, tablet, smartwatch, and any other sophisticated portable electronic device. For the most part we never think about the batteries that power our portable electronics until they degrade to such a point that we find ourselves recharging them more often than we’re comfortable with. But what happens when something besides the usual wear and tear goes wrong with our batteries? What happens if a battery decides to release its stored energy all at once? This is a problem plaguing companies that specialize in recycling electronics:

MADISON, Wis. — What happens to gadgets when you’re done with them? Too often, they explode.

As we enter new-gadget buying season, spare a moment to meet the people who end up handling your old stuff. Isauro Flores-Hernandez, who takes apart used smartphones and tablets for a living, keeps thick gloves, metal tongs and a red fireproof bin by his desk here at Cascade Asset Management, an electronics scrap processor. He uses them to whisk away devices with batteries that burst into flames when he opens them for recycling.

One corner of his desk is charred from an Apple iPhone that began smoking and then exploded after he opened it in 2016. Last year, his co-worker had to slide away an exploding iPad battery and evacuate the area while it burned out.

Due to their popularity, lithium-ion batteries are receiving a lot of attention at the moment but the problem of uncontrolled energy release isn’t unique to them. Anything capable of storing energy so that it can be released in a controlled manner can suffer a failure that causes the energy to be released in an uncontrolled manner. Consider the gas tank in your vehicle. Under normal operating conditions the energy stored in your gas tank is released in a controlled manner by your engine. But a crash can cause the energy to be released in an uncontrolled manner, which results in a fire or explosion.

Anything that can store a large quantity of energy should be treated with respect. If you’re repairing your smartphone or laptop, be careful around the battery. If you smell something odd coming from one of your battery-powered devices, put some distance between it and yourself (and anything that can catch fire and burn).

Written by Christopher Burg

September 14th, 2018 at 10:30 am

Posted in Technology

Tagged with ,

You Are Responsible for Your Own Security

without comments

One of the advertised advantages of Apple’s iOS platform is that all software loaded onto iOS devices has to be verified by Apple. This so-called walled garden is meant to keep the bad guys out. However, anybody who studies military history quickly learns that sitting behind a wall is usually a death sentence. Eventually the enemy breaches the wall. Enemies have breached Apple’s walls before and they continue to do so:

In a blog post entitled “Location Monetization in iOS Apps,” the Guardian team detailed 24 applications from the Apple iOS App Store that pushed data to 12 different “location-data monetization firms”—companies that collect precise location data from application users for profit. The 24 identified applications were found in a random sampling of the App Store’s top free applications, so there are likely many more apps for iOS surreptitiously selling user location data. Additionally, the Guardian team confirmed that one data-mining service was connected with apps from over 100 local broadcasters owned by companies such as Sinclair, Tribune Broadcasting, Fox, and Nexstar Media.

iOS has a good permission system and users can prevent apps from accessing location information but far too many people are willing to grant access to their location information to any application that asks. If a walled garden were perfectly secure, users wouldn’t have to worry about granting unnecessary permissions because the wall guards wouldn’t allow anything malicious inside. Unfortunately, the wall guards aren’t perfect and malicious stuff does get through, which brings me to my second point.

What happens when a malicious app manages to breach Apple’s walled garden? Ideally it should be immediately removed but the universe isn’t ideal:

Adware Doctor is a top app in Apple’s Mac App Store, sitting at number five in the list of top paid apps and leading the list of top utilities apps, as of writing. It says it’s meant to prevent “malware and malicious files from infecting your Mac” and claims to be one of the best apps to do so, but unbeknownst to its users, it’s also stealing their browser history and downloading it to servers in China.

In fairness to Apple, the company did eventually remove Adware Doctor from its app store. Eventually is the keyword though. How many other malicious apps have breached Apple’s walled garden? How long do they manage to hide inside of the garden until they are discovered and how quickly do the guards remove them once they are discovered? Apparently Apple’s guards can be a bit slow to react.

Even in a walled garden you are responsible for your own security. You need to know how to defend yourself in case a bad guy manages to get inside of the defensive walls.

Written by Christopher Burg

September 11th, 2018 at 10:30 am

Posted in Technology

Tagged with , ,

Why Connecting Things to the Internet Doesn’t Give Me Warm Fuzzies

without comments

The tend in seemingly every market is to take features that function perfectly well without an Internet connection and make them dependent on an Internet connection. Let’s consider two old automobile features: remote door unlocking and engine starting. Most modern vehicles have the former and many now come equipped with the latter. These features are usually activated by a remote control that is attached to your key chain and have a decent range (the remote for my very basic vehicle can reliably start the engine through several walls). Tesla decided that such a basic feature wasn’t good enough for its high-tech cars and instead tied those features to the Internet. Needless to say, the inevitable happened:

Tesla’s fleet network connection is currently down, which means that owners of the EV brand of cars aren’t able to sign into the mobile app. Unfortunately, this means that they can’t remote start or remote unlock their cars, and they’re also unable to monitor their car’s charging status.

In all fairness, this isn’t an issue unique to Tesla. Any product that makes features dependent on an Internet connection will run into a service outages at one point or another. Your “smart” coffee maker’s service will eventually go down, which will force you to walk over and press the brew button like a goddamn barbarian instead of kicking off the brew cycle from an app as you continue lying in bed.

When these Internet dependent features really bite you in the ass though is when the service provider goes out of business, especially if the product itself cannot operate without the Internet service. There are a lot of current “smart” devices that will soon end up in a landfill not because they mechanically failed but because their service provider went bankrupt. While the features that became unavailable when Tesla’s service went down weren’t critical for the functionality of the vehicle, no longer being able to remotely unlock doors, start the engine, or check the charging status would really degrade the overall user experience of the company’s vehicles.

Written by Christopher Burg

August 31st, 2018 at 10:30 am

Going the Way of Cable

without comments

Cable companies have been feeling pressure from Internet streaming services. Every day more people appear to be waking up to the fact that paying money to watch a bit of interesting content between commercials isn’t a great proposition. The glory days of ad-free subscription streaming services may be coming to and end though. Last week Netflix began experimenting with display ads to customers:

Now Netflix users might start to see ads for other shows during those countdown seconds, as the streaming giant has said it is testing out recommendations.

“We are testing whether surfacing recommendations between episodes helps members discover stories they will enjoy faster,” it said in a statement given to the website Cord Cutters.

Following in Netflix’s footsteps is Twitch, which announced that it will soon be stripping paying subscribers of their ad-free experience:

As we have continued to add value to Twitch Prime, we have also re-evaluated some of the existing Twitch Prime benefits. As a result, universal ad-free viewing will no longer be part of Twitch Prime for new members, starting on September 14.

Twitch Prime members with monthly subscriptions will continue to get ad-free viewing until October 15. If you already have an annual subscription, or if you upgrade to an annual subscription before September 14, you will continue with ad-free viewing until your next renewal date.

I’m always amused by how marketing departments try to spin the fact that their customers will be paying the same amount and receiving less. Netflix’s department has the easier task because at the moment the ads are house ads, not for third-party products. But if the company’s subscribers don’t revolt over this those house ads will begin to feature “favored partners” and if subscribers don’t revolt after that, anybody with some money in hand will be able to buy ads.

Twitch Prime’s marketing department had to justify its company’s actions by claiming that its move is good for streamers, err, creators (goddamn I love marketing speak) and then pointing out that all of the other benefits will remain as they were… until they’re eventually stripped or watered down as well.

The only solace to the cablefication of Internet streaming services is that a competitor will likely arise that will provide content without ads to paying customers, at least long enough to steal a bunch of disgruntled Netflix and Twitch customers. Then, of course, the cycle will begin anew.

Written by Christopher Burg

August 21st, 2018 at 11:00 am

Posted in Technology

Tagged with ,

Another Day, Another Exploit Discovered in Intel Processors

without comments

The last couple of years have not been kind to processor manufacturers. Ever since the Meltdown and Specter attacks were discovered, the speculative execution feature that is present on most modern processors has opened the door to a world of new exploits. However, Intel has been hit especially hard. The latest attack, given the fancy name Foreshadow, exploits the speculative execution feature on Intel processors to bypass security features meant to keep sensitive data out of the hands of unauthorized processes:

Foreshadow is a speculative execution attack on Intel processors which allows an attacker to steal sensitive information stored inside personal computers or third party clouds. Foreshadow has two versions, the original attack designed to extract data from SGX enclaves and a Next-Generation version which affects Virtual Machines (VMs), hypervisors (VMM), operating system (OS) kernel memory, and System Management Mode (SMM) memory.

It should be noted that, as the site says, this exploit is not known to work against ARM or AMD processors. However, it would be wise to keep an eye on this site. The researchers are still performing research on other processors and it may turn out that this attack works on processors not made by Intel as well.

As annoying as these hardware attacks are, I’m glad that the security industry is focusing more heavily on hardware. Software exploits can be devastating but if you can’t trust the hardware that the software is running on, no amount of effort to secure the software matters.

Written by Christopher Burg

August 15th, 2018 at 10:30 am

Posted in Technology

Tagged with ,

Nothing But the Best

with one comment

What’s the worst that could happen if the programmer for your pacemaker accepts software updates that aren’t digitally signed or delivered via a security connection? It could accept a malicious software update that when pushed to your pacemaker could literally kill you. With stakes so high you might expect the manufacturer of such a device to have a vested interest in fixing it. After all, people keeling over dead because you didn’t implement basic security features on your product isn’t going to make for good headlines. But it turns out that that isn’t the case:

At the Black Hat security conference in Las Vegas, researchers Billy Rios and Jonathan Butts said they first alerted medical device maker Medtronic to the hacking vulnerabilities in January 2017. So far, they said, the proof-of-concept attacks they developed still work. The duo on Thursday demonstrated one hack that compromised a CareLink 2090 programmer, a device doctors use to control pacemakers after they’re implanted in patients.

Because updates for the programmer aren’t delivered over an encrypted HTTPS connection and firmware isn’t digitally signed, the researchers were able to force it to run malicious firmware that would be hard for most doctors to detect. From there, the researchers said, the compromised machine could cause implanted pacemakers to make life-threatening changes in therapies, such as increasing the number of shocks delivered to patients.

Killing people through computer hacks has been a mainstay of Hollywood for a long time. When Hollywood first used that plot point, it was unlikely. Today software is integrated into so many critical systems that that plot point is feasible. Security needs to be taken far more seriously, especially by manufacturers to develop such critical products.

Written by Christopher Burg

August 10th, 2018 at 10:00 am


without comments

The American Civil Liberties Union (ACLU), which finds its spine from time to time, is pointing out what it believes are limitations of Amazon’s facial recognition system:

The American Civil Liberties Union of Northern California said Thursday that in its new test of Amazon’s facial recognition system known as Rekognition, the software erroneously identified 28 members of Congress as people who have been arrested for a crime.

Emphasis mine.

The only flaw I see in Amazon’s facial recognition system is that it’s too optimistic. As the identified members of Congress are members of Congress they deserve to be arrested.

Written by Christopher Burg

July 26th, 2018 at 10:30 am

Don’t Be Evil

with one comment

There seems to be a rule that startups appeal to and play by standards while those at the top disregard standards in order to toss wrenches into their competitors’ machinery. In Google’s early days it was a fan of standards. Now that it’s at the top of the pyramid, it seems like enthusiastic about them and has demonstrated a willingness to disregard them, usually when doing so appears to cause some issues for its competitors:

YouTube page load is 5x slower in Firefox and Edge than in Chrome because YouTube’s Polymer redesign relies on the deprecated Shadow DOM v0 API only implemented in Chrome.

Now that Google’s browser owns the market, it appears to be pulling the same stunt Microsoft when Internet Explorer was the dominant browser. By redesigning YouTube and having it rely on a deprecated API that is only currently supported in Chrome, Google has effectively made its browser appear faster than Firefox or Edge. Ends users who know nothing about such matters will only see that Chrome appears to load YouTube faster and use that criteria to declare it the best browser.

This is just the latest move in a series of moves that Google has taken that demonstrates that its old slogan, “Don’t be evil,” was meant only to develop goodwill with the community long enough to become the top dog. Now that it’s the top dog it’s more than happy to be evil.

Written by Christopher Burg

July 25th, 2018 at 10:30 am

Posted in Technology

Tagged with ,

Another Bang Up Job

with 2 comments

Legacy cellular protocols contained numerous gaping security holes, which is why attention was paid to security when Long-Term Evolution (LTE) was being designed. Unfortunately, one can pay attention to something and still ignore it or fuck it up:

The attacks work because of weaknesses built into the LTE standard itself. The most crucial weakness is a form of encryption that doesn’t protect the integrity of the data. The lack of data authentication makes it possible for an attacker to surreptitiously manipulate the IP addresses within an encrypted packet. Dubbed aLTEr, the researchers’ attack causes mobile devices to use a malicious domain name system server that, in turn, redirects the user to a malicious server masquerading as Hotmail. The other two weaknesses involve the way LTE maps users across a cellular network and leaks sensitive information about the data passing between base stations and end users.

Encrypting data is only one part of the puzzle. Once data is encrypted the integrity of the data must be protected as well. This is because encrypted data looks like gibberish until it is decrypted. The only way to know whether the encrypted data you’ve received hasn’t been tampered with is if some kind of cryptographic integrity verification has been implemented and used.

How can you protect yourself form this kind of attack? Using a Virtual Private Network (VPN) tunnel is probably your best bet. The OpenVPN protocol is used by numerous VPN providers that provide clients for both iOS and Android (as well as other major operating systems such as Windows, Linux, and macOS). OpenVPN, unlike LTE, verifies the integrity of encrypted data and rejects any data that appears to have been tampered with. While using a VPN tunnel may not prevent a malicious attacker from redirecting your LTE traffic, it will ensure that the attacker can’t see your data as a malicious VPN tunnel will fail to provide data that passes your client’s integrity checker and thus your client will cease receiving or transmitting data.

Written by Christopher Burg

July 3rd, 2018 at 11:00 am

Welcome to Postliterate America

with 3 comments

In my opinion the United States shows all the signs of a society beginning a descent into postliteracy. One of the biggest signs is the rapidly declining lack of interest in recreational reading:

The share of Americans who read for pleasure on a given day has fallen by more than 30 percent since 2004, according to the latest American Time Use Survey from the Bureau of Labor Statistics.

In 2004, roughly 28 percent of Americans age 15 and older read for pleasure on a given day. Last year, the figure was about 19 percent.

That steep drop means that aggregate reading time among Americans has fallen, from an average of 23 minutes per person per day in 2004 to 17 minutes per person per day in 2017.

I can’t say that I’m surprised by these results. The idea behind a postliterate society is that multimedia technology has advanced to the point where the ability to read and write is unnecessary. In our age of cheap data storage, data transmission, and devices capable of rendering high-definition sound and video, many of which fit in a pocket, we are less reliant on written information than we once were. Moreover, voice dictation is advancing rapidly. When I first tried voice dictation on a computer I wrote it off as useless because at the time it was. Today my phone’s voice dictation is actually pretty decent. What’s probably more amazing than the improvement of voice dictation software is the fact that it’s not nearly as important as it once was because I can just send the audio clip itself to somebody.

Will literacy go the way of shorthand and cursive? It very well could. The technology is already at a point where literacy isn’t as important as it once was. In a few more years it will probably advance to the point where literacy is almost an entirely unnecessary skill. Once that happens it may take only one or two generations until literacy is a skill held exclusive by a handful of individuals who have an interest in archaic knowledge.

Written by Christopher Burg

July 3rd, 2018 at 10:30 am

Posted in Technology

Tagged with