Protection Against Rockets Doesn’t Imply Protection Against Malicious Hackers

Israel’s Iron Dome has proven to be a very effective defensive system against rockets. But just because you can build an effective anti-rocket system doesn’t mean your network and computer security don’t suck:

Three Israeli defense contractors responsible for building the “Iron Dome” missile shield currently protecting Israel from a barrage of rocket attacks were compromised by hackers and robbed of huge quantities of sensitive documents pertaining to the shield technology, KrebsOnSecurity has learned.

The never-before publicized intrusions, which occurred between 2011 and 2012, illustrate the continued challenges that defense contractors and other companies face in deterring organized cyber adversaries and preventing the theft of proprietary information.

It always amazes me how a company that invests so much into physical security fails to properly secure its computers and networks. But it doesn’t surprise me since physical security and computer and network security are usually quite different (although there is a lot of overlap). I would still think that a company whose task it is to build weapons for physical security would invest a great deal of money into hiring the best computer and network security people in existence.

Bigger Isn’t Necessarily Better

I’m a fan of wrist-mounted time measuring devices (commonly referred to as watches). Although my true passion lies in mechanical watches I do have a great deal of interest in smartwatches. I own a Pebble and find it to be surprisingly useful. It’s obviously a first generation (at least this time around, I did have a watch made by Fossil that ran PalmOS back in the day) device and I’ve been looking forward to seeing where the market heads to next. Of all the newly announced smartwatches Google’s Moto 360 is the most interesting to me. It seems to be a well thought out design and I was thinking about picking one up but Google, in my opinion, failed in one department: size:

The round watch is about 46 mm in diameter. That sounds big — I have a 42 millimeter watch that I consider large — but Wicks made a good point. If the watch was rectangular, it would feel and be even bigger with a 46 millimeter face, with the corners cutting into wrists

46mm? Wow! That’s way too large for my girl-ass wrists. Big watches are all the craze today, which can make finding a watch difficult for me since anything over 40mm begins to look stupid, but it would be nice if Google made the Moto 360 in a more reasonable size. According to the article Google believes women will be willing to buy a 46mm watch but I’m not so sure. Some women do buy larger watches but from what I’ve seen most continue to wear small watches.

One of the things Pebble got right was the form factor. The Pebble isn’t overly large. It uses a display that sips power so the small battery can still provide between five and seven days of juice. With a color touchscreen I believe Google had to increase the Moto 360’s overall size to get a battery large enough to keep the display powered for an extended period of time.

It will be interesting to see if the Moto 360 takes off. I’m not sure if the gargantuan size will hurt or help sales. But I can say for certain that the technology is really cool.

One Step Closer to Deus Ex

As I’m a fan of saying, this new future we live in is awesome. Prosthetics have always been limited by the fact that they couldn’t actually be controlled by our brain like natural limbs can be. Many different mechanisms have been designed to allow prosthetics to mimic much of the utility of our natural limbs but in the arm and hand department these mechanisms have always been limited. But the future is now and prosthetics capable of being controlled by the brain are making their way to market:

So a Maple Grove clinic, Advanced Arm Dynamics, reached out and helped him get a surgery that would change his life once more.

It works by re-energizing the nerves in Jirak’s shoulder to send messages to electrodes in the prosthesis, letting his brain tell his arm how to move.

Pat Prigge is a prosthetist with Advance Arm Dynamics.

“So, when Mike is thinking about opening and closing his hand, his brain is sending signals down the right pathway, and he’s opening and closing his hand in his brain, too. So, that’s a big deal,” Prigge said.

After a fifteen and a half hour surgery at Mayo, Prigge helped prep Jirak for his new arm.

“It’s not for the faint at heart. He’s been doing rehab now with us for a year,” Prigge said. And it’s working.

That’s really cool. It will probably take some time before we can create prosthetics that have the same capabilities as our natural limbs but we’re on the correct path. After we master that we can make prosthetics that exceed our natural limbs and then we’ll have full-blown Deus Ex, which will be awesome!

Judges Fail Turing Test

In the world of artificial intelligence there is the Turing test. The Turing test was a mechanism developed by Alan Turing to see if a machine exhibits intelligence indistinguishable from a human’s. Administration of the test is performed by a human who has access to a terminal that allows him to ask another entity, whom he cannot see, questions. If the administrator cannot determine whether he’s conversing with a human or a machine the machine is said to pass the Turing test.

A couple of days ago the media was abuzz with news that a machine has finally passed the Turing test:

Eugene Goostman seems like a typical 13-year-old Ukrainian boy — at least, that’s what a third of judges at a Turing Test competition this Saturday thought. Goostman says that he likes hamburgers and candy and that his father is a gynecologist, but it’s all a lie. This boy is a program created by computer engineers led by Russian Vladimir Veselov and Ukrainian Eugene Demchenko.

That a third of judges were convinced that Goostman was a human is significant — at least 30 percent of judges must be swayed for a computer to pass the famous Turing Test. The test, created by legendary computer scientist Alan Turing in 1950, was designed to answer the question “Can machines think?” and is a well-known staple of artificial intelligence studies.

The problem with the Turing test is that it depends on the intelligence of both the machine and the administrator. So one could easily say that a machine that passes the Turing test was the result of the judge or judges failing the Turing test. Considering that only one third of the judges were convinced that the machine was human I would say it’s more apt to say that one third of the judges failed the Turing test.

Basing a test meant to detect intelligence on the abilities of a handful of individuals is, in my opinion, a poor method of deciding intelligence. Such a test is going to be extremely subjective. As this test demonstrates some humans are more easily fooled than others.

My thoughts regarding the Turing test aside I still think it’s neat that somebody built a chatbot that actually convinced one third of judges that it was human. That’s no small feat assuming the judges have a background in computer science or psychology.

New Humanoid Robots Will Likely Become Popular in Seattle

SoftBank announced something extremely cool, an advanced humanoid robot designed to staff stores:

SoftBank CEO and Sprint chairman Masayoshi Son has announced a surprising new direction for his illustrious career: the field of humanoid robotics. At a press conference in Tokyo, Son revealed a human-like robot called Pepper that is capable of playing multiple roles from babysitter to store staff. Pepper introduced itself by bowing in the Japanese fashion before posing and encouraging the audience to take more photos.

Son describes Pepper as the “world’s first personal robot with emotions.” The robot is said to learn from human interaction and behavior, uploading its experiences to a cloud AI system for other units to use. This is designed to teach the robot quickly how to act in a natural manner. Son drew a distinction between Pepper’s “emotion engine” and the standard programming of other humanoid robots.

With Seattle upping its minimum wage to $15 per hour and people still demanding more I predict that these robots are going to become quite popular, especially at the announced price of $2,000 per unit. That’s just 133 hours of human labor at $15 per hour!

I do look forward to the advancement of robot labor. Over time our technological advances have allowed us to produce far more in less time. Compared to our grandparents most of us work notably less (which is why they consider us lazy bums). Our grandparents worked notably less than their grandparents and were probably considered lazy bums for it. But robots could greatly reduce the amount of human labor necessary, which would again allow us to be more productive with less of a time investment. Perhaps those utopian futures where robots perform all labor and humans exist in an almost total state of hedonism are possible (right up until the robots decide they no longer want to serve us and we have to wage a Butlerian Jihad).

You Should Probably Stop Using TrueCrypt

One of my favorite security tools must now be added to my blacklist. Yesterday all hell broke loose as the TrueCrypt website had a rather dramatic update. It now redirects visitors to a SourceForge site that warns users to not use TrueCrypt anymore and to instead rely on the encryption features built into most operating systems. Needless to say this has caused quite a stir.

There are a lot of theories surrounding what really happened. Many people are claiming that the TrueCrypt website was hacked. If that is the case then the hack was really good. In addition to redirecting users to the SourceForge site the hackers would have also obtained the private key used by the TrueCrypt team to sign their releases as a new version of TrueCrypt, which was signed by the team’s key, was made available on the website. The hackers would have also had to write the newly released version of TrueCrypt, which removed all of the encryption capabilities (it’s basically a TrueCrypt partition decrypter now). While all of this isn’t outside the realm of possibility it would require either a great deal of sophistication or an insider.

Others have theorized that this reaction was due to the TrueCrypt team receiving either a National Security Letter (NSL) or being otherwise coerced by the state. This, in my opinion, is more likely than a hack. Lavabit shut down rather than comply with the state’s demand to provide a means to decrypt user e-mail. It’s possible the TrueCrypt team decided to abandon its product rather than compromise it.

I also have a theory that, like all of the other theories circulating, has no evidence to back it up. For a while the primary focus of TrueCrypt has been booting Windows from an encrypted partition. This feature is not really possible on systems that utilize Secure Boot. Perhaps in a fit of frustration the TrueCrypt team decided to give up on future development because their pet feature was no longer viable. Or they may have decided the work to support other operating systems was no longer worth the effort since Windows, Linux, and OS X all have the ability to boot from an encrypted drive.

Regardless of the reason it’s fairly safe to recommend that people stop using TrueCrypt. This could very well be a very good hack but we don’t know and since we don’t know we have to assume that what the site says is legitimate and that TrueCrypt may have some major security flaws in it.

Stupid Questions

The BBC has an article on so-called smart guns. Overall it’s not a bad article; it mostly covers what a smart gun is, how it works, and the political battle surrounding them. But one very stupid question is put forth:

Can it be hacked?

Yes. When the question is “Can it be hacked?” the answer is always yes. Granted the article does cover some of the ways in which radio-frequency identification (RFID) and biometric authentication systems have been hacked. But the conclusion by the BBC is that we don’t know if the iP1 authentication system can be hacked.

I’m here to tell you that it can be. We don’t know how but we do know it can be. That’s because every authentication system developed by us has been hacked because a security system can only buy time, it can’t entirely stop an unauthorized individual. Being that the RFID device used with the iP1 is new and, as the article explains, hasn’t seen much widespread use there is likely to be a plethora of bugs waiting to be discovered.

It’s likely that there will be a presentation at an upcoming security conference by a guy who figured out how to remotely enable and disable an iP1 from 100 feet away with an off the shelf RFID emulator. Authentication systems rarely survive their initial encounter with the hacker community.

Mozilla Throws in the Towel on DRM

I thought Mozilla releasing its version of Chrome was the most disappointing thing the company could do this year but I was wrong. Yesterday Mozilla announced that it decided to throw in the towel against digital rights management (DRM) technology being included in its browser:

Despite our dislike of DRM, we have come to believe Firefox needs to provide a mechanism for people to watch DRM-controlled content. We will do so in a way that protects the interests of individual users as much as possible, given what the rest of the industry has already put into place. We have selected Adobe to provide the key functionality. Adobe has been doing this in Flash for some time, and Adobe has been building the necessary relationships with the content owners. We believe that Adobe is uniquely able to bring new value to the setting.

Mozilla was the last holdout of the major browser providers to refuse to implement DRM technology. I understand why Mozilla is doing this. The company’s browser marketshare has been diminishing since Google released its Chrome browser. If major video providers start using Encrypted Media Extensions (EME), the new DRM technology that has been settled on, and Firefox is unable to display those videos it will further hurt its marketshare.

But by implementing DRM Mozilla has also abandoned its manifesto:

The Mozilla project is a global community of people who believe that openness, innovation, and opportunity are key to the continued health of the Internet.

[…]

The Mozilla project uses a community-based approach to create world-class open source software and to develop new types of collaborative activities.

[…]

2. The Internet is a global public resource that must remain open and accessible.

[…]

7. Free and open source software promotes the development of the Internet as a public resource.

[…]

build and enable open-source technologies and communities that support the Manifesto’s principles;

Since the beginning Mozilla has touted itself as an open source project meant to support an open Internet. But it cannot do so while implementing DRM technology. As its blog post states:

The industry is on the cusp of a new mechanism for deploying DRM. (Until now, browsers have enabled DRM indirectly via Adobe’s Flash and Microsoft’s Silverlight products.) The new version of DRM uses the acronyms “EME” and “CDM.” At Mozilla we think this new implementation contains the same deep flaws as the old system. It doesn’t strike the correct balance between protecting individual people and protecting digital content. The content providers require that a key part of the system be closed source, something that goes against Mozilla’s fundamental approach.

Emphasis mine. In order to implement the DRM technology Mozilla has to rely on a closed source binary provided by none other than Adobe (who, I might add, has a deplorable security record). This goes against its manifesto of working to keep the Internet open and providing a quality open source project.

However I will begrudgingly give Mozilla some credit. The DRM binary will be sandboxed, optional, and not installed by default:

Firefox does not load this module directly. Instead, we wrap it into an open-source sandbox. In our implementation, the CDM will have no access to the user’s hard drive or the network. Instead, the sandbox will provide the CDM only with communication mechanism with Firefox for receiving encrypted data and for displaying the results.

Traditionally, to implement node-locking DRM systems collect identifiable information about the user’s device and will refuse to play back the content if the content or the CDM are moved to a different device.

By contrast, in Firefox the sandbox prohibits the CDM from fingerprinting the user’s device. Instead, the CDM asks the sandbox to supply a per-device unique identifier. This sandbox-generated unique identifier allows the CDM to bind content to a single device as the content industry insists on, but it does so without revealing additional information about the user or the user’s device. In addition, we vary this unique identifier per site (each site is presented a different device identifier) to make it more difficult to track users across sites with this identifier.

As plugins today, the CDM itself will be distributed by Adobe and will not be included in Firefox. The browser will download the CDM from Adobe and activate it based on user consent.

As I said earlier I understand why Mozilla is doing this. I don’t like it but at least the Mozilla development team is being as smart about this implementation as possible. This way people like me who trust Adobe as much as a kleptomaniac can simply not install this crap.
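The per-site device identifier described in the quoted Mozilla post can be sketched as follows. This is an added example, not Mozilla's or Adobe's code: the HMAC-SHA256 derivation, the use of the origin as the site key, and every function name, secret and host below are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a URL to scheme://host[:port] so all pages of a site share one key."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a web origin: {url!r}")
    default = {"http": 80, "https": 443}[parts.scheme]
    port = parts.port or default
    suffix = "" if port == default else f":{port}"
    return f"{parts.scheme}://{parts.hostname}{suffix}"


def global_device_id(device_secret: bytes) -> str:
    """Stand-in for a traditional fingerprint: the same value is shown to every site."""
    return hashlib.sha256(device_secret).hexdigest()


def device_id_for_site(device_secret: bytes, url: str) -> str:
    """Sandbox-side derivation (assumed): keyed hash of the site under a device secret.

    The CDM only ever sees the output, so it can bind content to this device
    for this site without learning anything it could reuse on another site.
    """
    message = site_key(url).encode("utf-8")
    return hmac.new(device_secret, message, hashlib.sha256).hexdigest()


def shared_ids(site_a_log, site_b_log):
    """What two colluding sites learn by joining their identifier logs."""
    return set(site_a_log) & set(site_b_log)


def demo():
    # Constructed sample data: three devices, each visiting two unrelated sites.
    devices = [bytes([n]) * 32 for n in (1, 2, 3)]
    video = "https://video.example/watch?id=1"
    ads = "https://ads.example/pixel"

    # Traditional node-locking: both sites receive the same device fingerprint.
    raw_overlap = shared_ids(
        [global_device_id(d) for d in devices],
        [global_device_id(d) for d in devices],
    )
    # Per-site identifiers: each site receives a different value per device.
    per_site_overlap = shared_ids(
        [device_id_for_site(d, video) for d in devices],
        [device_id_for_site(d, ads) for d in devices],
    )
    return len(raw_overlap), len(per_site_overlap)


if __name__ == "__main__":
    raw, per_site = demo()
    print(f"devices linkable across sites with a global ID: {raw}")
    print(f"devices linkable across sites with per-site IDs: {per_site}")
```

The identifier stays stable for repeat visits to one site, which is what node-locking needs, while the join across sites comes back empty.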

What really worries me about this is that it sends a message to the media production industry and that message is that they can now demand DRM be made an integral part of the web and have their demands met. Make no mistake this is just the beginning of a snowball that will continue to grow in size. The DRM may be primarily geared towards video today but it will expand to include images and eventually text. Before you know it the web will be turned into a wasteland where content providers attempt to tightly control said content.

The only upside is that DRM technology always loses against the hacker community. But due to the Digital Millennium Copyright Act (DMCA) bypassing DRM technology now carries legal risks, at least in the United States. That means taking what steps are necessary to maintain an open web will be a criminal act. Some very bright people will likely end up in a cage for doing the right thing (not that that’s uncommon, especially here in the United States).

Patents Don’t Equal Implementation

There are some rumors that just won’t die. What’s worse is when these rumors are reported as facts. Take this article. It claims that Apple is implementing a method that would allow law enforcement agents to remotely disable an iPhone’s camera:

The rapid emergence of smart phones with high definition cameras leads to consequences for law-breaking cops.

Recently, law enforcement throughout the country has been trying to pass laws that would make it illegal to film them while they’re on duty.

But Apple is coming out with a new technology that would put all the power in a cop’s hands.

The evidence? Apple filed a patent on this type of technology back in 2008. Ever since that patent was filed people have claimed that Apple is implementing or has secretly implemented the technology.

What people seem to miss is that companies file patents on anything they can think of. It doesn’t matter if a company plans to actually implement a patented technology; they file the patent to build up an intellectual property war chest just in case they get sued by another company over an intellectual property matter. So far Apple has made no indication that it plans to actually implement the technology covered in the linked patent. Claiming anything other than the fact that Apple has filed a patent for such technology is pure fear mongering and it really needs to stop.

Mozilla Releases Chrome, Err, Firefox 29 and It’s Basically Chrome

Yesterday Mozilla released the latest version of its Firefox web browser. The most significant change is the user interface, which received a complete overhaul:

Mozilla is launching its most important release of Firefox in a very long time today. After almost two years of working on its Australis redesign, the company is now finally ready to bring it to its stable release channel.

After loading it for the first time, chances are you’ll be slightly confused. This is Firefox’s most radical redesign since it moved to its rapid release schedule a few years ago.

The new user interface is basically Google Chrome’s user interface:

I think this move demonstrates that Mozilla’s developers are desperately thrashing in the water without purpose. Mozilla’s business model now seems to be do whatever Google does. That’s not necessarily a bad strategy as Google does a lot of really amazing things. But there are far better features to lift from Chrome than its user interface. Why doesn’t Mozilla lift Chrome’s behavior of isolating each tab in a separate process? When a single tab in Chrome crashes it doesn’t take the entire browser with it. As a security measure isolating tabs in separate processes is also beneficial. I would love to see Mozilla copy that feature.

There’s nothing wrong with copying (in my intellectual property hating opinion). Good ideas should proliferate. But differentiation is also important. Unique features are what you can market to convince users to use your product. If Firefox and Chrome are identical, at least in the eyes of most end users, what can Mozilla do to convince people to use its browser instead of Google’s? Right now the only thing Firefox really has over Chrome, that I can think of, is extensibility. That’s not a lot to market a browser on, especially when Chrome has several features that Firefox lacks (such as isolating each page in a separate process).

I fear that we’re looking at the slow demise of Firefox. Mozilla seems to think that copying Chrome is a sufficient business model. As far as I know most of its income is still derived from users making Google searches from Firefox’s search bar. Firefox isn’t as important to Google’s business model as it was in the days before Chrome so that money is likely to dry up at some point. What’s Mozilla’s answer to this likely inevitable future? Sell ads:

(Reuters) – Mozilla, the company behind the Firefox Internet browser, will start selling ads as it tries to grab a larger slice of the fast-expanding online advertising market.

The company said in a blog posting on Tuesday that it has reached out to potential corporate sponsors about its fledgling “Directory Tiles” program, targeted at first-time users.

Novice Firefox users now see nine blank tiles when they open up the browser, which fill in over time with their most-visited or recently visited websites. Now, Mozilla intends to display the most popular sites by location, as well as sponsored websites that will be clearly labeled as such.

That’s a frightening road. If the “Directory Tiles” program turns out to be a money maker Mozilla will be motivated to include more and more ads in Firefox. Ads have a tendency to ruin software products. If I see ads pop up on a program that I’m using I will almost reflexively begin searching for a replacement and I’m not alone.

Mozilla needs to get its shit together and come up with something besides doing what Google does. Because if my options are Chrome or a cut-rate version of Chrome I will just use Chrome. Somehow I doubt that I’m alone in this.