Vulnerability Found in Wi-Fi Protected Setup

I apologize for being a little late with this news but I’m on vacation, what can you really ask from me? Anyways a brute force vulnerability was discovered in Wi-Fi Protected Setup (WPS):

A few weeks ago I decided to take a look at the Wi-Fi Protected Setup (WPS) technology. I noticed a few really bad design decisions which enable an efficient brute force attack, thus effectively breaking the security of pretty much all WPS-enabled Wi-Fi routers. As all of the more recent router models come with WPS enabled by default, this affects millions of devices worldwide.

Ouch, glad I never used WPS to set up the security on my wireless network. Technical details about the vulnerability can be found in this writeup [PDF].

Government Bans Importation of Several HTC Phones

Via Engadget I found some very depressing news: the International Trade Commission sided with Apple in a recent patent dispute case. This means that several phones manufactured by HTC are no longer legal to import into the United States:

So what Apple has won is a formal import ban scheduled to commence on April 19, 2012, but relating only to HTC Android phones implementing one of two claims of a “data tapping patent”: a patent on an invention that marks up phone numbers and other types of formatted data in an unstructured document, such as an email, in order to enable users to bring up other programs (such as a dialer app) that process such data. The import ban won’t relate to HTC Android products that don’t implement that feature, or that implement it in ways not covered by those patent claims.

I’m not sure what HTC phones this will affect, but I know this patent describes behavior found in my Evo 4G. Regardless of what phones this affects one thing is for certain, this ruling perfectly demonstrates how businesses use the government to force competition out of their market.

While many HTC fans have been quick to jump on Apple as the culprit here I disagree. Apple simply used tools made available to cause problems for a competitor. The real culprit here is the International Trade Commission (ITC) who hold a monopoly on making such rulings and have the ability to initiate violence in order to enforce the decision. Were it not for these two things the matter would be entirely between Apple and HTC. Unfortunately our federal government maintains monopoly power over what can and can’t be imported into this country so this matter is now between Apple, HTC, and consumers who wish to purchase HTC phones. What should have been a ruling consisting entirely of monetary compensation has turned into a series of devices being added to the verboten list.

Another problem that has led to this ruling is software patents. Software patents are one of the dumbest ideas our government has ever decided to allow. I’m not sure how algorithms are treated the same as physical inventions but alas I didn’t make the stupid laws. All I know is when a product can be banned from importation because of the way an application link is formatted that something is horribly wrong with our legal system.

AT&T Ends Bid for T-Mobile

AT&T has finally decided its attempted merger with T-Mobile was just not going to be allowed by the United States government:

US telecoms giant AT&T has said it will not pursue its $39bn bid to buy T-Mobile USA after running into fierce government objections.

[…]

AT&T has said it would include a $4bn charge in its fourth-quarter accounts to cover any potential compensation due if the deal does not go ahead.

AT&T agreed to buy T-Mobile USA from Deutsche Telekom in March, aiming to create the largest US wireless network.

While many T-Mobile customers are cheering I question whether or not this will allow T-Mobile to continue existing. The bottom line is Deutsche Telekom is no longer interested in T-Mobile and is willing to break the subsidiary up and sell it in pieces if necessary. Likewise the $4 billion AT&T just paid for the failed merger goes to Deutsche Telekom, who may or may not invest it back into T-Mobile.

The merger also caused a great deal of damage to T-Mobile as it basically froze them in place. During the merger they did little or no network expansion that I’m aware of, obtained relatively few new phones, and now sit as the only carrier who doesn’t have the iPhone. If T-Mobile wants to remain relevant they have to play catchup for the last several months they did nothing while AT&T attempted to purchase the company. Overall the attempted merger may have caused irreversible damage to the fourth major carrier in the United States.

FBI Collecting Carrier IQ Data

Ever since the news about Carrier IQ broke the metaphorical shit has been hitting the metaphorical fan. People are understandably upset about the type of information carriers are collecting using the, until recently, little known software. In my original post related to Carrier IQ I stated:

Carrier iQ is likely one of the most dangerous pieces of software in common use today. I do understand the great amount of benefit it gives to cellular providers but we all know anything accessible by said providers can also be accessed by the government, often without so much as a court order.

I hate having my suspicions confirmed:

Michael Morisy, a journalist who founded an organization called MuckRock to ease the process of filing FOIA requests, wrote the FBI on Dec. 1 asking for “any manuals, documents or other written guidance used to access or analyze data gathered by programs developed or deployed by Carrier IQ…. In addition, I ask for expedited processing as this is a matter of immediate news interest: The existence of Carrier IQ’s software was recently disclosed and has immediate ramifications on constitutionally protected privacy rights.”

The FBI acknowledged receiving his request within a few days, and then issued a blanket denial, which cites a law exempting records from disclosure if releasing them could interfere with law enforcement proceedings. “In applying this exemption, I have determined that the records responsive to your request are law enforcement records; that there is a pending or prospective law enforcement proceeding relevant to these responsive records; and that release of the information contained in these responsive records could reasonably be expected to interfere with the enforcement proceedings,” an FBI records management official named David Hardy wrote to Morisy.

Notice that the Federal Bureau of Investigation (FBI) filed for an exemption; they didn’t claim to have no such data available. The only logical conclusion one can draw from this fact is that the FBI has data collected by Carrier IQ on hand but doesn’t want to disclose how much. I wouldn’t be surprised if the FBI has issued blanket requests for this data from carriers using National Security Letters (NSL). As targets of NSLs are legally prohibited from disclosing the mere fact that they received the letter we have no idea how much of this data has been collected by the FBI; they could have issued a demand that all data collected using the Carrier IQ software be turned over.

Paranoids are just people with all the facts.

Using Cell Phones to Track Shoppers

I’ve said cell phones are the best spy devices we’ve ever decided to voluntarily carry around and, as Bruce Schneier points out, the ability to judge a person’s location based on their cellphone signal isn’t restricted only to government agents:

Online retailers have long gathered behavioral metrics about how customers shop, tracking their movements through e-shopping pages and using data to make targeted offers based on user profiles. Retailers in meat-space have tried to replicate that with frequent shopper offers, store credit cards, and other ways to get shoppers to voluntarily give up data on their behavior, but these efforts have lacked the sort of data capacity provided by anonymous store browsers—at least until now. This holiday season, shopping malls in the US have started collecting data about shoppers by tracking the closest thing to “cookies” human beings carry—their cell phones.

The technology, from Portsmouth, England based Path Intelligence, is called Footpath. It uses monitoring units distributed throughout a mall or retail environment to sense the movement of customers by triangulation, using the strength of their cell phone signals. That data is collected and run through analytics by Path, and provided back to retailers through a secure website.

The location of any device that emits a wireless signal can be triangulated. Again I will state that cell phones are immensely useful but not only to their owners. Combining the fact that cell phones are almost always on their owner, contain a vast amount of personal information about their owner, and have built-in cameras and microphones makes for devices that are great for spying on select individuals. While people can harp on the malls for implementing this technology ultimately it’s nothing new as your cell phone provider, whom I worry about far more, has the exact same information at all times (usually with some history of your past locations).

Companies Don’t Like Getting Caught Doing Shady Things

The company I mentioned a couple days ago that specializes in making root kit software for today’s smart phones isn’t taking the news about their little business being publicized very well:

A data-logging software company is seeking to squash an Android developer’s critical research into its software that is secretly installed on millions of phones, but Trevor Eckhart is refusing to publicly apologize for his research and remove the company’s training manuals from his website.

Though the software is installed on millions of Android, BlackBerry, and Nokia phones, Carrier IQ was virtually unknown until the 25-year-old Eckhart analyzed its workings, recently revealing that the software secretly chronicles a user’s phone experience, from its apps, battery life and texts. Some carriers prevent users who actually find the software from controlling what information is sent.

[…]

When Carrier IQ discovered Eckhart’s recent research and his posting of those manuals, Carrier IQ sent him a cease-and-desist notice, saying Eckhart was in breach of copyright law and could face damages of as much as $150,000, the maximum allowed under US copyright law per violation. The company removed the manuals from its own website, as well.

So Carrier IQ doesn’t like the fact that their little software has become very public. This is likely because people who have heard this news haven’t been taking it very well and I’m sure complaints have been rolling into the customer support lines of AT&T, T-Mobile, Verizon, and Sprint. While it sucks that Carrier IQ are such dicks that they have threatened legal action against Eckhart for bringing their shenanigans to light it’s good to hear Eckhart’s cavalry has arrived:

On Monday, the Electronic Frontier Foundation announced it had come to the assistance of the 25-year-old Eckhart of Connecticut, whom Carrier IQ claims has breached copyright law for reposting the manuals.

This is why I give money to the Electronic Frontier Foundation. Hopefully this case is quickly resolved so Eckhart can continue his research unmolested.

Oracle Submits One of the Dumbest Court Filings Ever Conceived

Oracle is a company I hold no love for. Their products never impressed me (probably because I have no need for a proprietary high-end database system) and I hate what they ended up doing with the products and services they obtained from the Sun Microsystems acquisition. Yet Oracle’s latest court filing really takes the cake:

Hewlett-Packard has secretly contracted with Intel to keep making Itanium processors so that HP can maintain the appearance that “a dead microprocessor is still alive”, and make money from its locked-in Itanium customer base and take business away from Oracle’s Sun servers, Oracle said in a court filing on Friday.

That’s right, Oracle is throwing a hissy fit because they believe Hewlett-Packard (HP) are secretly floating money to Intel in order to keep the Itanium processor alive. My question is this: who fucking cares? When one company gives another money in trade for a good or service that is called a transaction. As these transactions are agreements made between two entities neither is obligated to reveal the details to anybody else.

Why is Oracle wasting taxpayer money by bringing up the fact HP and Intel do business in court? This isn’t a secret, anybody with an HP computer knows this as it’s advertised by a sticker on the computer that says, “Intel Inside.” If HP is paying Intel money to continue production of the Itanium processor what does it matter? What justification is there for bringing up this fact in court?

Tactics to destroy competition like this are one of the many things wrong with the United States economic system. Were the state controlled courts willing to simply toss this type of stupidity out the door money would be saved by businesses throughout the country and that money could be put to productive use. Instead our economy is so intermingled with government that you can’t make a single move without filling out the correct form in triplicate and getting the expensive rubber stamp of approval. Our court system needs to stop being a mechanism for companies to destroy competition through monetary attrition.

One Major Kindle Headache

While I absolutely love the Kindle there is one improvement I would like to see, a way of copy and pasting a WPA key. I’m a little over the top when it comes to computer security so you know I’m one of those weirdos who uses a 63-character gibberish string for my WPA key. Needless to say this is a huge pain in the ass to enter when I want to attach my Kindle to my wireless network. With my iPhone and iPad I can simply e-mail the key to myself (as I run my own e-mail server the e-mail goes from my system to my system and thus never leaves my control), copy the key from the e-mail, and paste it in the wireless configuration screen on the device.

I wish Amazon would put in an easy workaround such as letting the user drop a plain text file containing their key in the root directory of the device. Anything would be better than having to enter in 63-characters of gibberish. With all of that said it is much easier to type in the key with the new touch screen Kindle than it was with the old Kindles.

Besides that the Kindle Touch is pretty awesome. I’ll eventually get a full review of the device up that better expresses my thoughts.

Cell Phones are the Greatest Spy Devices Ever Invented

Cell phones are one of the greatest double edged swords human beings have ever invented. They’re incredibly convenient communication devices that not only allow the possessor to make and receive phone calls but also send and receive e-mails, text messages, instant messages from various services, and almost any other data communication you can think of. Due to the amount of personal information we put into these devices they also make the greatest spy gadgets ever invented as they have a microphone, list of contacts, your recent e-mail messages, your current and previous locations, and other similar types of data. Because of the latter rootkits installed on phones are far more dangerous than those installed on personal computers, which is why this is unnerving news to say the least:

You may recall from a few articles back that we started talking about something called CIQ or Carrier iQ. This is, essentially, a piece of software that is embedded into most mobile devices, not just Android but Nokia, Blackberry, and likely many more. According to TrevE, the software is installed as a rootkit software in the RAM of devices where it resides. This software basically is completely hidden from view and is virtually invisible, and worst of all, rather complicated to kill (some devices more so than others and you will see why in a few minutes). This is given root like rights over the device, which means that it can do everything it pleases and you will have nothing to say about it.

Why do we go into this? Well, a while back I was having some conversations back and forth with TrevE regarding all the HTC’s PoCs that he has been working on, and he started wondering about CIQ, as according to him, was one of the worst things that he had found in HTC’s code. So, he decided to start digging a little into this and found out that there is much more to be said regarding this software than even manufacturers will dare say. It turns out that CIQ is not exactly what many people don’t see (as it is hidden), but it is rather a very useful tool for system and network administrators. The tool is used to provide feedback and relevant data on several metrics that can help one of the aforementioned admins to troubleshoot and improve system and network performance. Point and case, the app seems to run in such a way that it allows the user to provide the input needed via surveys and other things. To put things in a more visual way, this is what CIQ should look like

Carrier iQ is likely one of the most dangerous pieces of software in common use today. I do understand the great amount of benefit it gives to cellular providers but we all know anything accessible by said providers can also be accessed by the government, often without so much as a court order.

There is a second article that brings up some of the implications of this software being installed on many cell phones. To call such software a violation of privacy is being too nice, it literally allows third parties to spy on your every move and potentially listen in to your conversations. Smart criminals would have abandoned cellular phones while performing their ill-deeds long ago but intelligent people never follow the mantra of, “if you’re not doing anything wrong you have nothing to fear” in regards to potential surveillance.

It doesn’t look as though there is much that can be done about Carrier iQ without giving up the convenience of smart phones. Still it is smart to be aware of this technology so you can make the decision of what is more important: having the ability to communicate almost anywhere or a stronger guarantee of privacy.

A Trojan that Generates Bitcoins

It was bound to happen eventually but a trojan is now circulating for OS X that siphons a victim’s computing power and uses it to mine Bitcoins:

“This malware is complex, and performs many operations,” security researchers from Mac antivirus vendor Intego warned. “It is a combination of several types of malware: It is a Trojan horse, since it is hidden inside other applications; it is a backdoor, as it opens ports and can accept commands from command and control servers; it is a stealer, as it steals data and Bitcoin virtual money; and it is a spyware, as it sends personal data to remote servers,” they explained.

The Bitcoin mining program that DevilRobber installs on infected computers is called DiabloMiner and is a legitimate Java-based application used in the virtual currency’s production.

The one flaw in this trojan (besides requiring manual intervention by a user to get installed) is using a Java-based application to perform Bitcoin mining. Mac OS 10.7 doesn’t include Java by default and the user must manually install it if they want to run Java applications. While a prompt will appear asking the user if they want to install Java when they try to use a Java applet those are fairly uncommon at this point so the chances of a user running 10.7 having Java installed are actually pretty low.

Still the application appears to also seek out and steal Bitcoin wallets. I’m rather shocked that we didn’t see this kind of trojan come to the attention of network security sites before now. When I first looked into Bitcoin one of the first ideas that popped into my malicious thought filled head was how easy it would be to use a massive botnet to mine a great number of Bitcoins.