Manufacturer Included Malware

When we buy a computer we are necessarily trusting the manufacturer to some extent. One of the things we trust the manufacturer to do is deliver a system free of malware. This trust isn’t always properly placed, since many manufacturers include a lot of software that is indistinguishable from malware, but we usually trust the manufacturer to not make that malware persistent. What happens when the manufacturer not only includes malware but also makes it so persistent that a clean installation of Windows won’t remove it?

Windows 8 and Windows 10 contain a surprising feature that many users will find unwelcome: PC OEMs can embed a Windows executable in their system firmware. Windows 8 and 10 will then extract this executable during boot time and run it automatically. In this way, the OEM can inject software onto a Windows machine even if the operating system was cleanly installed.

The good news is that most OEMs fortunately do not seem to take advantage of this feature. The bad news is that “most” is not “all.” Between October 2014 and April of this year, Lenovo used this feature to preinstall software onto certain Lenovo desktop and laptop systems, calling the feature the “Lenovo Service Engine.”

[…]

Making this rather worse is that LSE and/or OKO appear to be insecure. Security issues, including buffer overflows and insecure network connections, were reported to Lenovo and Microsoft by researcher Roel Schouwenberg in April. In response, Lenovo has stopped including LSE on new systems (the company says that systems built since June should be clean). It has provided firmware updates for affected laptops and issued instructions on how to disable the option on desktops and clean up the LSE files.

This is an example of a manufacturer using a legitimate feature for nefarious purposes. The feature, as far as Microsoft intended it, was meant to be an anti-theft measure:

And in its own awful way, it’s a feature that makes sense. The underlying mechanism is simple enough; the firmware constructs tables of system information when the machine boots. The operating system then examines these tables to, for example, learn what hardware is installed in the machine and how it is connected. This is all governed by a specification called ACPI, Advanced Configuration and Power Interface. Microsoft defined a new ACPI table, the Windows Platform Binary Table (WPBT), that contains information about a firmware-embedded executable. When it boots, Windows looks for a WPBT. If it finds one, it copies the executable onto the filesystem and runs it.

The primary purpose of WPBT is the automatic installation of anti-theft software. This kind of software typically does a couple of things that require online connectivity: it can phone home to check if it’s been reported stolen (and brick or otherwise disable itself if it has), and it can phone home to simply report where it is to aid recovery of lost or stolen hardware.

Instead Lenovo used it to ensure the pre-install software that comes with the laptop, which was insecure, would always be installed even if the user did a clean install with a Windows disc. That’s pretty scummy behavior. Fortunately Lenovo appears to have stopped doing this but trust, as far as I’m concerned, has already been breached.
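The table lookup described in the quoted passage can be checked from the defender's side. The following Python example is added here and is not code from this post or the quoted article: it decodes a raw WPBT using the standard 36-byte ACPI header followed by the WPBT fields (binary size, physical address, layout, type, command-line arguments) and validates the ACPI checksum. The Linux sysfs path is an assumption about the host, and the sample table and all its values are constructed.

```python
import struct
from pathlib import Path

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")    # standard 36-byte ACPI table header
WPBT_BODY = struct.Struct("<IQBBH")              # size, phys addr, layout, type, args length
ARGS_OFFSET = ACPI_HEADER.size + WPBT_BODY.size  # arguments start at byte 52
LINUX_WPBT = Path("/sys/firmware/acpi/tables/WPBT")  # absent when no WPBT is published


def parse_wpbt(raw: bytes) -> dict:
    """Decode a raw WPBT table; raise ValueError if it is malformed."""
    if len(raw) < ARGS_OFFSET:
        raise ValueError("too short for a WPBT")
    sig, length, _rev, _sum, oem_id, oem_table, *_ = ACPI_HEADER.unpack_from(raw)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if not ARGS_OFFSET <= length <= len(raw):
        raise ValueError("header length field is inconsistent with the data")
    raw = raw[:length]
    size, addr, layout, ctype, args_len = WPBT_BODY.unpack_from(raw, ACPI_HEADER.size)
    if ARGS_OFFSET + args_len > length:
        raise ValueError("argument length runs past the end of the table")
    args = raw[ARGS_OFFSET:ARGS_OFFSET + args_len].decode("utf-16-le", "replace")
    return {
        "oem_id": oem_id.decode("ascii", "replace").strip("\x00 "),
        "oem_table_id": oem_table.decode("ascii", "replace").strip("\x00 "),
        "checksum_ok": sum(raw) % 256 == 0,   # all table bytes must sum to 0 mod 256
        "binary_size": size,                  # size of the firmware-embedded executable
        "binary_phys_addr": addr,             # where firmware placed it in memory
        "content_layout": layout,
        "content_type": ctype,
        "arguments": args.rstrip("\x00"),     # command line handed to the executable
    }


def build_sample_table() -> bytes:
    """Constructed WPBT for the demo; every value here is made up."""
    args = "/demo\x00".encode("utf-16-le")
    header = ACPI_HEADER.pack(b"WPBT", ARGS_OFFSET + len(args), 1, 0,
                              b"EXAMPL", b"SAMPLETB", 1, b"TEST", 1)
    body = WPBT_BODY.pack(0x20000, 0x7F000000, 1, 1, len(args))
    table = bytearray(header + body + args)
    table[9] = -sum(table) % 256   # checksum byte sits at offset 9 of the header
    return bytes(table)


def check_host(path: Path = LINUX_WPBT):
    """Return parsed WPBT fields for this machine, or None if none is exposed."""
    return parse_wpbt(path.read_bytes()) if path.exists() else None


if __name__ == "__main__":
    print("sample:", parse_wpbt(build_sample_table()))
    print("host:  ", check_host() or "no WPBT table exposed by firmware")
```

Reading the sysfs table normally requires root. A result of `None` from `check_host()` means the firmware did not publish a WPBT to the booted kernel.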

Peripherals Are Potentially Dangerous

Some auto insurance companies are exploring programs where customers can receive reduced rates in exchange for attaching a dongle to their vehicle’s on-board diagnostics (OBD) port. The dongles then use the diagnostics information provided by the vehicle to track your driving habits. If you’re a “good” driver you can get a discount (and if you’re a “bad” driver you’ll probably get charged more down the road). It seems like a good deal for drivers who always obey speed limits and such but the OBD port has access to everything in the vehicle, which means any dongle plugged into it could cause all sorts of havoc. Understandably auto insurance companies are unlikely to use such dongles for evil but that doesn’t mean somebody else won’t:

At the Usenix security conference today, a group of researchers from the University of California at San Diego plan to reveal a technique they could have used to wirelessly hack into any of thousands of vehicles through a tiny commercial device: A 2-inch-square gadget that’s designed to be plugged into cars’ and trucks’ dashboards and used by insurance firms and trucking fleets to monitor vehicles’ location, speed and efficiency. By sending carefully crafted SMS messages to one of those cheap dongles connected to the dashboard of a Corvette, the researchers were able to transmit commands to the car’s CAN bus—the internal network that controls its physical driving components—turning on the Corvette’s windshield wipers and even enabling or disabling its brakes.

“We acquired some of these things, reverse engineered them, and along the way found that they had a whole bunch of security deficiencies,” says Stefan Savage, the University of California at San Diego computer security professor who led the project. The result, he says, is that the dongles “provide multiple ways to remotely…control just about anything on the vehicle they were connected to.”

I guarantee any savings you get from your insurance company from attaching one of these dongles to your OBD port will be dwarfed in comparison to the cost of crashing your vehicle due to your brakes suddenly being disabled.

This is a perfect example of two entities with little experience in security compounding their failures to create a possible catastrophe. Automotive manufacturers are finally experiencing the consequences of having paid no attention to the security of their on-board systems. Insurance agencies now have a glimpse of what can happen when you fail to understand the technology you’re working with. While a dongle that tracks the driving behavior of customers seems like a really good idea, if that dongle is remotely accessible and insecure it can actually be a far bigger danger than benefit.

I wouldn’t attach such a device to my vehicle because it creates a remote connection to the vehicle (if it didn’t, the insurance companies wouldn’t have any reliable way of acquiring the data from the unit) and that is just asking for trouble, as this story shows.

Nothing to See Here

My Kindle Voyage arrived last night so I was playing with that instead of blogging. Admittedly it’s expensive but holy hell is it a wonderful reading device. The screen is really nice (at least compared to my first generation touch screen Kindle) and the back light doesn’t interfere with the e-paper legibility. Did I mention the return of the page flip buttons? I missed those and am glad they’re back. If you read a lot I highly recommend this thing.

Since Goodreads is integrated with the Voyage I created an account. If you want to know what I’m reading and what I’ve read you can follow me here (hint: it’s almost all science fiction and history).

The Future is Here

If there are any questions about my belief that technological advancements will save us before political actions this story should answer them:

Snuggly situated in an industrial section of Oakland, CA is Next Thing Co. a team of nine artists and engineers who are pursuing the dream of a lower cost single board computer. Today they’ve unveiled their progress on Kickstarter, offering a $9 development board called Chip.

The board is Open Hardware, runs a flavor of Debian Linux, and boasts a 1GHz R8 ARM processor, 512MB of RAM, and 4GB of eMMC storage. It is more powerful than a Raspberry Pi B+ and equal to the BeagleBone Black in clock speed, RAM, and storage. Differentiating Chip from Beagle is its built-in WiFi, Bluetooth, and the ease in which it can be made portable, thanks to circuitry that handles battery operation.

$9 for a computer with a 1GHz processor, 512MB of RAM, and 4GB of storage? And it runs Linux? Sign me up! I never thought I’d live to see this day. My family’s first computer, and we came to the computer game fairly late, was a real piece of shit 3.11 machine and must have cost at least $2,000 or $3,000. Back then the idea that a computer would be available for $9 was inconceivable.

This is another example of the market providing real solutions to real problems. Is there any wonder why us market anarchists have more faith in it than politicians who seem incapable of identifying, let alone solving, real problems?

Got $17,000 Burning a Hole In Your Pocket? Apple Can Help!

Yesterday Apple unveiled a new MacBook and released more details about the Apple Watch. The new MacBook certainly qualifies as a fantastic feat of personal electronics manufacturing. However having only a single port on the entire device makes it useless to me. One USB Type-C port that also doubles as the charging port means attaching accessories to the laptop will be impossible. I think Apple really missed the mark by not having the power adapter integrate a USB Type-C hub. None of this matters though since I’m not the intended audience for the laptop.

The Apple Watch appeared to be the star of the show even though I found it underwhelming when compared to the new MacBook. Apple announced that its watch would have a paltry 18 hour battery life based on estimations of average usage (but we have no idea what it estimates to be average usage so the measure is meaningless). However pricing was announced and if you have $17,000 burning a hole in your pocket Apple is here to help.

People have been comparing the luxury Watch Edition of the Apple Watch to high end watch manufacturers such as Rolex, Jaeger-LeCoultre, and Patek Philippe. I feel that there’s a major difference that people making the comparison are leaving out. When you drop ten grand or more on, say, a Rolex you have a timepiece for life. Hell, you have a timepiece for the life of your children and their children. There is also resale value. Dropping ten grand or more on the Apple Watch will net you an electronic device that will be outdated next year and that will pretty much eliminate its resale value. I also have my doubts that the Apple Watch will be as serviceable as watches from well known watchmakers (there are skilled watchmakers that still service decades old Submariners, for example). Even if you do pass down an Apple Watch it’s unlikely getting a replacement battery in 30 years will be feasible. So I don’t think comparing the Apple Watch to established watchmakers is a terribly good idea.

In the end I don’t see the Apple Watch selling terribly well but few people have made money betting against Apple since Steve Jobs took the reins back. That new MacBook will probably sell like hotcakes though. People want thin laptops and the new MacBook is certainly thin.

Everybody is In On the Surveillance Game

This has been a bad week for my laptop. Last week my battery gave up the ghost. On Sunday the hard drive died. Finally on Monday the spare hard drive I swapped into the laptop committed seppuku. Since the hard drive I dropped in on Sunday night was my last spare drive I had to make a trip to the local computer parts emporium to acquire another one. While searching through the hard drives I came across something rather funny:

[Image: western-digital-surveillance]

That must be Western Digital’s National Security Agency (NSA) edition hard drive.

Also, as a side note, when it comes time to choose a name for your laptop don’t choose Loki. Just throwing that out there.

Another Problem Easily Avoided By Not Wearing Skinny Jeans

Apple made a major design oversight with its latest iPhone. It seems that the phone does not get along with skinny jeans:

It was only a matter of time before the monstrosity known as the iPhone 6 Plus started causing problems. Today, word is getting out that the 5.5-inch phone may be vulnerable to unplanned situational curvature.

In other words, the phones are bending, and they’re not supposed to bend. They bend because people are putting them in their pockets, then sitting down, which is a reasonable thing to do. Call it Apple’s #Bendghazi, if you will. Or #Bendgate

This entire fiasco is pretty funny to me because I wear tactical mall ninja pants. My pockets are literally large enough to stuff .308 magazines into. There’s so much extra room in most of my pockets that I can sit down comfortably with .308 magazines stuffed into them. Nothing presses tightly against my skin and therefore isn’t likely to bend. But the trend today seems to be tighter and tighter pants with vestigial pockets that, like the front limbs on a Tyrannosaurus rex, are technically there but functionally useless.

OK, I’m half joking there. I’m sure many of the iPhone 6s that have been bent weren’t left half hanging out of a vestigial pocket on a pair of skinny jeans. The real problem here is that people got exactly what they wished for. That is to say people have been demanding thinner phones with larger displays. While this sounds like a great combination you run into the real structural limitations. Namely the materials that make up a phone (glass, plastic, and aluminum) aren’t flexible, but if you make them too thin they also aren’t strong enough to resist much force. Combine that with a larger surface area to exert force against and you have the recipe for a pretty flimsy piece of shit.

Be careful what you wish for because you may just get it.

Why I Like Night Sights

Somebody went and did it. Somebody upset the cosmic balance in the gun community by questioning ancient scripture. Via the Firearm Blog I came across a post that argues against night sights being a necessity. This is much more interesting than the caliber wars because you don’t often see people arguing over whether or not night sights are a must, their necessity is usually taken as a given. I encourage you to read it and keep an open mind because the author makes some good points. With that said, I’m going to explain my primary purpose for having night sights on my defensive firearms.

I’m not a fan of spending more money for night sights. But I have a condition which makes night sights handy. That condition is shitty eyesight, namely myopia. Without corrective lenses I can’t see fine detail out further than six or so inches. The notches that make up my rear sight blur together to create a rectangular blob sitting on top of my handgun, which makes picking out a black front sight practically impossible. But make the sights glow, specifically make the rear sights glow a different color from the front sight, and I can distinguish front from back and do a halfway decent job of aligning them. While my nearsightedness makes it practically impossible to distinguish the black rectangular blob on the rear of the gun from the black rectangular blob on the front of the gun I can distinguish the two orange blobs from the green blob.

Fortunately my nearsightedness doesn’t make seeing gross detail nearly as difficult. I can see well enough to determine if the person in front of me is holding a weapon and acting in a threatening manner. My low light vision is also surprisingly good (the light from a digital clock is usually enough for me to make out notable detail in a room). So my primary limitation in a low light self-defense situation is seeing the sights because they’re really tiny.

I do carry a flashlight on me because flooding an aggressor with a 200 lumen light will probably blind him for a bit and will certainly make him very visible to me. A good flashlight or weapon mounted light is more valuable, in my opinion, than night sights when dealing with a low light defensive situation. Laser sights are also good tools in my opinion since I can see a green blob on a target even better than two orange blobs and one green blob on top of my gun. The only reason I don’t have a laser/light combination mounted on my defensive firearm is because I can’t find a combination of a holster and sight with a green laser that I like (and I need green specifically because my eyes don’t pick up the wavelength most red lasers use very well). For my needs night sights are very useful, green laser sights are greatly appreciated, and really bright lights are awesome. But as always your situation probably differs from mine and your mileage will vary.

Yesterday’s Apple Announcement

There isn’t much else worth writing about so I’ll fill some space by giving a quick summary of yesterday’s Apple announcements.

First Apple introduced us to the new iPhone 6. It’s thinner and faster, just like every other iPhone. But here’s the twist, there are two screen sizes. The first, dubbed the iPhone 6, is slightly larger than the current iPhone. But Apple saved the best for last because the company has finally released a phone that is big enough to be impractical to carry around and it’s calling it the iPhone 6 Plus. Now Apple users can experience the joy of a phone that’s too big to fit in most pockets but too small to be a useful tablet.

Next Apple announced Apple Pay. I think the name explains it quite well, it’s Apple’s new payment system. This looks interesting simply because current credit and debit card security in this country is a joke. When it can be used everywhere credit cards are accepted I will probably take a bigger interest.

Finally Apple’s big announcement, the Apple Watch, made everybody at the event euphoric. Basically it’s the ugliest device Apple has released since I started using the company’s products. Seriously. It’s really fucking ugly. On the upside it does pack a lot of features into its hideous shell. The watchband is easily removed and replaced with other Apple Watch compatible bands because using standard watchbands would be too much to ask for. As expected it uses inductive charging, contains a heartbeat monitor, and a gyroscope. You interface with the watch via the crown, which scrolls shit when you turn it and dumps you back to the home screen when you press it in. There’s also another button on the side that brings up your contacts. Oh, I almost forgot, it also has a touchscreen, which renders all of the hardware controls pretty pointless. One of the big questions with any smartwatch is how long the battery lasts. Well Apple totally didn’t mention that so we have no idea. But come 2015 you will be able to get your hands on one for the low price of $349.00. Or for just a little bit more you could buy a Hamilton Khaki Field watch, which nets you a nice looking piece with a mechanical movement. Your choice.

After the Apple Watch announcement I began to suspect that Apple was trolling everybody at the event. My suspicions were confirmed when Apple subjected every poor son of a bitch at the event to U2. Talk about adding insult to injury. Oh, and U2 announced another shitty album. But it seems that the band finally realizes that its music is shitty because you can get it free on iTunes, which is too high of a price if you ask me.

The Vatican Armory

By today’s standards the Vatican’s Swiss Guard look goofy as fuck. While their purple and yellow uniforms look as out of place in today’s world as plated mail, their weapons, at least the ones stored in the armory, are pretty modern:

Rifles of the Swiss Guard have long been whatever is standard with the Swiss Army. Since 1990, that has meant the SIG SG550 rifle. This 5.56mm NATO select-fire rifle has a 20.8-inch barrel and is one of the most accurate and reliable modern combat rifles. Its 30-round clear lexan magazines clip together like ‘jungle mag’ style for rapid exchanges. The Guard owns both the standard StW90 rifle variant and the SG 552 Commando model (with 8.9-inch barrel, 19.8-inches overall with stock folded). With the Swiss military tradition of marksmanship, it’s guaranteed that these soldiers can use them if needed.

[…]

In the 1970s, these guns were augmented by HK MP5s from West Germany, one of the first instances of the Guard using non-Swiss made guns. Today the Guard now carries the ultra-modern HK MP7 PDW chambered in 4.6×30mm. This is a good choice as these same types are used by US Navy Seals, German GSG9 and just about anyone who doesn’t agree with Jerry Tsai.

The article has many pictures of the Swiss Guard and the armory, which is full of both modern and historical weaponry. Where else in the world will you see rifles like this:

[Image: on the same rack are SIG SG 550s with double magazines]

alongside plate armor like this:

[Image: the armory of the SG contains many sets of actual armor]

The Vatican’s Swiss Guard even have Glock 19s with the Vatican seal imprinted on the slide (you can’t go to Hell for shooting somebody with one of those, right). I would love to have an opportunity to tour the centuries of history that that armory (and the Vatican itself) contains.