Tag: Technology

Technology Isn’t the Problem, You Are

Earlier this year several of Apple’s investors tried to pressure the company into working to combat iPhone addiction. This proposal makes sense, right? After all, Apple has created an addicting product so shouldn’t it take responsibility for its creation? No on both accounts. Why? Because Apple isn’t at fault, its users who have become addicted to its devices are:

I know intimately that if we want to achieve tech-life balance, people must start taking responsibility for their choices. No one is forcing consumers to buy an iPhone, use Facebook, stare at Twitch, masturbate to porn or any of the other millions of things you can do with technology. Every single one of those actions is a choice we make, and if there is one lesson from addiction treatment that everyone should hear it is that it is nearly impossible to help someone who doesn’t want help.

Apple isn’t forcing you to buy or use an iPhone. In fact, unlike government, no technology company is forcing you to use its product. Just like alcohol, you have a choice whether or not you use an iPhone, Facebook, Twitter, or any number of other technology products. If you’re an alcoholic, then you need to take responsibility for your actions. Likewise, if you’re addicted to a technology product, then you have to take responsibility for your actions.

Addiction isn’t a legal or technological problem. An addict will find ways to work around any external controls that are placed on them. Heroine addicts manage to get their fix even though their drug of choice is illegal. iPhone addicts will turn off or bypass any technological controls that Apple puts into place. Breaking an addiction requires an addict to first admit that they have a problem and then to personally take actions to break their addiction. The choice to overcome an addiction needs to be made by an addict, not by an outside party.

If Your Device Relies on the Cloud, You Don’t Own It

Towards the end of 2016 Pebble announced that much of it had been acquired by Fitbit. Since Pebble wasn’t doing well financially, news of it being acquired wasn’t surprising. However, Pebble fans had hoped that Fitbit was planning to continue the Pebble line. As is often the case with acquisitions, Fitbit was primarily interested in Pebble’s intellectual property, not its product portfolio. As part of the acquisition Fitbit promised to keep Pebble’s online services running for a while. Yesterday Fitbit announced the date it would be shutting down those services:

But for those who want nothing to do with Fitbit OS development and only care about how long their Pebbles will last, this news is bittersweet. According to Fitbit’s announcement, Pebble devices will continue to work after June 30, but these features will stop working: the Pebble app store, the Pebble forum, voice recognition features, SMS and email replies, timeline pins from third-party apps (although calendar pins will still function), and the CloudPebble development tool.

Pebble fans have been unhappy with the acquisition every since Fitbit announced that it was planning to shutdown Pebble’s online services. However, I think Fitbit was actually pretty decent about the entire thing since it left the online services running for as long as it did and even allowed Pebble developers to push some firmware updates to allowed existing Pebble devices to continue operating in some capacity without the online services. Unfortunately, even with those firmware changes, a lot of Pebble functionality will be crippled once Fitbit turns off the old Pebble servers.

So the lesson people should take away from this is that proprietary devices that rely on proprietary online services aren’t owned property, they’re temporarily licensed products. At any moment the manufacturer can decide to turn off the online services, which will effectively brick or reduce the functionality of the devices that rely on those services. Had the Pebble been an open source product the option would have at least existed for the community to develop new firmware and alternate online services to keep their Pebbles running.

Decentralized the Internet

I’m glad to see that other people are beginning to understand the need to decentralized the Internet:

Net neutrality as a principle of the federal government will soon be dead, but the protections are wildly popular among the American people and are integral to the internet as we know it. Rather than putting such a core tenet of the internet in the hands of politicians, whose whims and interests change with their donors, net neutrality must be protected by a populist revolution in the ownership of internet infrastructure and networks.

In short, we must end our reliance on big telecom monopolies and build decentralized, affordable, locally owned internet infrastructure. The great news is this is currently possible in most parts of the United States.

I’ve been saying this for years. If you want a feature like net neutrality, you have to control the infrastructure. Personally, I’d like to see a decentralized Internet that encrypts all traffic by default for both confidentiality and anonymity purposes. What people are calling net neutrality would be enforced by default on such a network because nobody could see the traffic to throttle or block it. However, it would come at a performance cost (TANSTAAFL).

One thing is certain, begging the Federal Communications Commission Fascist Communications Club (FCC) to enforce net neutrality isn’t a longterm solution as we’re seeing today. Under the Obama administration net neutrality was enforced by the FCC. Under the Trump administration it looks like it won’t be enforced. When the next administration comes into power it could go either way. Begging Congress isn’t any better because what one Congress passes a future Congress can eliminate.

Let’s Put a Remotely Accessible Computer in a Door Lock

Let’s put a remotely accessible computer in a door lock, what could possibly go wrong?

A HomeKit vulnerability in the current version of iOS 11.2 has been demonstrated to 9to5Mac that allows unauthorized control of accessories including smart locks and garage door openers. Our understanding is Apple has rolled out a server-side fix that now prevent unauthorized access from occurring while limiting some functionality, and an update to iOS 11.2 coming next week will restore that full functionality.

The Internet of Things (IoT) introduces all sorts of new and interesting exploits. These exploits range from minor, such as your lights turn colors, to severe, such as having your doors unlock for an unauthorized person. Unfortunately, since software is already incredibly complex and becoming more so every day it’s unlikely we’ll see secure IoT devices anytime in the near future. Fortunately, it appears that Apple caught this vulnerability and was able to patch it before it was actively exploited.

Venezuela Tries Its Hand at Creating a Failed Cryptocurrency

A cryptocurrency managed by the same regime that tanked the economy of a country that has vast natural resource wealth? I can’t see how this could possibly go wrong!

CARACAS (Reuters) – Venezuelan President Nicolas Maduro looked to the world of digital currency to circumvent U.S.-led financial sanctions, announcing on Sunday the launch of the “petro” backed by oil reserves to shore up a collapsed economy.

The leftist leader offered few specifics about the currency launch or how the struggling OPEC member would pull off such a feat, but he declared to cheers that “the 21st century has arrived!”

I’m doubting that we’ll see any technical white paper about the Petro since that would solidify implementation details and I’m guessing the Venezuelan government’s plan is to have a cryptocurrency it can change on a whim.

Physical Access Isn’t Necessarily Game Over

I swear Apple fanboys are some of the dumbest people on the planet. Quite a few of them have been saying, “If an attacker as physical access, it’s game over anyways,” as if that statement makes the root user exploit recently discovered in High Sierra a nonissue.

At one time that statement was true. However, today physical access is not necessarily game over. Look at all of the trouble the Federal Bureau of Investigations (FBI) has been having with accessing iOS devices. The security model of iOS actually takes physical access into account as part of its threat modeling and has mechanisms to preserve the integrity of the data contained on the device. iOS requires all code to be signed before it will install or run it, which makes it difficult, although far from impossible, to insert malicious software onto iOS devices. But more importantly iOS encrypts all of the data stored in flash memory by default. Fully encrypted disks protect against physical access by both preventing an attacker from getting any usable data from a disk and also by preventing them from altering the data on the disk (such as writing malware directly to the disk).

macOS has a boot mode called single user mode, which boots the computer to a root command prompt. However, if a firmware password is set, single user mode cannot be started without entering the firmware password. The firmware password can be reset on machines with removable RAM (resetting the password requires changing the amount of RAM connected to the mainboard) but most of Apple’s modern computers, some iMacs being the exception, have RAM modules that are soldered to the mainboard.

Physical access is especially dangerous because it allows an attacker to insert malicious hardware, such as a key logger, that would allow them to record everything you type, including your passwords. However, that kind of attack requires some amount of sophistication and time (at least if you want the malicious hardware to be difficult to detect), which is where the real problem with High Sierra’s root exploit comes in. The root exploit required no sophistication whatsoever. Gaining root access only required physical access (or remote access if certain services were enabled) to an unlocked Mac for a few seconds. So long as an attacker had enough time to open System Preferences, click one of the lock icons, and type in “root” for the user name a few times they had complete access to the machine (from there they could turn on remote access capabilities to maintain their access).

Attempting to write off this exploit as a nonissue because it requires physical access requires willful ignorance of both modern security features that defend against attackers with physical access and the concept of severity (an attack that requires no sophistication can be far more severe than a time consuming sophisticated attack under certain threat models).

The Fix for High Sierra’s Embarrassing Privilege Escalation Bug and the Fix for the Fix

Apple has already released a fix for its embarrassing privilege escalation bug. If you haven’t already, open the App Store, go to Updates, and install Security Update 2017-001. However, after installing that you may notice that file sharing no longer works. In order to fix this problem you need to perform the following steps:

  1. Open the Terminal app, which is in the Utilities folder of your Applications folder.
  2. Type sudo /usr/libexec/configureLocalKDC and press Return.
  3. Enter your administrator password and press Return.
  4. Quit the Terminal app.

In conclusion High Sierra is still a steaming pile of shit and you should stick to Sierra if you can.

Adaptability is an Established Military’s Greatest Weakness

You may have heard the phrase, “The military is always preparing to fight the last war.” Any military that has been established for a length of time seems to get dragged down by entrenched ideologies and traditions. This leads them to become very rigid. The United States military is a great example of this. During its War on Terror it has clung to its usual tactics, which work well against other large national militaries but are more or less useless against asymmetrical tactics. It has also proven incompetent at information security, which is no a major component in warfare:

After uncovering a massive trove of social media-based intelligence left on multiple Amazon Web Services S3 storage buckets by a Defense Department contractor, the cloud security firm UpGuard has disclosed yet another major cloud storage breach of sensitive intelligence information. This time, the data exposed includes highly classified data and software associated with the Distributed Common Ground System-Army (DCGS-A), an intelligence distribution platform that DOD has spent billions to develop. Specifically, the breach involves software for a cloud-based component of DCGS-A called “Red Disk.”

Don’t get me wrong, I’m all for government transparency and appreciate the military’s current, albeit accidental, dedication to it. However, from a strategy standpoint this is pretty damned pitiful.

macOS High Sierra is Still Terrible

macOS High Sierra may go down in the history books as Apple’s worst release of macOS since the initial one. Swapping the graphical user interface to use the Metal API wasn’t a smooth transition to say the least but the real mess is in regards to security. There was a bug where a user’s password could be displayed in the password hint field so logging in as a malicious user only requires entering a user’s password incorrectly to trigger the hint field. But yesterday it was revealed that the root account, which is normally disabled entirely, could be activated in High Sierra by simply typing root into the user name field in System Preferences:

The bug, discovered by developer Lemi Ergin, lets anyone log into an admin account using the username “root” with no password. This works when attempting to access an administrator’s account on an unlocked Mac, and it also provides access at the login screen of a locked Mac.

The only good news is that you can defend against this bug by enabling the root account and giving it a password.

The security mistakes in High Sierra are incredibly amateur. Automated regression testing should have caught both the password hint mistake and this root account mistake. I can only assume that Apple’s quality assurance department took the year off because both High Sierra and iOS 11 are buggy messes that should never have been released in the states they were released in.

There’s Hope for the Internet of Things

Granted, it’s not a lot of hope but it seems like some consumers are actually holding off on buying Internet of Things (IoT) products due to security concerns:

Consumers are uneasy about being watched, listened to, or tracked by devices they place in their homes, consulting firm Deloitte found in a new survey it released Wednesday. Thanks to such discomfort, consumer interest in connected home home technology lags behind their interest in other types of IoT devices, Deloitte found.

“Consumers are more open to, and interested in, the connected world,” the firm said in its report. Noting the concerns about smart home devices, it added: “But not all IoT is created equal.”

Nearly 40% of those who participated in the survey said they were concerned about connected-home devices tracking their usage. More than 40% said they were worried that such gadgets would expose too much about their daily lives.

IoT companies have been extremely lazy when it comes to implementing security, which is a huge problem when their devices provide surveillance capabilities. If enough consumers avoid purchasing insecure IoT devices, IoT companies will be forced to either improve the security of their devices or go into bankruptcy.

Apple has done a good job at easing consumer’s security concerns with its biometric authentication technology. When Touch ID was first introduced, a lot of people were concerned about their fingerprints being uploaded to the Internet. However, Apple was able to east these concerns by explaining how its Secure Enclave chip works and how users’ fingerprints never leave that secure chip. The same technology was used for Face ID. IoT companies can do the same thing by properly securing their products. If, for example, an Internet accessible home surveillance device encrypted all of the data it recorded with a key that only the users possessed, it could provide Internet accessible home surveillance capabilities without putting user data at risk of being accessed by unwanted personnel.