Re: If Only Google Could Get A Handle On Their Own Security Problems
Re: paragraph 2 - various third party apps can do all of that.
Some of them may require the device to be rooted.
And yanno what's funny about using VirusTotal to do your malware check?
Google owns it. :D
It's trendy to bash antivirus (especially when you have your own axe to grind), but it reminds me of all the dimwits who breezily proclaimed on January 1, 2000 that the Y2K computer problem was obviously a big hoax because the world didn't come to an end that day. (Conveniently forgetting that the world had spent decades and billions of dollars/pounds updating everything precisely so that would NOT happen.)
Oftentimes when a security measure is this ubiquitous people in ivory towers who have enough advanced knowledge and skills that they don't personally need to rely upon such measures make dumb sweeping proclamations about everyone else.
I haven't used A/V on most of my personal boxes for decades (except Android where eg the available web browsers are too unsophisticated to be capable of being configured securely and Google has a lousy track-record of letting malware/spyware into its appstore), but I would never dream of advising one of my clients to do the same.
I sympathize with both parties. A company in IBM's position can absolutely have a legitimate concern that keeping the worst parts (eg exploit code) offline during the initial disclosure will prevent some of their customers from being exploited. Perhaps after some nominal timeframe they can "un-embargo" it.
And while full disclosure is a nice philosophical goal, I've seen more than my fair share of "security researchers" over the years who seem more determined to make a name for themselves by releasing documentation and tools to facilitate widespread malicious behavior via copycats than they truly seem interested in improving the security of the digital world.
I don't know what category Maurizio Agazzini comes under. But likewise, not every company that thinks in the way IBM is here is automatically some cartoonish caricature of the sleazy, profit-hungry monster that only cares about their bonuses and golden-parachutes.
Given that OVH is one of the very largest hosting providers in the world (especially free or cheap hosting, thus they have more than their share of miscreants as customers), and given that Level3 operates one of the very largest "Tier one" transit networks in the world - statistical probability suggests that yes, it was probably a coincidence.
Then you may want to have that olfactory sampler of yours examined for proper function.
All it would take is a casual look at my comments here over the years (including other ones right here in this thread) for you to figure out just how wrong you are about that.
I'd say there's a good chance I started soldering electronic things together before you were born, given the demographics of this website.
So yeah, I'm a total beginner at this stuff.
The statistical risk of damage to a $10 surface-mount component when attempting to de-solder it from a circuit board is exactly the same whether it's one of a dozen junk phones you are casually tinkering-with in your garage or a key piece of potential evidence in a massive and highly time-sensitive international terrorism investigation where failure is not an option. (Which for some reason you have also been asked to perform in that garage lab of yours)
But the stakes in the latter are about 1,000,000 times higher. Which is why you don't send such high-value evidence to tinkerers to play around on in their garage lab for 6 months. And the price of such an operation varies accordingly.
Actual high-security/low-production devices such as those used in top-secret roles eg military and by national-security officials, often have just such countermeasures.
But it would be corporate suicide for a company to build a product that sells at the scale of hundreds of millions per year, which is essentially 100% un-repairable.
Especially since the vast majority of end-users don't give a rat's behind about security and privacy anyway. (If they did, companies like Facebook wouldn't exist)
Re: "Not so amateur"
What you offer as 'proof' says that he's an academic, not a professional forensic technician.
As I wrote previously, the constraints of an actual, high-profile forensic investigation of a very high-profile, high-value piece of evidence are vastly different than what a guy tinkering in his home lab (while probably destroying many phones in the process) is under. Has nothing to do with his smarts or abilities, has everything to do with A) being able to guarantee success within a certain timeframe, and B) being able to guarantee that even if he doesn't succeed, he doesn't destroy the evidence in the process.
For every Skorobogatov that proudly announces he's come up with a successful hack, there are probably at least 100 people that tried and failed. Which one of those 100 should the FBI have hired instead of Cellebrite or whoever they did hire? John McAfee? :D
And how much was it worth it for them to have an answer in March, rather than waiting 6 months for the tinkerer to come up with a successful hack?
Skorobogatov claims it took him 4 months, but it's nearly 10 months since the FBI got their hands on Farook's iPhone.
Except the little fact that the article author claims that the FBI overpaid by "$999,900" - valuing the amateur hacker's work at exactly $100. (In fact, valuing their labor at "zero", and only accounting for their out of pocket cost for hardware. Which is uhh, rather sensationalist.)
All that said: I'm no apologist for the FBI, or Comey in particular who I think is a lying/deceptive piece of sh.... But the premise of the article doesn't "prove" that the FBI overpaid "$999,900". (See my previous comment)
They probably overpaid, and overpaid by a lot, and trumped-up the figure to make headlines. But they could not have done it in a proper way for $100, either.
It's also telling that we never heard a peep from the FBI later about what they had actually found on the device - which likely corroborates the opinion of various people who said prior to the hack being announced that it was highly unlikely that there was anything of value on the phone anyway. (It was his work phone, he already destroyed his personal phone.)
You can't compare the work of some amateur that values their time and expertise at 'zero' - and who spends months working on the hack, along with probably destroying dozens of phones in the process, to an actual forensic investigation of a highly valuable piece of evidence.
When you desolder the chip that holds all the memory of the device from the board, there is a huge risk that you damage the chip beyond repair and then everything that might have been on it is lost, whether or not you eventually figure out how to extract data from similar chips.
For a certain class of person, the only possible explanation for a person who has revealed widespread injustices, lies and governmental abuses and thus rattled feathers in high-places (and is therefore on the run from governments determined to punish him for that) is that he is a self-aggrandizing attention seeker.
I think such pre-determined conclusions say more about their worldview than his.
Thank goodness for so many of those "attention-seekers" over the millennia that had the perspicacity and conviction to force society to make important changes that ultimately became the human race's heroes.
But no, in this case, we keep hearing instead that he's just an "attention seeker".
If so, that's an attention-seeker we could use more of.
Actually the Swedish allegations have always been weak and questionable, and the Swedes already had a chance to question him about the allegations, which they did, and they cleared him to leave the country.
Sorry but for those who have actually reviewed the actual history in detail and who don't have some kind of in-built bias against the guy, the whole matter stinks to high heaven.
"...any links to actual evidence that Yelp offers such quids pro quo?"
Yes, they do. But here's how they do it:
At the top of every review today, Yelp now proudly states:
"Your trust is our top concern, so businesses can't pay to alter or remove their reviews. Learn more."
No, they don't technically "remove" negative reviews, they hide them. Which is the go-to tactic these days for online "review pages": the vast majority of people do not have the motivation or drive to seek out anything but the stuff right at the top of any page they are viewing. If a company like Amazon or Google Play systematically put the positive reviews of a product or service right at the top, 99% of people will never read anything but those positive reviews.
So they hide the ones their advertised businesses don't like. Take a look here: http://imgur.com/a/qaEjB
That's an example from today, using a desktop browser. Note how they hide the bad reviews and call them "Not Recommended", at the very bottom of the page (there are 20 reviews per page) in small, faint grey text with a tiny dropdown button. And I'm not sure that "unhide" feature is even available to people using a mobile to view reviews. (Probably the majority of Yelp users these days)
Sleazy, absolutely. Pity it's not thought of as illegal here in Capitalism Central.
I remember the days when Yelp was much more useful. Now you have to be very careful to not get misled by the reviews.
If the "per capita" absolute amount of dollars/pounds/etc paid in income tax annually by a billionaire is higher than what a dishwasher at a fish and chips shop pays annually, is that supposed to be some kind of shocking and satisfying revelation of fairness?
As Warren Buffett (considered to be one of the most highly respected US investors and one of the wealthiest in the world) has pointed out on numerous occasions, there is something very wrong with the fact that his personal tax rate is far lower than his personal secretary's.
In short: the wealthy have the attitude and the means to find ways to escape the kind of taxation rates that most of the populace pay. That generally comes down to political power and the resources that capital allows them to expend on the matter.
In the case of companies like Apple and Google, most of what they have been doing with tax-jurisdiction shopping is actually legal in the USA. It only became a hot-button issue after western countries were financially crippled post-2008 and looking for scapegoats.
The way I see it there are 2 major issues: the laws that allowed such practices to flourish in the first place (tell the politicians and banksters to solve those - and good luck with that), and the fact that globalized tech companies like Apple and Google which deal heavily in digital 'intellectual property' make it quite trivial to move capital around, since most of their assets are ephemeral and not physical. (In addition to the IP assets, the vast majority of their manufacturing is outsourced to other entities)
The EU apparently wants to retroactively penalize Apple and make them a high-profile media pariah, but if it was such a big issue going back 10 years in their own backyard, the EU should have dealt with it themselves 10 years ago by making sure member states like Ireland could not grant companies like Apple these low or zero-tax incentives. Instead of waiting 10 years and then trying to make a media circus out of it to deflect attention from their own failings.
Considering that FIPS 140-2, IIRC, includes as part of the standard such ignominious technologies as DUAL_EC_DRBG, that certification just doesn't have the same ol' shine it used to, for some people..
Best be going now..
Mexico also being the second nation in North America which refers to themselves as "United States" (..of Mexico), for almost as long as the USA. (47 years less, to be exact. Almost 200 years now.)
I gleefully attract many cross-eyed looks and grimaces by pointing out such inconvenient facts and using terms like "Yanks" or "USians" when referring to US residents.
Apple Cart Upsetter in Chief
I don't normally read Reddit. But the stuff I read yesterday on Reddit was like a bunch of petulant children that have already made their minds up that TeamViewer (you know, the company that's been giving away a fabulously useful, stable and reliable product to people for years now) is the Big Evil Satan.
As for the snippet you quoted: TV's new permission notification thing should stop any bruteforcing dead in its tracks.
Also do not forget that there was a trojan discovered last month that exploited the TeamViewer client by bundling it with the trojan and using it to create a proxy reflector. TV might want to look into how they can harden their client to make it more difficult for it to be exploited in that way.
I just read about what the "TeamViewer trojan" is - seems that they were not just bundling TeamViewer with the malware, they seem to have exploited its functionality in a certain way to facilitate their hack:
Including hiding any obvious presence of TeamViewer on PCs so compromised machines are less obvious.
Perhaps it's time for TeamViewer to add countermeasures to their code to make it harder to hijack it in this way.
I'm inclined to agree with this.
TeamViewer is a VERY widely used app, there are all sorts of ways it could be falsely implicated, including this KNOWN issue where some miscreants are bundling it with a trojan and then using it to further exploit the already-trojaned system.
TeamViewer has done the world a great service by allowing millions of people to use this excellent product for free for years now. But as with any widely-used free product that does things online, miscreants often exploit those tools for their own sleazy purposes.
SMDH that some people here immediately assume that TV is at fault with no actual specific evidence, and then talk about the "superiority" of tools like VNC which, for many years, had the worst security in the world. (eg, NO encryption whatsoever unless you created your own encryption tunnel to pass its traffic through, and most people never bothered)
Data breaches have become so ridiculously common lately that the likelihood of someone NOT having had their data compromised in one of them is getting smaller and smaller. The entire voting population of Mexico was one such recent example.
"Please allow an extra 2 days incoming transit time as all incoming shipments are routed through the NSA's logistics center."
Actually he described DDG as "Google scraping", eg, uses Google search results.
Which would explain that particular bit, but I was actually not of the impression that DDG used Google as a source. I thought they pulled their results from a variety* of sources, including their own spider.
*(~400 sources, was the figure I recall. Neither do I think Google is amongst them.)
Thanks. Well who knows, then. All sorts of complicated voodoo going on with Google's search, that much seems certain.
One thing I would have tried was just to use the acronym and see what kind of results show up. And then add additional terms until the results disappear.
The dumbing-down of search engines over the last 10+ years has left us with a situation where the majority of the popular ones (except Google, interestingly) completely ignore double-quotes as a way of trying to specify only a specific string of words in a particular order.
So the first problem is that the non-Googly services are likely interpreting your query entirely differently than how Google does.
And then of course there's the infamous "tunnel vision" issue with Google and others serving you customized results. Are you searching from a clean device/browser, cookies cleared, not logged-in to any other Google services/sites?
I just discovered that BBM is now offering "private chat" for free, which used to be part of their add-on privacy subscription. (Along with message retraction/editing, photo retraction, etc)
Private chat is a snapchat-like service where when you enter such a chat your username becomes invisible, history is not retained, timestamps are not visible, and screenshots are blocked or send a notification to the other party.
Perhaps Andrew mistook that for BBM Protected?
@AndrewOrlowski - in the article you claim:
"...making all of its goodies available for free, including secure encrypted chat."
Are you saying that BlackBerry Ltd is now offering BBM Protected for free? This would be news to me.
BBM has been encrypting its chats on the wire with real encryption (as opposed to the traditional BBM "scrambling") ever since they built BBM on BB10 and went cross-platform. But data-at-rest encryption, or the other additional BBM Protected layers of security, have always required some sort of subscription.
Have they really done away with that now?
The way I look at it, anyone who gives a rat's hindquarters about privacy has always been an idiot to use WhatsApp, because WhatsApp's user identities are directly tied to each person's phone number (like SMS), which means that (AFAIK) you are broadcasting your telephone number to the whole world whenever you use it. Furthermore, anyone who uses anything owned by FB and expects their privacy to be respected is an idiot of the highest degree.
Ergo, people of that persuasion who are miffed about sharing their contacts list with the FacePlex seem sort of quaint.
The only people who enjoy this sort of "protection" are the elite members of the ruling class like Bush, Sarah Palin, etc.
The rest of us can just go pound sand as far as law-enforcement is concerned, if someone guesses our lousy AOL password.
McAfee's credibility is several levels below the FBI's, at this point.
They did have an MDM solution at that San Bernardino agency, but apparently it was in "test mode" on Farook's phone and not fully enabled yet. Oops.
@Pott, I often vehemently disagree with your rants. This one I agree with 300%.
I'm enough of an old fart to imagine that I was in the biz' before the majority of the major players had turned into mendacious monstrosities that are seemingly comprised of 85% marketing BS and 15% technology, if you're lucky.
It would be hilarious as hell if it weren't so pathetic that I oftentimes will get some drivel in my mailbox that after reading over 4-5 times I still cannot figure out WTH they are supposedly talking about: 100% idiotic buzzwords, corporate double-speak and impenetrably abstract euphemisms for what I do not know.
Living through the days when HDDs failed a lot more frequently perhaps places a different light on these things.
The problem with SSD failures is that there is no "Plan B" where you can take it to a fabulously expensive outfit that will find a way to retrieve the magnetic bits, usually. If the chips fail, they fail. There is no resurrecting them at any price, usually.
And then there is that pesky problem where SSDs in powered-off state (particularly after they've been used a while), tend to "forget" what was stored on them, randomly. Oops.
I actually love that article layout.
My usual problem with the avalanche of data that exists to be absorbed in this field is when I see a long review of a bunch of products, I have this sense of dread that I have to slog through it, from beginning to end, looking for things of interest, and half the time I lose interest because of all the unrelated junk I'm forced to slog through to find a nugget or two. (Yeah, I do a lot of skipping to the "conclusion" page but oftentimes the info I'm looking for isn't there)
Not only was this article short and to the point, it allowed me to browse through each product description while simultaneously taking in the performance measurements for the whole slate of products, which I thought made a much better use of my "eye-time".
Besides the "helium leakage" issue, I don't suppose enough people realize (and the industry isn't going around telling them, of course) that flash memory has this annoying problem of just getting amnesia over time.
One of the scariest aspects of SSDs and flash memory in general, to me, is the fact that data can just start randomly disappearing while they sit on the shelf, with no voltage applied.
Someone at Seagate who also is a member of the JEDEC standards body wrote a highly publicized paper on this which was published last May, but the issue of offline flash/SSD data retention has been known about for years.
The "all in one" approach to updating typically only works if every single executable is open-source and the developer is willing to relinquish control over the distribution of their product. And believe it or not, repositories sometimes get compromised, which is one reason why some software developers prefer not to cede control over that critical part of the chain to 3rd parties.
And while it's a nice utopian fantasy, the whole universe of software will not all become open-source in my lifetime. So, we are sometimes stuck with a bunch of proprietary updaters. Which I don't have a huge problem with if they are GOOD proprietary updaters. Pity how many unnecessarily lousy ones exist.
Some day some places may actually mandate a minimum level of software quality for some products, especially when its code flaws have a widespread effect on the well-being of the populace. Just like laws that attempt to ensure little things like the automobile you drive has brakes that actually work.
Looking at the previous Reg article about the $17M Symantec judgment, I couldn't help but guffaw at the almost perfectly appropriate surname of IV's legal spokesperson:
"We are grateful to the jury for their hard work and for confirming the validity of these patents," Intellectual Ventures chief litigation counsel Melissa Finocchio said in a canned statement.
Oh, well that anecdote proves it then, all A/V companies must be frauds. [rolleyes]
As for Google, clearly their talking-heads read Orwell - too bad they somehow took the wrong message from him tho.
The FCC has clear statutes that prohibit the interception or jamming of wireless telephony signals. This is why it is illegal to sell or own cellular jamming equipment in the USA, and why people who were caught snooping on the telephone calls of politicians in the past have been thrown in jail.
Of course, us proles will never enjoy the sort of privacy protections that the parasi...er, politicians enjoy.
Of course these apparatchiks and technocrats don't seem capable of comprehending how a fundamental communication technology that has been part of the world for ~60 years can just be turned off in short order and not impact all the people who have this technology embedded in all sorts of devices and equipment that WILL NEVER get updated to be compatible with DAB. Just like the bimbos in the USA that thought that adding a few weeks to daylight savings time would "save electricity" (studies have proven this is nonsense now) while immediately obsoleting all sorts of equipment with embedded clocks which were pre-programmed with the old switchover dates. (Including minor little things like building control and security systems, etc.)
All the nonsense about questionable DAB audio quality and changing/incompatible codecs/ECC also demonstrates once more the tunnel-vision of people who couldn't fathom the need for eg software-definable radios that could adapt to the future codec-du-jour.
Which leaves us at the "savings" part - which of course in my country will undoubtedly translate into corporate $PROFIT$, not anything likely to benefit the average punter. And to those who say we will all just migrate to digital streaming - A) unicast streaming media is the most ridiculously inefficient way of broadcasting content to the public ever devised, and B) this just throws us even more at the mercy of the wireless data oligopolists, which of course are the very same entities eager to realize these "savings".
Most of the non-OS-specific vulns that apply to Webkit generally seem to apply to Blackberry 10's native browser.
The exception would be some aspects of the crypto library, which is unique to BlackBerry. (And FIPS 140-2 certified... though in the post-Snowden era I'm not sure that's something I'd be particularly proud about)
The problem BlackBerry has is that they cannot push mandatory, timely updates to their users because they are all gated through carriers. For example, the VAST majority of US BlackBerry 10 users today are on devices where the latest official OS is some variant of 10.2.1 - which is riddled with security weaknesses.*
BlackBerry has also been notoriously slow at releasing security patches - their announcement in this case is notable for being much prompter than is their usual habit.
The issue of having to rely on carriers to push updates is not unique to BlackBerry (Apple is one of an extremely exclusive club not burdened by this), but their current market position most likely means that the leverage they have over carriers to "encourage" them to do so is far less than the 6-10 vendors who sell more devices that connect to carrier networks these days than they do.
*(Yes, enthusiasts can violate BlackBerry's terms of service, find and install unapproved leaked versions of firmware on their devices, but even at that, I'd estimate of the total installed base of devices, probably no more than 10% - at most - do this on a regular basis.)
"There was obviously a reason why the Secret Service made Obama give up his iPhone for a not-so-cool custom Blackberry when he became President."
Tidbit: Obama's device is, among other special customizations, an older BBOS device on Verizon's network - in other words - no SIM card. :D
I will admit, having hackable DNS for their core internet domain does call into question their corporate priorities.
It's a pity, because Lenovo is one Chinese company that I have historically had pretty decent faith in.
As a longtime IBM and Thinkpad user/recommender/supporter I was quite skeptical when the Lenovo takeover was announced. But over the years they have earned my trust for the most part. (Notwithstanding some of their product choices like not generally offering high-quality display panels on laptops these days)
Lenovo is not like most Chinese companies, they are highly globally diversified (in terms of ownership and workforce) - significant parts of top management are not native Chinese, with some important divisions outside of China - and they don't have major ties with the PLA or CPC. They also seem to treat their workers decently.
Thus I am inclined to think that this issue was mostly the result of attempts to squeeze extra revenue out of the mass-market product lines with the over-zealous use of "crapware", the impacts and implications of which were not fully grasped by the responsible parties. (Most likely, marketing types) Rather than some nefarious plot to spy on all their customers.
"The US dropped two bombs on Japan to end the war. They intentionally targeted cities that had civilian populations. (Oh and of course some military value.)
But the truth is that it would be considered a war crime. Yet what would have happened if we hadn't dropped the bombs?"
The Soviets would still have marched into Berlin and defeated the Germans (at far greater human cost to their citizenry than the USA suffered) and the war would have ended just the same.
Thanks for playing.
BTW, you spelled "Kool-Aid" wrong. Strangely, some of us drank it as kids without even coming under its spell. :)
All you have to do is have proper equipment and provider that both support HD (eg G.722) and then it should all be fine.
So this "we still have the same low quality..." complaint in the scenario you described seems to be a poor choice of hardware/provider, no?
I hated what Oracle did with a lot of the Sun products, including pulling support and even the ability to download a BIOS ROM for old workstations without buying a pricy service contract - but VirtualBox has become (remained?) probably the most useful Oracle software product to me, particularly because it is still accessible to anyone without having to pay a king's ransom, and it works well.
On the other hand, every single time I install a Java JRE update, I am reminded of how much I hate Oracle, since they provide "fake" options to disable various annoying features which, like clockwork, re-enable themselves without notice every single time you do a bugfix update, or even before then. (One of my long-held pet peeves: SW that wants to "pre-load" itself and suck up continuous resources on a computer when it is not being used, simply because it makes the SW look less like a sluggish albatross when you eventually actually have a reason to use it and 80% of it is already sitting there in memory, playing "memory sponge".)
That is awfully strange, isn't it?
Yes, it's true that a large portion of ICANN's revenue comes from sleazy businesses that provide no value to anyone but a tiny handful of stupid opportunists.
Now that ICANN's CEO has just learned this obvious little detail, it's time to do away with the various ICANN policies that are anti-internet-user and pro-opportunist-value-destroyer.
Eh, where's my flying pig icon...