Tag Archives: Google Pixel 2

Game of Pawns

Most people have heard of the Game of Thrones, George R.R. Martin’s masterpiece filmed and shown by HBO. Its final season will come in 2019 and the air is filled with teasers, speculated spoilers and optional fan made false trailers. Yet have you heard of the game of pawns? This goes directly towards the entire Australian Encryption Bill. I spoke about it 2 days ago in ‘Clueless to the end‘, where we are introduced to the misrepresented views of Peter Dutton. On how he plays the system on getting the FAANG group to help him a little, which is exactly what the FAANG group is unwilling to do. In addition to what I wrote there is the voice of Paul Brookes, chair of Internet Australia. He gave us: “it is important for law enforcement to find ways to improve their capabilities for intercepting criminal activities through the communications sectors, “they must not do so via hastily enacted legislation which fails to consider the legitimate concerns and advice of global technology experts, and carries the very clear risk of creating more problems than it solves”“, in this Paul is right and the issue is growing on other settings too. In the last three days we have been made privy to: ‘Hackers stole millions of Facebook users’ highly sensitive data — and the FBI has asked it not to say who might be behind it‘. Optionally because they cannot unsubstantiated blame Russia again, yet in the much larger setting it seems that they do not have a clue. In addition, we see evolving today: ‘PS4 Users Are Claiming That Malicious Messages Are Breaking Their Consoles‘. The last one seemingly has a solution as reported by Kotaku: “It does seem that the exploit is purely text-based, so changing your PlayStation messenger privacy settings should prevent it from happening. You can do that by going to Account Management in your console Settings, heading to the Privacy Settings submenu, and changing Messaging settings to “Friends Only” or “No One,” meaning that only your pre-selected friends or no one at all can message you“. Two attacks, the second one without knowing the extent of the attack in a setting that could not have been prevented by the encryption bill, the fact that the authorities have been grasping in the dark gives a very clear view on how short the authorities are on the ability to stop these events. All the BS short-sighted attempts to access data whilst the entire communication system is flawed beyond belief shows just how clueless the governmental players have become.

So as this week is likely to be about: “It appears to be the worst hack in Facebook’s 14-year history“, many will all go into the blame game against Cambridge Analytical, ye the foundation is that the internet was always flawed, and again we see a setting where the failing of non-repudiation is at the core of certain events. A setting where ““access tokens” – essentially digital keys that give them full access to compromised users’ accounts“, done through hacks into vulnerabilities into a setting of ‘authentication’, where the optional ‘non-repudiation’ might have optionally prevented it. That basic flaw has been around for over a decade and the tech companies are unwilling to fix it, because it makes them accountable in several additional ways.

Non-Repudiation

In a setting where you and you alone could have done certain things, is stage against the setting of someone with the claimed authority has staged the deletion of all you created. That is the stage we are in and the damage is increasing. As more and more vulnerabilities are brought to light, the lack of actions are beyond belief.

The NPR reported something interesting that the initial sources did not give me. They give us: “the hack exploited three separate bugs in Facebook’s code. No passwords were compromised, but the hackers were able to gain “access tokens” that let them use accounts as though they were logged in as another person“, as far as I can speculate, non-Repudiation might not have allowed that, making non-repudiation a much larger priority for social media than ever before. The fact that the data captures are getting larger makes the change also a lot more important. If the value of Facebook is data, keeping that secure should be their first priority, the Encryption bill would also be a void part if non-repudiation becomes an actual part of our lives. The dire need of Common Cyber Sense is seen everywhere and we need to give less consideration to people who cannot keep their Common Cyber Sense.

You see, the issue is becoming a lot more important. The fact that these accounts are now sold on the dark web, with the by-line: “If sold individually at these prices, the value of the stolen data on the black market would be somewhere between $150m and $600m“, we are certain that this will get a lot worse before there is any improvement. It is my personal view that actively seeking a non-repudiation setting will hasten that process of making your data more secure.

It is in addition the setting that the Dream Market offers, which by the way is useless. The Chinese vendor offering the data, could in the end merely be an expelled student from any US university living in Dublin, there is at present no way to tell who Chernobyl 2550 actually is.

Finding and exploiting three bugs in Facebook gets you optionally half a billion, the governments are that far behind and there is no indication that they will catch up any day soon. When going back to the Facebook setting, we also saw “Facebook said third-party apps and Facebook apps like WhatsApp and Instagram were unaffected by the breach“, yet another source gives us: ‘WhatsApp Bug Allowed Hackers To Hack Your Account With Just A Video Call’ (at https://www.valuewalk.com/2018/10/whatsapp-bug-video-call-fixed/) implying that Facebook users are in a lot more peril then shown from the different media. We are given: “A security researcher at Google’s Project Zero discovered a strange bug in WhatsApp that allowed hackers to take control of the app if they just knew your phone number. All they had to do was placing you a video call and getting you to answer it. Though the WhatsApp bug was disclosed only on Tuesday, Google researcher Natalie Silvanovich had discovered and reported it to the Facebook-owned company back in August“. So even as it seems that Facebook is not giving us ‘faulty’ information; the mere fact on the existence of the flaw as seen with: “She disclosed the WhatsApp bug to the public only after the company fixed it via a software update. Silvanovich wrote in a bug report that heap corruption could occur when the WhatsApp app “receives a malformed RTP packet.” The bug affects only the Android and iOS versions of WhatsApp because they use the Real-time Transport Protocol (RTP) for video calling” is showing a dangerous setting where a number of failings within this year alone gives rise to the flaws in security and proper testing of apps and the stage of security is failing faster than we should be comfortable with.

So even as CBS News was all about hacking elections last week, giving us: “These cyber-attackers are driven by a variety of motivations, says Andrea Little Limbago, the chief social scientist at data security firm Endgame. “As long as attackers find it in their best interests or find the motivation to want to have some sort of effect … they’re going to think about what they could do with that access,” she says. “Especially China, Russia, and Iran.”“, the failing we see that there is a flaw in the system, it is not merely on pointing at the wrong players, it is about the flawed setting that some systems were breached in the first place. The larger setting is not the hack, it is access and the need for non-repudiation is growing at an alarming rate, in a setting where none of the players are ready to accept non-repudiation, we see a faulty authentication approach and that is the cost of doing business. So when you consider it a sign of the times, consider that I personally witnessed a bug that Whatsapp showed over 27 years ago, when a financial package on DEC VAX/VMS has something called Ross Systems. An intentional illegal action would crash your terminal program and leave any user in the VAX/VMS system with supervisor rights, with total access to every file on the server and every drive. Would it be nice if certain lessons were learned over a quarter of a century?

That is the issue sand the opposition of those who want to push out new features as soon as possible and that danger will only increase in a 5G setting, so when your mobile becomes your personal data server and someone does get access to all your credit card and health data, you only have yourself to blame, good luck trying to sue the technology companies on that. Actually that is exactly what Google is facing with class actions against both the Pixel and Pixel 2 at present. Should they lose these, then the ante goes up, because any case involving flawed data security, when flagged as inappropriately dealt with could cost Google a lot more than they are bargaining for, and it is not just Google, Apple, and Facebook will be in equal settings of discomfort.

If only they had properly looked at the issues, instead of seeking the limelight with a new fab. In the end, are we mere pawns to them, to be exploited and under secured for their short terms needs of clicks and sales pitches? What happens when it falls? They will still get their golden handshakes and a life without complications for decades, what are we left with when our value in data is sold on?

We are merely pawns in a game and no one wants the throne, they merely want to be the second fiddle and walk away overly rich (or own the Iron Bank), we enabled this, and we get to live with the fallout that comes next, all because non-repudiation was too hard for these players.

 

Advertisements

Leave a comment

Filed under IT, Media, Politics, Science

Rocking the bullshit

There has been a massive issue with Huawei, the accusations by the US is the largest one, one of its sheep (aka Australia) has been on the same post on how Huawei is such a large danger to the safety and security of a nation. It gets ‘worse’ when we see ‘The DNC tells Democrats not to buy Huawei or ZTE devices ever’, (at https://www.theverge.com/2018/8/3/17649920/dnc-democrats-huawei-zte-devices-ban-china-hacking-threat). Here we see the quote “people shouldn’t be using devices from either Chinese company for work or personal use. The words echo what federal officials have already said about Huawei and ZTE posing possible security threats to the US. In February, CIA, NSA, and FBI chiefs testified in front of a Senate committee that the two companies were beholden to the Chinese government and the devices could become tools for undetected espionage“, my issue has always been: ‘show me the evidence!’ Basically EVERY phone can be used as a spying device, that is one clear thing we got out of the Cambridge Analytica part, in addition, the Fitness tracking app Strava was a great way to find CIA black ops bases, so even as Strava merely mapped ‘a regular jogging route’, using Google or Apple maps, you would be able to map out the base, the supply routes and so on, the Apple Fitbit would be there for the Russian government knowing where these specialists were and when the were there. So in all that, and all the security transgressions seen here, not of the were Huawei or ZTE, yet, how much noise have you heard from the CIA, NSA, or FBI on Apple? Even now, they are that one Trillion dollar company, are they too big to mention?

I wonder why?

Yet, Huawei is not out of the hot water yet, they are actually in deeper hot waters now but this time it is allegedly by their own actions. Reuters is giving u mere hours ago: ‘Huawei in British spotlight over use of U.S. firm’s software’, the news (at https://www.reuters.com/article/huawei-security-britain-usa/huawei-in-british-spotlight-over-use-of-us-firms-software-idUSL5N1US343) gives us: “One of those is due to Huawei’s use of the VxWorks operating system, which is made by California-based Wind River Systems, said three people with knowledge of the matter, all of whom spoke on condition of anonymity when discussing details which were not made public in the report“, which now leads me to the setting that the American accusations are set on the premise of American Software used? How dopey is that?

Then we get: “the version of VxWorks being used by Huawei will stop receiving security patches and updates from Wind River in 2020, even though some of the products it is embedded in will still be in service“. In all this, the fact that it is still serviced for another 2 years, how are we now in the stage of: “potentially leaving British telecoms networks vulnerable to attack“? Is that not equally a questioning setting? Do we not have enough issues out there with Microsoft which has been nearly forever a security concerns, at this point, 2 years early we get the security warning on Huawei, yet not on Microsoft or Apple for that matter, in all this Google is equally a place of patches, and in all this, Huawei is the one getting unbalanced and unfairly burned at the stake like a Catholic at an Elisabeth I barbecue gathering.

Yet the good stuff is “All three sources said there was no indication that the VxWorks mismatch was deliberate. There is also no suggestion that the software itself represents a security risk“, this now leads us to two parts. The first is if it is true that ‘no suggestion that the software itself represents a security risk‘, does this mean that Huawei never had a security risk and if that is incorrect, why not present that evidence so that every Huawei Owner can test for this transgressions ending whatever future Huawei had in the first place.

In the second part, if there is no proven security flaw in the Huawei on hardware, is the security flaw a software one, or better stated an American software one, and if so, why are these people only going after Huawei and not after a dozen American firms?

The one part that we see in Channel News Asia is “Consultant Edward Amoroso, a former chief security officer at AT&T, said Huawei’s experience in Britain showed the challenges of securing international supply chains. Although no one should dismiss Huawei as a supplier solely because of its geographical location, reliance on software that is going out of support is a legitimate concern, Amoroso said“, the news (at https://www.channelnewsasia.com/news/business/huawei-in-british-spotlight-over-use-of-us-firm-s-software-10590268) gives the part that does matter, in this Edward Amoroso is right, software at the end of its reign is often the true safety concern, not merely because of the time frame, but in extent the time required to properly update the software on all the devices, which is not always a smooth path and tends to open up additional security gaps. In that part of the equation Huawei does have a legitimate problem to address. The second part to all that is “In addition to the issue with VxWorks, this year’s report also cited technical issues which limited security researchers’ ability to check internal product code“, I believe it to be a minor part and the proper investigators could seek or test for the issues, not merely that, the limitations also remove whatever options there are for zero day breaches, which has a much larger legal frame to address. So even as we agree that the US setting of accusation without evidence (proper presented evidence is merely the stuff that makes the grass grow in Texas). We also get that the US is giving us: “In the United States, the Pentagon is working on a “do not buy” list to block vendors who use software code originating from Russia and China“, there is an actual thing called national security and as such, it is their right to implement that part, I do believe that in the end it might be somewhat counterproductive, but it is still within their rights to be in such a setting nor no other reasons.

In the end there are a few issues in the field and some are out there, but with a lack of technical details, some cannot be proven, yet the fact of what some have done in the past might give the setting of ‘is it more likely than not that some do not really have 5G‘ is a true setting, yet I prefer to have the actual evidence, that some are trying to keep buried, and the media is part of that chase, which is odd to say the least. Huawei is bouncing back and forth and their hold to grow fast via the UK will be there, but from my point of view, they will need to fix the VxWorks part a lot faster than they think they need. From my estimation a new software solution should be well beyond the Beta stage in Q1 2019 if they want to have any chance of keeping their lucrative growth contracts in place. In equal measure we need to look at Canada and Australia, as they are currently set to be nothing more than US tools in all this. In all respects no actual and factual evidence was thrown out in the open. If that was done Huawei would have lost pretty much every non-Chinese contract, the fact that the BS is spread even larger with absence of evidence gives more reliability that there is no real security danger and it is more a tool for some to get the slice of 5G pie, probably at the expense of a monthly data dump, nicely mailed via UPS to: N 11600 W, Saratoga Springs, UT 84045, USA. That alone should give us the goods on who to trust and who to be cautious of. In all this, no evidence has been presented to the public (and their right to know) on how Huawei is a threat to our security. The fact that I believe that this is all bogus in one thing, the issues seems to be blown up as everyone takes a queue from John Bolton, that whilst the setting “Five Eyes is an alliance between Canada, New Zealand, the United States, Australia, and the United Kingdom that facilitates collaboration in intelligence activities” gives us that there are three in the dark, the UK might be around with the knowledge and the rest merely takes a queue form the US, which has seemingly been whispering like they did in the WMD in Iraq phase, you do remember that in the end, they were never found and it was merely bad intel. So in that setting whilst Corporate America, Canada and Australia are all in fear of their gap against leading Huawei, in that setting we are supposed to have faith on the American gospel on what constitutes a danger from Huawei? And now that we are made aware that the software solution used is an American one?

Yup, we have all kinds of problems and some are valid issues of concern as Edward Amoroso phrases it. Yet between a setting of concern and an actual concern is a mile long gap and whilst we acknowledge that Huawei has some fixing to do, until actual evidence is shown that there is a security breach, the only thing that the US can do is to offer a $229 instant price match for the Apple, or an $100 instant price match for the Google Pixel 2, or a $400 instant price match for the Samsung 9, why would anyone in this day and age pay more for the same, actually, with the enhanced batteries of Huawei you will still miss out, but that might be the smallest cross to bear. All this because some players just didn’t get the pricing right, too many fingers on the margin pie, that alone seems to unbalance the entire equation, because all these players will miss out when Huawei is given free reign there. In this the equation is no longer about security, it will be merely about greed and those enabling for it. Is that not equally important an element to consider?

I’ll be honest, I am still happy with my Huawei P7, it was really affordable against anyone offering anything and after 3 years working 24:7, where would you think I would look first? The one who had proven himself, or the one overpricing its brand (OK, with the Pixel at a mere $100 more, that is still an awesome deal).

When we decide on pricing it is one, when unreliable players in the game force us away from the affordable option it becomes a different stage and so far, the US has proven to lose reliability again and again when it comes to their version of security. To emphasize on that, check on all the printing regarding the Landmines in Yemen placed by the Houthi and the amount of articles that we see in the NY Times, the LA Times and the Washington Post. Now consider the impact of mines and why Americans seem to be eager not to inform you. By the way, that setting was almost certain a setting that Iran enabled, if you questions that (which is fair) then answer the simple question, where did the Houthi forces get 1,000,000 mines from?

We are kept in the dark on the wrong topics and it is time to set the limelight on those people keeping us knowingly in the dark.

 

Leave a comment

Filed under Finance, IT, Law, Media, Politics, Science