I'm a char salesman. I share things about: Programming, SysOps, Civil Rights, education, and things that make me happy. And robots.

Ransomware and the Internet of Things


As devastating as the latest widespread ransomware attacks have been, it's a problem with a solution. If your copy of Windows is relatively current and you've kept it updated, your laptop is immune. Only older, unpatched systems are vulnerable.

Patching is how the computer industry maintains security in the face of rampant Internet insecurity. Microsoft, Apple and Google have teams of engineers who quickly write, test and distribute these patches: updates to the code that fix vulnerabilities in software. Most people have set up their computers and phones to automatically apply these patches, and the whole thing works seamlessly. It isn't a perfect system, but it's the best we have.

But it is a system that's going to fail in the "Internet of things": everyday devices like smart speakers, household appliances, toys, lighting systems, even cars, that are connected to the web. Many of the embedded networked systems in these devices that will pervade our lives don't have engineering teams on hand to write patches and may well last far longer than the companies that are supposed to keep the software safe from criminals. Some of them don't even have the ability to be patched.

Fast forward five to 10 years, and the world is going to be filled with literally tens of billions of devices that hackers can attack. We're going to see ransomware against our cars. Our digital video recorders and web cameras will be taken over by botnets. The data that these devices collect about us will be stolen and used to commit fraud. And we're not going to be able to secure these devices.

Like every other instance of product safety, this problem will never be solved without considerable government involvement.

For years, I have been calling for more regulation to improve security in the face of this market failure. In the short term, the government can mandate that these devices have more secure default configurations and the ability to be patched. It can issue best-practice regulations for critical software and make software manufacturers liable for vulnerabilities. It'll be expensive, but it will go a long way toward improved security.

But it won't be enough to focus only on the devices, because these things are going to be around and on the Internet much longer than the two to three years we use our phones and computers before we upgrade them. I expect to keep my car for 15 years, and my refrigerator for at least 20 years. Cities will expect the networks they're putting in place to last at least that long. I don't want to replace my digital thermostat ever again. Nor, if I ever need one, do I want a surgeon to have to go back in to replace my computerized heart defibrillator in order to fix a software bug.

No amount of regulation can force companies to maintain old products, and it certainly can't prevent companies from going out of business. The future will contain billions of orphaned devices connected to the web that simply have no engineers able to patch them.

Imagine this: The company that made your Internet-enabled door lock is long out of business. You have no way to secure yourself against the ransomware attack on that lock. Your only option, other than paying, and paying again when it's reinfected, is to throw it away and buy a new one.

Ultimately, we will also need the network to block these attacks before they get to the devices, but there again the market will not fix the problem on its own. We need additional government intervention to mandate these sorts of solutions.

None of this is welcome news to a government that prides itself on minimal intervention and maximal market forces, but national security is often an exception to this rule. Last week's cyberattacks have laid bare some fundamental vulnerabilities in our computer infrastructure and serve as a harbinger. There's a lot of good research into robust solutions, but the economic incentives are all misaligned. As politically untenable as it is, we need government to step in to create the market forces that will get us out of this mess.

This essay previously appeared in the New York Times. Yes, I know I'm repeating myself.

EDITED TO ADD: A good cartoon.

reconbot (New York City), 4 days ago: Previous generation wrote spam filters, this one is ad networks, next one will deal with this.

Cloudflare gets another $50,000 to fight “new breed of patent troll”


Cloudflare, the CDN and Internet security company, has gone full berserker-mode in its fight against patent-holding company Blackbird Technologies.

Blackbird sued Cloudflare in March, claiming infringement of US Patent No. 6,453,335. Two weeks ago, Cloudflare explained the strategy it would use to fight back. The company pledged not only to seek to invalidate the '335 patent, but also to spend $50,000 on a "bounty" to gather prior art and knock out all Blackbird-owned patents.

Today, Cloudflare CEO Michael Prince said his company is doubling the amount of money it will spend to kill off Blackbird's patents and is working with state legislators to ban Blackbird's business model.

"We're excited to report that a friend in the industry who read our blog post and shares our concerns about the corrosive impact of patent trolls has made an anonymous donation of $50,000 to support our efforts to invalidate the Blackbird Tech patents," wrote Prince in today's blog post. "That means that we are now committing at least $100,000 to the effort to find prior art on and initiate actions to invalidate the Blackbird Tech patents."

The initial bounty was split up, with $20,000 going toward the particular patent used to sue Cloudflare and $30,000 dedicated to other Blackbird patents. Cloudflare and its backer have gotten so many prior-art submissions on the patent used against Cloudflare that 100 percent of the newly donated $50,000 will go toward finding prior art on the other Blackbird patents.

Blackbird Technologies, a Massachusetts firm founded by two former big-firm lawyers, has said it has a "new model" that allows for more efficient monetization of patents. Essentially, Blackbird cuts costs by acting as both lawyer and client, a move that Cloudflare lawyers believe may violate attorney ethics rules. Cloudflare has asked legal regulators in Massachusetts and Illinois to take a look at the business, which Prince says is a "dangerous new model of patent trolling."

Blackbird founder Wendy Verlander told Ars in a statement that Cloudflare's allegations "are completely without merit," and she will vigorously defend against them.

Prince noted that state lawmakers are waking up to the danger of attorneys litigating their own patents. In Illinois, state Rep. Keith Wheeler has introduced a bill that would stop attorneys from earning fees for legal services relating to patents that they themselves own. The bill provides exceptions if the attorney "is actively engaged in producing a product or service" related to the patented invention.

In Massachusetts, where Blackbird is based, another bill is being considered to limit "bad faith" assertions of patent infringement. That bill is similar to ones passed in other states, which are targeted primarily at patent demand letters.

"We’re happy to work with interested lawmakers in other states, including Delaware, to advance new laws that limit the practices of patent trolls, including Blackbird Tech’s 'new model,'" Prince says. "We can share the information we’ve learned and pull together model legislation. If you are interested or know a legislator who may be, feel free to email us."

In the post, Prince also praised the prior art submissions they've received thus far as being "exceptionally high quality." He continued:

The Cloudflare community of users and readers of our blog are an accomplished bunch, so we have a number of searches that were done by expert engineers and programmers. In one case that stood out to us, someone wrote in about a project they personally had worked on as an engineer back in 1993, which they are convinced is conclusive prior art to a Blackbird Tech patent. We will continue to collect and review these submissions.

Prince suggests that those interested in helping should take a look at the 20 Blackbird patents for which no prior art has yet been submitted. Cloudflare will update its chart of Blackbird patents, color coding them to indicate how much prior art they have on each. The new donation cash will be used to increase the bounty paid to researchers turning up prior art, as well as fund invalidation proceedings at the US Patent and Trademark Office.

And, of course, Cloudflare will implement the most powerful tool of any good patent troll hunter: T-shirts! A T-shirt celebrating the goals of "Project Jengo" will be given to anyone who submits "a legitimate entry of prior art."


Hacking Fingerprint Readers with Master Prints


There's interesting research on using a set of "master" digital fingerprints to fool biometric readers. The work is theoretical at the moment, but they might be able to open about two-thirds of iPhones with these master prints.

Definitely something to keep watching.

Research paper (behind a paywall).


The Future of Ransomware


Ransomware isn't new, but it's increasingly popular and profitable.

The concept is simple: Your computer gets infected with a virus that encrypts your files until you pay a ransom. It's extortion taken to its networked extreme. The criminals provide step-by-step instructions on how to pay, sometimes even offering a help line for victims unsure how to buy bitcoin. The price is designed to be cheap enough for people to pay instead of giving up: a few hundred dollars in many cases. Those who design these systems know their market, and it's a profitable one.

The ransomware that has affected systems in more than 150 countries recently, WannaCry, made press headlines last week, but it doesn't seem to be more virulent or more expensive than other ransomware. This one has a particularly interesting pedigree: It's based on a vulnerability developed by the National Security Agency that can be used against many versions of the Windows operating system. The NSA's code was, in turn, stolen by an unknown hacker group called Shadow Brokers -- widely believed by the security community to be the Russians -- in 2014 and released to the public in April.

Microsoft patched the vulnerability a month earlier, presumably after being alerted by the NSA that the leak was imminent. But the vulnerability affected older versions of Windows that Microsoft no longer supports, and there are still many people and organizations that don't regularly patch their systems. This allowed whoever wrote WannaCry -- it could be anyone from a lone individual to an organized crime syndicate -- to use it to infect computers and extort users.

The lessons for users are obvious: Keep your system patches up to date and regularly back up your data. This isn't just good advice to defend against ransomware, but good advice in general. But it's becoming obsolete.

Everything is becoming a computer. Your microwave is a computer that makes things hot. Your refrigerator is a computer that keeps things cold. Your car and television, the traffic lights and signals in your city and our national power grid are all computers. This is the much-hyped Internet of Things (IoT). It's coming, and it's coming faster than you might think. And as these devices connect to the Internet, they become vulnerable to ransomware and other computer threats.

It's only a matter of time before people get messages on their car screens saying that the engine has been disabled and it will cost $200 in bitcoin to turn it back on. Or a similar message on their phones about their Internet-enabled door lock: Pay $100 if you want to get into your house tonight. Or pay far more if they want their embedded heart defibrillator to keep working.

This isn't just theoretical. Researchers have already demonstrated a ransomware attack against smart thermostats, which may sound like a nuisance at first but can cause serious property damage if it's cold enough outside. If the device under attack has no screen, you'll get the message on the smartphone app you control it from.

Hackers don't even have to come up with these ideas on their own; the government agencies whose code was stolen were already doing it. One of the leaked CIA attack tools targets Internet-enabled Samsung smart televisions.

Even worse, the usual solutions won't work with these embedded systems. You have no way to back up your refrigerator's software, and it's unclear whether that solution would even work if an attack targets the functionality of the device rather than its stored data.

These devices will be around for a long time. Unlike our phones and computers, which we replace every few years, cars are expected to last at least a decade. We want our appliances to run for 20 years or more, our thermostats even longer.

What happens when the company that made our smart washing machine -- or just the computer part -- goes out of business, or otherwise decides that they can no longer support older models? WannaCry affected Windows versions as far back as XP, a version that Microsoft no longer supports. The company broke with policy and released a patch for those older systems, but it has both the engineering talent and the money to do so.

That won't happen with low-cost IoT devices.

Those devices are built on the cheap, and the companies that make them don't have the dedicated teams of security engineers ready to craft and distribute security patches. The economics of the IoT doesn't allow for it. Even worse, many of these devices aren't patchable. Remember last fall when the Mirai botnet infected hundreds of thousands of Internet-enabled digital video recorders, webcams and other devices and launched a massive denial-of-service attack that resulted in a host of popular websites dropping off the Internet? Most of those devices couldn't be fixed with new software once they were attacked. The way you update your DVR is to throw it away and buy a new one.

Solutions aren't easy and they're not pretty. The market is not going to fix this unaided. Security is a hard-to-evaluate feature against a possible future threat, and consumers have long rewarded companies that provide easy-to-compare features and a quick time-to-market at its expense. We need to assign liabilities to companies that write insecure software that harms people, and possibly even issue and enforce regulations that require companies to maintain software systems throughout their life cycle. We may need minimum security standards for critical IoT devices. And it would help if the NSA got more involved in securing our information infrastructure and less in keeping it vulnerable so the government can eavesdrop.

I know this all sounds politically impossible right now, but we simply cannot live in a future where everything -- from the things we own to our nation's infrastructure -- can be held for ransom by criminals again and again.

This essay previously appeared in the Washington Post.


Extending the Airplane Laptop Ban


The Department of Homeland Security is rumored to be considering extending the current travel ban on large electronics for Middle Eastern flights to European ones as well. The likely reaction of airlines will be to implement new traveler programs, effectively allowing wealthier and more frequent fliers to bring their computers with them. This will only exacerbate the divide between the haves and the have-nots -- all without making us any safer.

In March, both the United States and the United Kingdom required that passengers from 10 Muslim countries give up their laptop computers and larger tablets, and put them in checked baggage. The new measure was based on reports that terrorists would try to smuggle bombs onto planes concealed in these larger electronic devices.

The security measure made no sense for two reasons. First, moving these computers into the baggage holds doesn't keep them off planes. Yes, it is easier to detonate a bomb that's in your hands than to remotely trigger it in the cargo hold. But it's also more effective to screen laptops at security checkpoints than it is to place them in checked baggage. TSA already does this kind of screening randomly and occasionally: making passengers turn laptops on to ensure that they're functional computers and not just bomb-filled cases, and running chemical tests on their surface to detect explosive material.

Second, banning laptops on selected flights just forces terrorists to buy more roundabout itineraries. It doesn't take much creativity to fly Doha-Amsterdam-New York instead of direct. Adding Amsterdam to the list of affected airports makes the terrorist add yet another itinerary change; it doesn't remove the threat.

Which brings up another question: If this is truly a threat, why aren't domestic flights included in this ban? Remember that anyone boarding a plane to the United States from these Muslim countries has already received a visa to enter the country. This isn't perfect security -- the infamous underwear bomber had a visa, after all -- but anyone who could detonate a laptop bomb on his international flight could do it on his domestic connection.

I don't have access to classified intelligence, and I can't comment on whether explosive-filled laptops are truly a threat. But, if they are, TSA can set up additional security screenings at the gates of US-bound flights worldwide and screen every laptop coming onto the plane. It wouldn't be the first time we've had additional security screening at the gate. And they should require all laptops to go through this screening, prohibiting them from being stashed in checked baggage.

This measure is nothing more than security theater against what appears to be a movie-plot threat.

Banishing laptops to the cargo holds brings with it a host of other threats. Passengers run the risk of their electronics being stolen from their checked baggage -- something that has happened in the past. And, depending on the country, passengers also have to worry about border control officials intercepting checked laptops and making copies of what's on their hard drives.

Safety is another concern. We're already worried about large lithium-ion batteries catching fire in airplane baggage holds; adding a few hundred of these devices will considerably exacerbate the risk. Both FedEx and UPS no longer accept bulk shipments of these batteries after two jets crashed in 2010 and 2011 due to combustion.

Of course, passengers will rebel against this rule. Having access to a computer on these long transatlantic flights is a must for many travelers, especially the high-revenue business-class travelers. They also won't accept the delays and confusion this rule will cause as it's rolled out. Unhappy passengers fly less, or fly other routes on other airlines without these restrictions.

I don't know how many passengers are choosing to fly to the Middle East via Toronto to avoid the current laptop ban, but I suspect there may be some. If Europe is included in the new ban, many more may consider adding Canada to their itineraries, as well as choosing European hubs that remain unaffected.

As passengers voice their disapproval with their wallets, airlines will rebel. Already Emirates has a program to loan laptops to their premium travelers. I can imagine US airlines doing the same, although probably for an extra fee. We might learn how to make this work: keeping our data in the cloud or on portable memory sticks and using unfamiliar computers for the length of the flight.

A more likely response will be comparable to what happened after the US increased passenger screening post-9/11. In the months and years that followed, we saw different ways for high-revenue travelers to avoid the lines: faster first-class lanes, and then the extra-cost trusted traveler programs that allow people to bypass the long lines, keep their shoes on their feet and leave their laptops and liquids in their bags. It's a bad security idea, but it keeps both frequent fliers and airlines happy. It would be just another step to allow these people to keep their electronics with them on their flight.

The problem with this response is that it solves the problem for frequent fliers, while leaving everyone else to suffer. This is already the case; those of us enrolled in a trusted traveler program forget what it's like to go through "normal" security screening. And since frequent fliers -- likely to be more wealthy -- no longer see the problem, they don't have any incentive to fix it.

Dividing security checks into haves and have-nots is bad social policy, and we should actively fight any expansion of it. If the TSA implements this security procedure, it should implement it for every flight. And there should be no exceptions. Force every politically connected flier, from members of Congress to the lobbyists that influence them, to do without their laptops on planes. Let the TSA explain to them why they can't work on their flights to and from D.C.

This essay previously appeared on CNN.com.

EDITED TO ADD: US officials are backing down.

reconbot (New York City), 6 days ago: This should stay down

medievalpoc: actuallyblind: kimboosan: actuallyblind: [Image...



medievalpoc:

actuallyblind:

kimboosan:

actuallyblind:

[Image: tweet by Titanium Cranium (@FelicityTC) including three screenshots of a Harry potter book in three different formats on Amazon. Text:

“Harry Potter on Amazon -

Print: $6.39
Audio: $44.99
Braille: $100.00

#CripTax”]

So, let me explain this a bit.

The defenders of CripTax prices will say that those prices cover the cost of production. This is, without a doubt, true. I work at a university where we often have to take written materials and convert them into braille – it takes a LOT of people hours, special software, and a braille embosser.

But those defenders of higher prices are reversing the argument to justify fleecing disabled readers.

What do I mean by that?

Braille is not magic. It is done by taking plain text and feeding it through fairly affordable translation software, creating a document that can easily be printed in braille.

All that time and effort and special software? IS NOT FOR THE BRAILLE.

It is to take the document provided by the publisher (usually in PDF format, the same file they send to the printers) and turn it into plain, unadorned text, by hand. Text has to be “stripped” (OCR/text recognition); images have to be described; footnotes have to be embedded; special pullouts and other formatting shifted or removed. 

Printing in braille is cheap; reverse engineering a finished text to print it in braille IS NOT.

Same with those audio books. After a book is completed and, often, after it has already been published, the publisher arranges to have the book recorded by a professional voice actor/reader, which usually also involves a recording producer, if not a recording studio, which all stacks up to $$, no two ways about it.

However: that cost? IS RARELY FACTORED INTO THE BUDGET OF PRINTING A BOOK.

Oh, it might be, if the author is JK Rowling and it is well known that readers will want audio versions right away. But most of the time, nope, the audio book is produced only after the hard copy book has become a decent seller, and so it’s an extra cost which is claimed must be covered by making the audio version extra expensive to buy. (Even then it’s somewhat ridiculous, since honestly, creating an audio book is, in the end, cheaper than printing, factoring in the cost of paper.)

If publishers factored audio book production into the assumed costs of publishing a book, they would have very little reason to price it higher.

If publishers factored in creating a “plain text” file – including having editors/authors describe images – that could be used to print braille copies or to be used with refreshable braille readers (electronic pinboards, basically), then there would be zero reason to price those books higher.

tl;dr:
Yes, it’s a #criptax, and the excuse that “those formats are more expensive to produce so they have to be priced higher” is only true if you completely throw out the premise that publishers have an obligation to account for disabled readers when they are actually budgeting for and publishing the book.

I’m really glad you brought this up, because this is exactly the sort of argument that people try to use to justify inaccessibility in all kinds of areas. When we tell a company that their website or appliance or piece of technology isn’t accessible, they frequently tell us that they are sorry to hear that but that the accessibility is too expensive and time-consuming to add in now. There is also a provision in the law that allows companies to not bother including accessibility in their products if the cost of building in the accessibility is more than 5% of the total cost to build the whole product in the US.

That seems reasonable on the surface, doesn’t it? Except here’s the thing—the accessibility should have been a part of the original plans to begin with and designed in from the very beginning and should have been considered a necessary element and just another ordinary part of the cost of producing the product, not some extra feature that can be opted out of if it’s too expensive. The problem is that these companies do not understand the fact that if you cannot afford to build the product with the accessibility included, then you cannot afford to build the product and that is that. It’s exactly the same as not being able to afford to make the product with all elements up to safety and health codes and standards. If you can’t afford to meet the legal standards, then you can’t afford to make the product, and it’s that simple. Accessibility is not an exception to this and it should not be considered as such. It should be just as much an ordinary required part of the design process as any other element, not an extra, shiny, fancy feature that you can just choose not to bother with if it costs a little bit of money.

Accessibility should be part of the standard design process just as much as safety codes and health standards and other legal regulations. The ADA has existed for 20 years so companies have had ample time to catch up and learn to plan for accessibility from the beginning as a part of the standard required design process. If you can’t afford to create the product fully up to code, standards, and accessibility laws, then you simply can’t afford to make the product. No excuses, no exceptions.

Thanks for this awesomely informative post; this is precisely what I used to do for a living, in a college environment. People were often surprised that this work was not somehow already done by the publishing companies, but nope. My department did it all by hand, more or less. From scanning, to creating PDFs, to OCR text extraction, to formatting the files for JAWS, to making the corrections and image descriptions.

The thing is, college textbooks are so image heavy, compartmentalized, and splashed with text boxes on every page, with increasingly convoluted diagrams that sometimes take up multiple pages, I was basically *writing* half the textbook myself. Basically, you have to take an image like this diagram (which might be in a book, or part of a handout, or be embedded in an inaccessible online module, or part of a video lecture, or maybe it’s part of a powerpoint or slideshow):

and figure out how to describe every bit of pertinent information that is happening visually, decide in what order to present that information, and do it in a way that doesn’t make the student just decide to give up because holy crap, right??

And this part is *just* the textbook. I did this for all class materials, in all topics, in all formats, for every teacher, in every discipline: everything from astronomy, world history, American history, economics, biology, literature, art history, history of modern philosophy, poetry, and even a few things for extracurriculars and clubs.

And you know what? A lot of the time professors would seem to think they’re doing everyone some kind of favor by giving us the books and materials like, the DAY before class starts. Or, y’know, sometimes like a week AFTER.

There’s a reason I decided to become staff in Disability Services rather than a professor as I’d originally intended: I was a disabled student too, and I wanted to do my best to prevent others from having to fight like I had to fight. I started out with like 5 people working under me to get the stuff scanned and processed and I was doing the final corrections, formatting, and image/diagram descriptions; by the time it was nearing its end it was just me literally flopping books on a scanner with one hand and typing with my fingers and wrist with the other.

They eliminated my department like 2 years ago, and I got laid off. **there’s** your “commitment” to accessibility in higher education.

That’s how the sausage gets made, my friends... and in this case, how it doesn’t.
