The Market Ticker
Commentary on The Capital Markets

Time for this one...


I've known this for quite a while, and in fact alluded (in an oblique way) to the risk when I wrote on 10/4/2013 about Android apps and the permission screen -- and how Android intentionally hides certain very dangerous security permissions on a secondary screen when asking if it's ok to install something.

Now that the nasty is out in the open there's no reason to mince my words any more.

The majority of devices running Google's Android operating system are susceptible to hacks that allow malicious apps to bypass a key security sandbox so they can steal user credentials, read e-mail, and access payment histories and other sensitive data, researchers have warned.

Not the majority.  Basically all.

All Android apps have to be "signed" with a cryptographic key.  That's good.  I have one that I self-generated and use for testing and development purposes.

The problem comes with the fact that Android has a (relatively short) list of "super signatures" that allow access to places you should not be able to go.  Those signatures are there for what could be argued are legitimate purposes, such as an MDM component that needs to be able to run around your system with effective impunity.

Think of it as a "SUID" bit of sorts -- there are certain applications that have "super user" capability even on a non-rooted device, and when they use it you're not prompted.  This is different than when you root your device; in that case you can tell your phone to warn you that privilege escalation is being requested and give you the option to say "No!"

This particular back-door privilege escalation is of the same sort as Apple's iOS one, in that it doesn't require you to grant permission for it.  Adobe Flash uses it as a means to shim itself into an app so you can display Flash content, but it never has to ask you if this is ok first -- it's given the permission by virtue of what the app is.

That's very dangerous -- if there's a bug in that application your data can be left at risk.

In this case what Google did, however, is much worse: Android fails to verify that the cryptographic signature that claims to be for one of those trusted apps really came from the actual legitimate source of said application.

How would you know this, in general, if it was being done correctly?  Each of these "real" apps with this set of super privilege has a certificate signed by a certifying authority.  Just as your driver license has certain validating components to it, such as a holographic picture embedded in it, a cryptographic signature has validation features in it as well.

If you go to tickerforum.org via https, you see the little lock.  If you click that lock and then drill down you will see a certification path down to that certificate; each of the certificates up the chain has signed the one under it.  So long as all of those signatures are good the certificate claiming that I am "tickerforum.org" is known (as long as the cryptography is not compromised) to be valid.

This assumes you actually check the chain all the way back up to the root in the certificate store, and Android does not!

What that allows me to do is present a trivial forgery of any application, and since certain app names and sources are "white listed" and automatically allow that app super permissions, if you are tricked into installing one of those with a forged certificate you're ****ed.
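A simplified model of the chain check described above, added here as an illustration; it is not Android's code or anything from the original post. The certificate layout, the toy RSA keys and names such as TrustedVendor are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by every toy key below

def make_key(p, q):
    """Toy textbook-RSA key from two known primes. Illustration only, not secure."""
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))  # (public modulus, private exponent)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

@dataclass
class Cert:
    subject: str
    issuer: str
    public_n: int
    signature: int = 0

    def tbs(self):
        # The bytes the issuer signs: everything except the signature itself.
        return f"{self.subject}|{self.issuer}|{self.public_n}".encode()

def issue(subject, subject_n, issuer, signing_key):
    """Create a cert that names `issuer` and is signed with `signing_key`."""
    n, d = signing_key
    cert = Cert(subject, issuer, subject_n)
    cert.signature = pow(digest(cert.tbs(), n), d, n)
    return cert

def signed_by(cert, issuer_n):
    return pow(cert.signature, E, issuer_n) == digest(cert.tbs(), issuer_n)

def accept_name_only(chain, pinned):
    """Flawed: links certificates by issuer/subject text, never checks a signature."""
    if not chain:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    top = chain[-1]
    return pinned.get(top.subject) == top.public_n

def accept_verified(chain, pinned):
    """Correct: every link must carry a valid signature from the cert above it."""
    if not chain:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject or not signed_by(child, parent.public_n):
            return False
    top = chain[-1]
    return pinned.get(top.subject) == top.public_n and signed_by(top, top.public_n)

def build_samples():
    # Constructed sample data; every name here is hypothetical.
    vendor_key = make_key(2**107 - 1, 2**127 - 1)  # holder of the privileged identity
    plugin_key = make_key(2**89 - 1, 2**107 - 1)   # the vendor's real app
    other_key = make_key(2**61 - 1, 2**89 - 1)     # unrelated self-generated key
    vendor_cert = issue("TrustedVendor", vendor_key[0], "TrustedVendor", vendor_key)
    pinned = {"TrustedVendor": vendor_key[0]}
    genuine = [issue("vendor.plugin", plugin_key[0], "TrustedVendor", vendor_key),
               vendor_cert]
    # This leaf only *claims* TrustedVendor as its issuer; it is signed with the
    # unrelated key. The vendor certificate is public, so a copy can be attached.
    forged = [issue("lookalike.app", other_key[0], "TrustedVendor", other_key),
              vendor_cert]
    return pinned, genuine, forged

if __name__ == "__main__":
    pinned, genuine, forged = build_samples()
    for label, chain in (("genuine", genuine), ("forged", forged)):
        print(label, "name-only:", accept_name_only(chain, pinned),
              "verified:", accept_verified(chain, pinned))
```

Both checks accept the genuine chain; only the one that verifies each signature rejects the chain whose leaf merely names the trusted issuer.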

How do you get tricked into installing it?  Google Play has historically been full of fake apps!  For example, when BBM was being introduced for Android there were dozens of fake BBM applications released on Google Play.  What was in them?  I don't know exactly, but that they were fakes was easily determined -- if you looked.  Yes, Google claims to be looking for such forgeries -- but if they are, and are detecting them before they allow them to be accessed by the public, how did all the fake BBM apps wind up in the Play Store?  Google could check certificate validation (and might) in the Play Store before releasing an app, but given their clear and very publicly-discernible record with the fake BBM apps.....

In short I don't believe Google's claims in regard to their curation of apps prior to their visibility to the world.

So what happens if you install one of these trojan horses, either through an "App Store" or otherwise?

Your phone's security is instantly and permanently compromised.  Once installed the app can rename and hide itself, preventing you from removing it.  Worse, it's entirely possible for an application that is running with elevated permissions of this sort to remount your root partition on the phone read/write and then insert itself into the NVRAM of the device.

For most Android devices this means that the malware will survive even if you hard reset the phone in the future because Android, in general, does not keep a separate copy of the original firmware from which it can reload itself -- a hard reset simply formats the data partition.  Anything that manages to get into the system partition stays and will remain active, even across a hard reset!  The only way to get rid of the spyware if you get bit by this is to use something like ODIN (if your device is a Samsung) to re-flash the entire device from scratch -- which is not software that a user typically has access to.

There is one defense against this sort of persistent risk available -- the base load can be engineered to have zero free space (in which case you can't write anything more into there as there's no room for it.)  There are a few stock device loads I'm aware of that are built this way -- but not many.

If you get bit by this, and your device's load isn't protected against this risk, it takes only seconds for a rogue app to permanently destroy your device's security.

I think you can understand why I didn't let loose everything I discovered at the time I started talking about this.... but now that it's in the open, well.....


There's an interesting op-ed on Fox News...

I ask all Americans to picture the following scenario:

Al Qaeda builds cells in Mexico and takes control of the Coahuila region which borders Texas. The United States closes border crossings to prevent Al Qaeda from its stated goal: smuggling weapons to use to destroy America. Significant international pressure mounts to re-open the border crossings and the United States permits humanitarian aid to pass through while looking out for any terror-related materials. America monitors the Gulf of Mexico to insure that weapons would not arrive in Coahuila via the sea.

Despite these efforts, weapons flow from Guatemala to Mexico, enabling the terrorists to send them to Coahuila with ease. U.S. intelligence is aware of the stockpiles of missiles in Coahuila, but the missiles are stored in very dense residential areas and any attempt to destroy them could lead to significant civilian casualties. The citizens along the southern border of Texas are advised that a threat exists and are given instructions in case of an attack. But all assumptions were that Al Qaeda would not have the nerve to attack.

And then it happens. A missile is shot from Piedras Negras, Mexico, to Eagle Pass, Texas.  The 5-mile distance means that the 30,000 residents of Eagle Pass have only seconds to find shelter. Air raid sirens blare at 8:00 a.m. as the children in the 15 Eagle Pass elementary schools, two junior high schools, and two high schools are riding their bikes and walking into their school buildings.

Sound scary?

Welcome to Israel.

But "Al Qaeda" is "Hamas," "Coahuila" is "Gaza," and "Eagle Pass" is the Israeli town of "Sderot."

Given the deep commitment of the American government to the security of its citizens, America would, no doubt, react with force. The residents of Piedras Negras would be warned to evacuate and the U.S.  Air Force would fire at any area possibly housing the missiles and their launchers. And I have no doubt that the U.S.  would go after other potential threats, including  the stockpile of missiles in Ciudad Acuna, which threatens Del Rio, Texas, a mere 6 miles away.  This would be done despite the fact that the terrorists surround their missiles with innocent women and children as human shields. 

Oh really?

We'd bomb Mexico and then invade?

Really?

I think you give us too much credit.

You see, it was about 13 years ago that a bunch of Saudi-linked people came into this country under false pretense.  They then hijacked a number of airliners and used them as bombs, murdering 3,000 Americans, most of them innocent civilians.

To this day the US Government has blacked out and considered classified what is known about where they came from and who funded them.  We know good and damn well exactly what happened and who was behind it, including how that attack was funded and who assisted with the logistics, but the report on that act of terror redacted those portions and to this day, more than 10 years later, we not only haven't taken retributive action for that act of war (not terrorism) against the responsible parties (an act far greater than Hamas has inflicted on Israel!) we haven't even taken economic action against the responsible nation-state either!

So before you tell us that we should hold Israel to the "same" standard you might want to consider exactly how pussified this nation has become, and what this nation's people tolerate -- because under that standard Israel gets no quarter for what they're doing at all.  You see, our standard, as defined by what happened on 9/11 and then what didn't happen to the people to whom that attack was conclusively linked is rather different than the scenario you laid out in your OpEd.

I didn't say I agreed with that inaction and intentional obfuscation by our government, by the way. I was pretty damn sure where the trail led after 9/11 in short order and my view of the best and proper response was and is pretty much the same as yours: "Drop that ****er -- twice." (credit Crimson Tide)

Incidentally that nation (Mexico) you named in your scenario?  It has sent somewhere around 11 million illegal invaders into our nation and we not only refuse to deport them we also haven't acted against that country -- indeed, we have allowed our corporations to offshore operations there and granted them special trade status in exchange for their citizens illegally invading our land!

And no, I don't support that either.

But I'm in the tiny minority in this nation among our people, and the proof thereof is that neither Democrat nor Republican administration has been forced to release said documentation or do anything about the source of those attacks 13 years after the fact.  Indeed, we still sell them weapons!

You're barking up the wrong tree dude; what we once had in this country with regard to our view of acts of war against our nation and her people on December 7th, 1941 is no longer here, and those who claim otherwise (such as that Boehner) are lying sacks of crap.  

Trust them at your risk -- I sure as hell don't and I live here, not there!


There has been much strum and furor over the proliferation of "tax inversion" strategies undertaken by corporations in the last few months.

Broadly, a tax inversion is a transaction where a US and foreign corporation "merge", with the US corporation taking a loan from the foreign unit.  This effectively shifts the income to the foreign nation since interest is tax deductible in the United States (and taxable as income in the other country), but since the firms are in fact one (the foreign one having merged with the US one) the result is to preference where taxes are paid.

The screaming coming from Jackoff Lew of Treasury on these is amusing but not surprising, nor is the fact that the complaints from the government are at their core dishonest.

The real problem is a fundamental distortion that the United States government adopted a long time ago on purpose to preference uneconomic actions for the purpose of goosing systemic leverage. 

As I have repeatedly pointed out over the last seven-plus years the fundamental economic outcomes we experience can be viewed through the lens of a few charts quite succinctly -- and accurately.

First, total systemic debt from all sources:

Note the rise in this debt -- from about $5 trillion in 1980 to nearly $60 trillion today, while GDP went from $2.8 trillion to ~$17 trillion.

In other words, debt increased about 13x over 30 years while GDP increased 6x.

Since all money in modern systems is in fact debt this means that purchasing power, adjusted for economic output, fell by 50%.  This tells you on an irrefutable basis that roughly half of all the debt taken on during that period was uneconomic -- that is, absent some sort of distortion or stupidity by the person doing so, it wouldn't have happened.

What has our government done?  It has taken on a huge amount of uneconomic debt itself -- there is $12.57 trillion worth outstanding now (not including intergovernmental debt such as Social Security and Medicare) as opposed to $660 billion in 1980, an expansion of 52.5 times, or 4x that of the economy as a whole!

This is the direct cause of the destruction of the middle and lower class income in this country as it is a direct devaluation of purchasing power, intentionally undertaken.  It is not The Fed that did this, it is Congress and the Executive!

And how do we know this is the result?  Because we can easily look at the delta in GDP and that in debt:

Since every dollar of debt taken on is immediately spent, to find the actual GDP produced absent this uneconomic activity you must subtract the delta in debt back out of the gross GDP delta.  When you do so you find that we've been digging a bigger and bigger hole on an essentially continual basis since 1980!

Then, to add to the insult of the Federal Government's own conduct they have also provided incentives for others to also engage in uneconomic transactions through the tax code by allowing the expensing of interest against revenues!

That's nuts; the only reason to borrow is when the expected benefit of doing so (e.g. by expanding your plant, equipment and personnel) exceeds the cost of the money including the interest.  By making the interest top-line deductible you remove the return on investment consideration entirely from the calculation!

Well Jackoff Lew and Maobama, what the hell do you expect people to do when you diddle the damned tax code so as to provide incentives for uneconomic behavior, whether that be through a "mortgage interest" deduction or one for corporate spending funded by debt?

There is nothing illegal or wrong about a company or person who structures their finances around the intentional acts that the government provides incentives for!

If you want to stop "inversions" then remove interest as a deduction, top-line or otherwise, across the board from the tax code.  If someone is going to borrow, no matter whether it is a person or business, they should only do so if the economic benefits of the transaction, including the interest expenses, exceed the costs.

Of course if this change was to be made then the entire pyramid of pulled-forward asset prices and consumption would instantly collapse, as would the so-called "GDP" funded by this stupidity.  That is, of course, the argument against doing so.

The problem with that argument is that as I have also repeatedly pointed out due to the nature of compounding you must borrow at an exponentially-increasing rate to keep up said uneconomic transaction streams over time, and there is no such thing as an exponentially-increasing series that can continue indefinitely on a planet of finite size and mass.


I chuckled when I read this over the weekend...

You can now nab a 30-year fixed mortgage for under 4%. That’s the second week in a row, by the way, that rates have been so low. As of this writing, the numbers tick slightly, but the range remains remarkably low – 3.96% to 4.08%. In either extreme, extremely weird, and stunning when you consider we are supposedly in the latter stage of a recovery.

Usually at this point in an economic turnaround, things are rocking, and interest rates are jumping. But we all know the economy isn’t rocking. And as a result, interest rates are not jumping. What’s weird is those rates are dropping, which usually presages something bad happening.

Then again, this hasn’t been your father’s recovery, has it? Even with absurdly-low interest rates for what’s been years now, it’s hard to make the case they’ve triggered any kind of housing boom. Sales of new single-family homes fell 4.9% through the first six months of the year. They were down 8.1% in June. So let’s just say the trend is not the housing industry’s friend.

Neil goes on to moan about people being "tentative" or even "skeptical" about buying a house, but offers no answers for the reason we're seeing what is happening.

That's because he is either deluded or intentionally refusing to talk about the facts -- although he does dance awfully close to the truth with his last sentence:

None of this means housing still isn’t a compelling investment, but when real estate trendsetter Zillow estimates some home values may take another few years to reach their pre-meltdown peak…it’s enough to make you…puke.

Really Neil?

How did we get those so-called values that render getting "back there" in a "few years" something that's puke-worthy?

It was all fraud -- and in fact had been for the last 30 years in one form or another.

That's the dirty secret.

How does housing go up in "value" without median family income also rising?  It cannot, except through two mechanisms -- ever-falling rates and fraud.

That is, loans that are not really loans -- they're speculative leverage vehicles where the only rational expectation for ability to pay is the ever-decreasing rate of interest and/or ever-looser standards for said loans, so you can roll it over into a new loan with a higher alleged "value" for your house.

What is a 2/28 or 3/27 other than this?  There was never an expectation that the alleged "borrower" could pay at the 28 or 27 rate.  The 2 (or 3) rate was "affordable", but this was nothing more than a gambling vehicle, with the gamble being that you could come back and refinance before the 2 or 3 year period expired.

The "benefit" to such a gamble is that each such refinance generates more closing fees and costs, stealing money from you and putting it in the banksters' pockets.  The problem with such a gamble is that first it effectively extends forever the time in which you have an essential zero in equity in your home (in other words you're renting it for the price of the monthly payment) and the roll-over risk is yours; if you cannot roll the loan at an acceptable price when the time comes, since you can't afford the fully-amortized payment you lose the house and have nothing.

Incidentally, that same scheme was a huge part of the reason The Depression was so damaging -- the exact same game was played with balloon mortgages in the 1920s and Fannie Mae was created as a specific response to it.  Unfortunately like nearly all government "intervention" that simply substituted one fraud for another and vectored the benefit of same toward a politically-favored few while shrouding the scam in a legal protection racket.

At the core the entire housing market over the last 30 years has been a gigantic leverage machine, predicated on the fact that everyone buys a payment, not a house.  That in turn means that the secular, 30 year trend toward lower rates as shown here has created a false belief of home price "appreciation" that has become ingrained into the national psyche, along with the pronouncements of people like Neil and, of course, the NAR.

Unfortunately that which is false always eventually percolates to the surface, and the truth becomes known.  The simple fact of the matter is that housing is not an investment, it is a depreciating and relentlessly taxed capital asset that one factually rents forever, and one only does that because it is cheaper than renting and the buyer has the personal and financial stability necessary to make the transaction costs rational (meaning, you're going to be there for a good long time.)

We've spent more than 30 years destroying that second premise along with the interest-rate distortions.  The relentless drive to offshore labor, to sell worthless degrees and lard up educational costs to the point that the marginal value of college has been siphoned off to a large degree by banks and universities and the biggest con game of all -- federal deficit spending -- has eviscerated what's necessary for home purchases to make sense for most Americans.

Many people like to blame The Fed but in fact it is Congress and The Executive that are responsible for the destruction of purchasing power that has occurred -- all of it.  It is Congress that allows banks to lie about how they operate; the common chestnut of banks taking in and then lending out deposits is a factual lie and everyone in the industry knows it.  Instead the banks literally print money and then when those funds are spent and deposited by a merchant the "reserve requirement" (such as it is) is met ex-post facto, which is in fact fraud -- never mind the various dodges to avoid even that tiny constraint on bank leverage.

The Fed, government and media have spent most of the last 5 years trying to convince people that fraud is good instead of bad, and that they should jump back into a game that marks them as losers.  So far it's not working out very well -- while there are those who are going for it, enough thus far are simply saying "No!"

It's about damn time.

PS: Those buildings Neil used in his image at the top?  They're not houses -- those are hotels in the game Monopoly.  It would figure that a limousine rider like Neil wouldn't know that, as he has never stooped so low as to play an actual board game.


Hmmm.....

A switch in health care saves Oklahoma County hundreds of thousands of dollars and could be millions by the end of the year, but those on the other end of the switch claim there's more than meets the eye.

Charts show patients cost savings on a variety of surgeries. Each one with a difference of several thousands of dollars.

The reason? A switch to self-funded healthcare coverage.

Dr. Keith Smith makes sure, from first glance, you know his Surgery Center of Oklahoma loves the free market.

"It seems like every industry but health care has free market discipline has to endure," said Dr. Smith. "Competition is a healthy thing."

What does the other side (the hospital folks) say?

"It's creating less costly care, which is good for the consumer, but it's making the hospital setting even more costly, because what you're leaving the hospital with are sicker patients and more complex patients," President of the Oklahoma Hospital Association, Craig Jones, said.

So let me see if I get this right.

Mr. Jones appears to have made an admission -- his association members have been cost-shifting onto the backs of people coming into the hospital with "less sick" and "less complex" situations.

That is, by virtue of intentional obfuscation of the price of a procedure up front you are effectively forced to pay for someone else's procedure in whole or part.

Now here's the problem with that: It's broadly illegal to conspire to do that in other industries.

For instance, a car repair shop cannot fail to give you a binding estimate, within a reasonable tolerance (say, 10%) of the cost of a procedure before they start work.  In fact, consumer protection laws force them to do so.  Were said garage to intentionally try to cost-shift an engine replacement onto the backs of those who just need their oil changed by refusing to tell us up front how much the oil change would cost, then surprising us with a huge bill, we would call that fraud, because it would be.

Indeed, that sort of practice -- getting a car up on the rack with a vague promise of it being "reasonable" to fix and then presenting the owner with a huge bill that must be paid to get the car back -- used to be common in the car repair business.

Laws were passed to prohibit this practice because it was (properly) seen as outrageously abusive to consumers who lack enough knowledge to be able to detect this sort of deception and effectively deal with it.

So why does the medical profession get away with this, given that Craig Jones, President of the state's Hospital Association, appears to have just admitted to the very same practice?

Oh, just for reference, the Surgery Center of Oklahoma's pricing is approximately one fifth of that of many hospitals' "Chargemaster" rates for the same procedure.  We are not talking about a 10 or 20% difference here, we are talking about 10 or 20% of the price.

Note that most people have a roughly 20% co-insurance and deductible combination on their so-called "health insurance."

If this crap were to be stopped you wouldn't need so-called "health insurance" as you would pay approximately the same price for the entire procedure as you now pay in "co-insurance" and "deductible", which means you are effectively paying an "insurance premium" for no reason other than to enable this practice by the hospitals and insurance companies.

Legal Disclaimer

The content on this site is provided without any warranty, express or implied. All opinions expressed on this site are those of the author and may contain errors or omissions.

NO MATERIAL HERE CONSTITUTES "INVESTMENT ADVICE" NOR IS IT A RECOMMENDATION TO BUY OR SELL ANY FINANCIAL INSTRUMENT, INCLUDING BUT NOT LIMITED TO STOCKS, OPTIONS, BONDS OR FUTURES.

The author may have a position in any company or security mentioned herein. Actions you undertake as a consequence of any analysis, opinion or advertisement on this site are your sole responsibility.

Market charts, when present, used with permission of TD Ameritrade/ThinkOrSwim Inc. Neither TD Ameritrade or ThinkOrSwim have reviewed, approved or disapproved any content herein.

The Market Ticker content may be reproduced or excerpted online for non-commercial purposes provided full attribution is given and the original article source is linked to. Please contact Karl Denninger for reprint permission in other media or for commercial use.

Submissions or tips on matters of economic or political interest may be sent "over the transom" to The Editor at any time. To be considered for publication your submission must include full and correct contact information and be related to an economic or political matter of the day. All submissions become the property of The Market Ticker.