The Market Ticker
Commentary on The Capital Markets - Category [Technology]

Heh heh heh....

There may be much more advertising in apps than it seems. Thousands of mobile applications are secretly running ads that can't be seen by users, defrauding marketers and slowing down smartphones, according to a new report by Forensiq, a firm that tracks fraud in online advertising.

Bloomberg is onto something here.  I got scooped (partially) by this; I've been running a bit of a study here locally looking at exactly how badly you're getting hosed on your cell data -- that is, how much of the data you're paying for goes to delivering ads vs. the content you actually requested.

I noted some rather curious things during my testing with this; I'm not done with my story but do expect to finish it and report sometime in the next month or so; it's a bit of a process putting together the means to not only gather the logs (the easy part) but then breaking it down in a fashion that's both repeatable and defensible.

But -- the gist of the Bloomberg story is that some app publishers are generating code that loads ads you can't see.  This gets them paid for the impressions but you never saw the ad -- and what's worse is that you paid to get it delivered to your device too.

Now that's outright fraud (upon the advertiser) and it points out that the so-called "vetting" that is done by the various app stores is essentially worthless.  Then again anyone that expected otherwise is probably incredibly naive; how, other than an in-depth analysis, is someone supposed to "vet" an app before releasing it?  What I suspect is done is that known exploits are checked for in an automated process, and perhaps that the app loads and runs is tested -- but not much more.

Unfortunately that's nowhere near sufficient, as any sort of "zero-day" exploit unknown to the vendor (e.g. Google or Apple) won't trip their detection software nor will something like this as the ad "sources" are legitimate.

What caught these guys was the outrageously large amount of data grabbed -- far more than legitimate use would support.  Unfortunately a smaller, but still bogus, grab could easily be going on in a far more pervasive way -- and it would be very, very difficult for an advertising network to detect.
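An added example of the kind of traffic breakdown described above (it is not code from the original post or from Forensiq): it classifies constructed per-app proxy log lines into ad and content bytes, then flags apps whose ad volume or ad-fetch rate is far beyond what a user could plausibly have seen, the volume anomaly the report relied on. Host names, app ids, thresholds and the log format are all assumptions.

```python
"""Added example (not from the original post): split per-app traffic into ad vs.
content bytes and flag apps whose ad volume exceeds what a user could have seen."""
from dataclasses import dataclass

# Constructed ad-serving domains (placeholders, not real ad networks).
AD_SUFFIXES = ("adnet-example.net", "adsrv-example.com")

# Constructed log lines, "<seconds> <app_id> <host> <bytes>", as an assumed per-app accounting proxy might record them.
SAMPLE_LOG = """\
0 com.example.weather api.weather-example.org 24000
5 com.example.weather ads.adnet-example.net 3100
40 com.example.weather api.weather-example.org 30000
60 com.example.weather ads.adnet-example.net 2900
0 com.example.flashlight cdn.flashlight-example.org 2000
3 com.example.flashlight ads.adnet-example.net 4000
6 com.example.flashlight ads.adnet-example.net 4000
9 com.example.flashlight track.adsrv-example.com 4000
12 com.example.flashlight ads.adnet-example.net 4000
16 com.example.flashlight track.adsrv-example.com 4000
this line is malformed and must be skipped
"""

@dataclass
class AppStats:
    total_bytes: int = 0
    ad_bytes: int = 0
    ad_requests: int = 0
    first: float = 0.0  # earliest and latest timestamps seen for the app
    last: float = 0.0

def is_ad_host(host):
    # True if host is, or is a subdomain of, a listed ad-serving domain.
    return any(host == s or host.endswith("." + s) for s in AD_SUFFIXES)

def parse_log(text):
    # Yield (seconds, app, host, nbytes); malformed lines are dropped, not fatal.
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield float(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def summarize(text):
    # Aggregate bytes per app, separating ad traffic from content traffic.
    stats = {}
    for secs, app, host, nbytes in parse_log(text):
        s = stats.setdefault(app, AppStats(first=secs, last=secs))
        s.total_bytes += nbytes
        s.first, s.last = min(s.first, secs), max(s.last, secs)
        if is_ad_host(host):
            s.ad_bytes += nbytes
            s.ad_requests += 1
    return stats

def ad_fraction(s):
    # Share of an app's bytes that went to ad hosts (0.0 if it sent nothing).
    return s.ad_bytes / s.total_bytes if s.total_bytes else 0.0

def flag_hidden_ads(stats, max_fraction=0.5, max_req_per_min=6.0):
    # Mostly-ad traffic, or ad fetches faster than a person could view them, marks
    # a hidden-ad candidate. Thresholds are illustrative assumptions, not report values.
    flagged = []
    for app, s in stats.items():
        minutes = max((s.last - s.first) / 60.0, 1.0 / 60.0)
        if ad_fraction(s) > max_fraction or s.ad_requests / minutes > max_req_per_min:
            flagged.append(app)
    return sorted(flagged)
```

With the constructed log, the weather app (10% ad bytes, two ad fetches in a minute) passes while the flashlight app (over 90% ad bytes, five ad fetches in 16 seconds) is flagged.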


Note the company missing from these discussions thus far.....

Following news that iOS devices are at risk of spyware related to the Hacking Team, the saga continues into the Android sphere. We found that among the leaked files is the code for Hacking Team’s open-source malware suite RCSAndroid (Remote Control System Android), which was sold by the company as a tool for monitoring targets.

The RCSAndroid code can be considered one of the most professionally developed and sophisticated Android malware ever exposed. The leak of its code provides cybercriminals with a new weaponized resource for enhancing their surveillance operations.

These are extremely dangerous tools, and once one is on your device it is nearly impossible to know it's present.  Worse, they subvert virtually all of your so-called "good practices" (such as not using crappy 4-digit passwords) since they have direct access to the device's storage, where they can get at the passwords themselves for things such as your social media and email accounts.  Even if the remote site uses something like OATH that doesn't help, as that credential is on the device, is as good as a password, and can be stolen.

While the exploits in question here are targeted at pre-5.0 Android versions it is important to note that the discovered pieces are materially old -- to believe that there is no exploit available against the current Android versions you have to believe that the people responsible stopped working on it.  That's implausible, to be kind.

I have repeatedly said that it is just a matter of time before this sort of "tool" is used for some sort of extremely severe breach of security that impacts millions of consumers, particularly their financial or health data.  The reason is architectural; these devices are simply not built from the outset to be secure and never will be as the firms involved do not have that as the primary impetus in their corporate DNA.

When, not if, that breach happens -- and we now know that the tools to do it are in the wild and have been for some time -- it will bring back to the forefront that among "smart device" manufacturers there is exactly one choice if you don't want to be hacked, and the question will then be this: Is having the "snapchat" app important enough to you that you're ok with all your nudie snaps and bank account being raided by cybercriminals?

Only one company's devices will be left standing when the remains of the others have crumbled into ash on the back of this event.

by tickerguy



I warned about this quite some time ago.

I WAS DRIVING 70 mph on the edge of downtown St. Louis when the exploit began to take hold.

Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass.


Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.

That happened because the nice "remote access" features of the vehicle, including things such as "remote start" and so-called "telematics", are tied into the same CAN bus in the vehicle that controls life-critical functions such as the transmission, brakes and accelerator -- plus, in many modern cars, electric-assisted steering!

Wiring a computer into the OBD port and doing this while in the car is one thing -- that requires physical access. This is from a remote location -- literally anywhere.

WIRED has learned that senators Ed Markey and Richard Blumenthal plan to introduce an automotive security bill today to set new digital security standards for cars and trucks, first sparked when Markey took note of Miller and Valasek’s work in 2013.

That will do exactly nothing so long as it is considered "permissible" for life-safety critical functions to be on the same physical bus with anything that has connections to the outside world -- like the infotainment system.

All of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone. Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. And thanks to one vulnerable element, which Miller and Valasek won’t identify until their Black Hat talk, Uconnect’s cellular connection also lets anyone who knows the car’s IP address gain access from anywhere in the country. “From an attacker’s perspective, it’s a super nice vulnerability,” Miller says.

**** you Chrysler and everyone else doing this **** -- which is nearly all of the automakers.  Every one of these vehicles needs to be recalled now, and since there is no way to fix it (the problem stems from the physical sharing of the same data bus between life-safety and externally accessible devices) every one of them needs to be bought back at full retail price and crushed.

Yeah, that will kill all the companies that did this -- which is most of them.

This is why I don't have any of that crap in my 2015 Mazda.  It has three pedals, a manual transmission and no external connectivity at all.

That was not an accident, it was intentional on my part.

I'm going to laugh my ass off when the bad guys figure out a zero-day exploit -- and they will.  They will commandeer a million vehicles at once telling them to floor the accelerator, disable the brakes and (for those with electric assist steering, which is most nowadays) yank the wheel hard left.

When you die because you put convenience and your "Pandora" in front of basic security principles, and you do not demand that every one of these damn cars be recalled and crushed at the automakers' expense right damn now, I will simply put up this sign:



This self-serving piece of tripe from Pao is quite amusing, and underlies much of what passes for the Internet these days.

I have just endured one of the largest trolling attacks in history. And I have just been blessed with the most astonishing human responses to that attack.

What happened to me while head of the popular online forum Reddit for the past eight months is important to consider as we confront the ways in which the Internet is evolving. Here's why:

The Internet started as a bastion for free expression. It encouraged broad engagement and a diversity of ideas. Over time, however, that openness has enabled the harassment of people for their views, experiences, appearances or demographic backgrounds. Balancing free expression with privacy and the protection of participants has always been a challenge for open-content platforms on the Internet. But that balancing act is getting harder. The trolls are winning.

What a complete and utter load of nonsense.

First, Reddit has a rather, uh, unique "business model."  It "employs" unpaid volunteers to moderate its discussion forums; part of the reason people have been willing to do this for as long as they have is (1) the ego-stroke from being speshul and (2) the so-called "free expression" at Reddit.

But there is a severe problem with this sort of thing -- it horrifies real companies with real images they want to project and protect, such as Ford, Procter and Gamble, Heinz and others.  Simply put, your "dead baby" pictures (or whatever else you want to post) may well be protected expression under the First Amendment, but no part of the First Amendment gives you the right to demand that others pay to store, forward and transmit your trash.

On the other hand nobody forces any firm to not do so either.  Well, except for one problem -- those firms have to have some way of making money, and when you don't charge anything to use your site that inevitably means advertisers.

Reddit's board knew this when the firm was founded.  But they, like so many others in this space, thought they could have it both ways -- or at least they managed to con the userbase into believing it.

Then reality came to visit in the form of $50 million in venture funding last fall.  With it came outside people who wanted accountability for the $50 million smackers they put on the table, and none of those folks had any intention of taking risk by saying "oh yes, your attacks on fat people and dead baby pictures are what we believe in."

Now there are those who think that Pao was a defensive hire -- that is, she was brought in because she had sued her former firm for alleged sexual discrimination (even though she not only lost, she lost badly) and this would give the company some sort of "shield" against Social Justice Warriors.  It's a plausible theory too, but if it's true then it says some truly ugly things about Pao's intelligence and competence to be in the left seat anywhere.


That's not difficult: If you're competent to play at that level -- corporate management -- then you know damn well it's a shark tank where everything in there intends to eat you, you think before you act, you consider exactly why someone is hiring you (including doing your own diligence on the company involved) and you have a damn good idea of exactly what is going on -- and why.

Further, irrespective of your physical gender you have both an iron stomach and a set of balls.

If you can't identify with all of that you have no business sitting in the left seat.


This much is certain: Having failed on one or more of the above qualifications you sure as hell don't take to the press to whine that you got a "raw deal" and complain that the trolls are winning.

No, Ellen, the trolls are not winning.  They beat you because you were incompetent and Reddit tried to have it both ways.  You either didn't recognize why you were there at Reddit or didn't have the 'nads to stand up and take your assignment with full knowledge of both the funding model and history of the site, intending to take on all comers with your (business-style) street-sweeper.

I know more than a little bit about this.  Yes, I was in the Internet formation stage, with MCSNet.  But I took a stand nobody else would: None of the newsgroups that carried kiddie porn or obviously and blatantly pirated material were on my system. 

It was a pretty simple business decision from my point of view.  First, those areas constituted some 80% of the Usenet newsfeed at the time.  To handle them I had to buy system capacity five times what was required to handle the feed if I excluded those areas.  Further, since I was quite clearly expending a lot of resource for this specific purpose I was quite concerned about the potential of being tagged for (worst case) criminal liability for what was going on in there -- and it's damn hard to argue you're an innocent bystander who is unaware when one of the group names is ****, with plenty of others with similarly-incriminating labels.

This earned me the ire of a lot of people, including (no surprise) the ACLU.  In fact there was an "*******" key on all of the phones in our office, which all my agents were told to use if a customer, or potential customer, got irate at being told "no" to our providing him with his daily dose of way-over-the-line content.  It got used quite frequently and sent the caller straight into my office on a nice dedicated line key, so I had no reason to start the call by being nice as I knew the only reason they wound up on that line key is that they had already abused one of my employees.


Because that's my job as the CEO, that's why.  None of my employees were paid enough to put up with the abuse that these trolls dished out nor should they have to.  On the other hand, as the CEO and "the only guy there without a boss" if someone wanted to cuss me out I could choose to sit quietly, simply kill their account and hang up on them or cuss back and there was no appeal available -- I was the first and last word on what was going to be put up with.

That was my job as the CEO as it always is when you're in the left seat.  When you have that job you get paid to make the tough decisions and take the **** for them -- and, when necessary, to dish it out too.

Pao, instead of taking responsibility and having that key on her phone, being willing to dish it back and make no apologies for doing so, instead tried to dance around the issue.  Sorry, but nope -- when you are in charge you're in charge.  Period.  **** or get off the pot.

Reddit, for its part, is now trying to be too cute by half too.  It has now announced that instead of flatly removing the bawdy (and worse) areas it's going to "hide" them so you need to be signed in and you can't search that content any more (presumably signed in or not.)  This will (so they think) appease the money folks.

I don't think so.  I suspect what it will do, in the end, is enrage them, because it will do exactly nothing to prevent the advertising base from coming to the conclusion that the company is simply being two-faced rather than straight-up about who and what it is.

Wear your face -- your persona, if you will -- with pride Reddit.  Whatever it is.  If you made a bad deal with some VC folks then swallow hard, and if you choke or puke instead, so be it.  Nobody owes you a free lunch and there's sure as hell nobody out in cyberspace that owes you free labor.

As for Ellen, playing the victim card has already failed her twice.  Were I on a board her resume is one that would get round-filed and whizzed on immediately, for the simple reason that she has demonstrated an intolerance for heat -- yet in the kitchen it often gets hot, and I want a chef that not only tolerates but relishes the ingredients that go into his or her cooking.


Some of you know I have a little "football" machine here that does various internal things; it's sort of a "last resort" gateway that has to always be running.  Call it the watchman that watches everything else, if you will.

It's a bit long in the tooth; it's a 1.2 GHz Celeron-style computer in a metal case with a very old (4 GB) SSD drive -- ATA size.  You've probably never seen one, but yes, they made them: industrial strength and class, no moving parts (no fan required, in particular.)

I think it's a good dozen years old at this point and maybe more.  It uses an external 5A, 5V power supply -- one of those "bricks" you can buy.  I've gone through four or five of them over the years; they eventually start having problems with voltage regulation and the system has a hissy fit, crashing and generally getting nasty.

Well, in the last few months some other stability problems have cropped up with this thing.  It's just getting old, and I suspect the SSD is wearing out (it's far too old to have any sort of SMART capability, so it's incapable of telling me.)  But I can't realistically turn it off without replacing it, because I really do need a way into the network here if something goes wrong and I'm not physically present -- to have nothing would be unacceptably bad.

Of course I can always call the kid and ask her to play "remote hands" but I'm sure you can imagine how thrilled she is with that idea (NOT!)

Lying around in my drawer I have two Raspberry Pi computers that I bought to use as "proofs of concept" for a project.  One got turned into a very viable little media server running OpenELEC (which, incidentally, is the cat's ass on that little fanless wonder for the power it sucks out of the wall; it plays FLAC files flawlessly in digital glory to my family room AV receiver, among other things) and the other was still in its box.

So I grabbed it and did the unthinkable -- I tossed FreeBSD on it.

Yes, really.  On a little box the size of a pack of playing cards with a wee 700 MHz ARM v7 processor and 512MB of memory, booting and running from an SD card.  And not the old FreeBSD (that I used to run all the time in half a gig of RAM) either -- no, this is 10.2-PRERELEASE, the current codebase.  It's pretty scary really to look at it and see it tell you that out of that 512MB of memory, with the system running and compiling, there's over 350MB free!

As for power this little bastard draws one amp @ 5V (without anything else attached to it) and of course it's fanless, thank you very much!

The ARM distribution has no packages available so you get to build everything you need from ports, and it takes a long time to do that from source.  This is a very small (and slow!) computer, after all, and its biggest constraint is I/O bandwidth -- SD cards, no matter how "fast" they claim to be on the label, simply aren't fast compared with anything else.  Raspberry Pi has a newer model with 4x the processing speed and twice the memory, but I don't know that I'm going to buy the faster one, since operationally I don't need much in terms of power and the new one does have double the draw out of the wall while still being tied to a MicroSD for boot storage -- never mind that I'm sitting here compiling source code and it's still got more than half of its memory unused.

The other cute part is that a cheap USB Ethernet adapter plugs right in and works, so I have two ports -- the onboard and the external, both working just fine.

I wouldn't try to do anything particularly demanding with this, although for a couple of users on a VPN I bet the newer version would work just fine.  This one, no.  But as a watchman it absolutely does the job, it draws nearly zero power, and while I'm not quite done compiling everything for it, for under $50 with a 16 GB SD card it's flat-out unbeatable.  If you want a screen for it you can plug it into anything with an HDMI port -- like your TV, for instance.

There's another thing to consider too in this regard -- I've never seen anything boot so fast.  That project I bought these for got shelved primarily because I got real tired of the BS, as you know, with our government and all the corruption, and decided I simply wasn't going to do any business-creating things; this was originally supposed to be a proof of concept and then wind up either in a box with peripherals or have the code ported to a native ARM environment.

I still probably won't go ahead and sell said product but I might well build it just for ****s and grins.  That particular application has fast boot time as one of its primary requirements and what I'm seeing here is just flat-out unbelievable (try single-digit seconds from power-on to being fully up and operating, on for size.)

Did I mention it has HDMI on board too?

Give your kids a real computer for their first, not one of those crappy iFeminineProduct pieces of garbage.

Make it one of these.


Legal Disclaimer

The content on this site is provided without any warranty, express or implied. All opinions expressed on this site are those of the author and may contain errors or omissions.


The author may have a position in any company or security mentioned herein. Actions you undertake as a consequence of any analysis, opinion or advertisement on this site are your sole responsibility.

Market charts, when present, used with permission of TD Ameritrade/ThinkOrSwim Inc. Neither TD Ameritrade or ThinkOrSwim have reviewed, approved or disapproved any content herein.

The Market Ticker content may be reproduced or excerpted online for non-commercial purposes provided full attribution is given and the original article source is linked to. Please contact Karl Denninger for reprint permission in other media or for commercial use.

Submissions or tips on matters of economic or political interest may be sent "over the transom" to The Editor at any time. To be considered for publication your submission must include full and correct contact information and be related to an economic or political matter of the day. All submissions become the property of The Market Ticker.