The Market Ticker
Commentary on The Capital Markets- Category [Technology]

This is pretty ugly...

There's a new round of Stagefright vulnerabilities that allows attackers to execute malicious code on more than one billion phones running ancient as well as much more recent versions of Google's Android operating system.

Stagefright 2.0, as it's being dubbed by researchers from security firm Zimperium, is a set of two bugs that are triggered when processing specially designed MP3 audio or MP4 video files. The first flaw, which is found in the libutils library and is indexed as CVE-2015-6602, resides in every Android version since 1.0, which was released in 2008. The vulnerability can be exploited even on newer devices with beefed up defenses by exploiting a second vulnerability in libstagefright, a code library Android uses to process media files. Google still hasn't issued a CVE index number for this second bug.

Isn't that special?  We all thought this was fixed, right?

Guess not.

What really ought to bother people is that Google has a huge team of folks that are supposed to be involved in security -- and good coding practice.  They clearly are not doing a decent job of it, especially considering that this area of the system software was implicated in the previous Stagefright exploit.

You would think that the earlier discovery would have led to a full code audit of that entire part of the software.

Apparently, you'd be wrong.

But, as we all know, the only thing that matters to consumers these days is that they can run Snatchchat; whether some random jackass can steal everything on their device -- eh, that's no problem at all.


My complaint with the University System (in the general sense) goes back literal decades; during my time at MCSNet I blackballed degrees from a number of Universities, declaring that they had no value in my hiring decisions, as a result of certain departments within those schools "teaching" things that were, in my opinion, quite possible to falsify.

You can't defend teaching something that can be mathematically or scientifically falsified -- and this is doubly true when the university starts trying to arm-twist the government into turning speaking in a dissenting voice into a disqualifying characteristic for a job or even worse, a felony charge.

But now it gets better -- Ernst & Young in the UK has announced that it will remove degree requirements from its entry criteria, saying that there is no evidence that success in college correlates with achievement through life.

It's about damn time.

During my professional career some of the worst people, in terms of objective thought and willingness to be rigorous, particularly in computer-related fields, have been among advanced degree-holders.  At the same time some of the best people I've run into, in terms of ability to actually achieve, have been among those with no degree at all.

There are many possible reasons for this, but the reason doesn't matter.  For instance, it may be that those who are good may go to college for a short time, determine that they're learning nothing from their so-called "degree program" while spending a lot of money and being pushed around by people who know less than they do, and leave.  At the same time those who are marginal producers (or worse) may find that due to grade inflation and other factors (including, I might add, questionable at best "professors") they can "succeed" in college despite being poor in-field or worse, completely incompetent.

In my opinion this has gotten much worse over the last 30 or so years, with the most outrageous deterioration happening in the post-graduate world.  Simply put, we hand out advanced degrees because you made it through the program, but historically speaking the advanced degree is supposed to indicate that the person who received it is capable of, and has demonstrated, breaking new ground in the field.

This is broadly no longer true, even at the PhD level.

Speaking of which, in the computer field, I point to the mess we have when it comes to security.  Nearly every week a security advisory comes out that is simply a matter of non-engineering -- that is, buffer overflows and similar exploits.  This is literally first-few-semesters material in any computer science or computer engineering degree program, and yet this sort of exploit has been the genesis of virtually all of the security problems found in various operating systems and other software that runs with privileges -- from Apple, from Microsoft, from Google (e.g. Android), in Adobe's Flash and more.  Whether from laziness or rank incompetence, this is firm evidence that the so-called "degrees" granted by universities, which are nearly universally required to gain jobs at such firms, are worth an effective zero.

It's nice to see someone recognize it formally, however -- so my hat is off to E&Y in this regard.


This is really, really, fracking dumb.

Locked phones require a passcode. But there's a way to get around that. Just type in an insanely long password. That overloads the computer, which redirects you to the phone's home screen.

It's a time-consuming hack, but it's actually easy to pull off.

What is being described here is a basic buffer overflow.  You keep stuffing characters into a buffer that is of size "X", and since the programmer was stupid and didn't protect against you trying to stuff in more characters than there is space for, the buffer "overflows" and scribbles on whatever else is in the vicinity.

Some of these attacks require precision of a form, in that you "scribble" instructions which wind up on the stack, and then when the routine in question returns it executes your code instead of what the programmer intended.  That's one form of this, but it requires a fair bit of work to pull off because you have to craft your instructions to be correct and executable, and arrange for them to wind up in the right place.

This one is simpler; it crashes the program in question which then winds up unlocking the device (since the "lock" is really nothing more than a "captive" program that prevents other things from being used because it keeps "focus", that is, the ability to take input, for itself -- when it exits, voila!)

These sorts of vulnerabilities are stupid because protecting against them requires only that the programmer give a damn.  Further, if code was originally written to copy data around unsafely, it can quite easily be "retrofitted" to not do that by writing a small wrapper routine and then doing a batch-replace.  You then get to find all the serious screw-ups that fail to work after you've done that (and there likely will be a few.)
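A minimal C sketch of that retrofit, added here as an illustration and not taken from Android or from the article quoted above: `bounded_copy`, `check_passcode` and `PASSCODE_MAX` are hypothetical names, and the buffer size is an assumed value for "X".

```c
#include <stddef.h>
#include <string.h>

#define PASSCODE_MAX 16  /* assumed buffer size "X" for this sketch */

/* Bounded drop-in for strcpy(): copies src into dst only if the whole
 * string, NUL terminator included, fits in dstsize bytes.
 * Returns 0 on success, -1 on rejection; on rejection dst is left as an
 * empty string so callers never act on partial data. */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    const char *end;
    size_t len;

    if (dst == NULL || dstsize == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    end = memchr(src, '\0', dstsize);   /* look at most dstsize bytes ahead */
    if (end == NULL)
        return -1;                      /* too long: reject, do not truncate */
    len = (size_t)(end - src);
    memcpy(dst, src, len + 1);
    return 0;
}

/* BEFORE (the unbounded pattern described above), kept as a comment:
 *     char buf[PASSCODE_MAX];
 *     strcpy(buf, input);      // writes past buf when input is too long
 *
 * AFTER: the same call site once the batch-replace has been done.
 * Oversized input becomes a failed unlock attempt instead of memory
 * corruption or a crash of the lock screen. */
int check_passcode(const char *input, const char *expected)
{
    char buf[PASSCODE_MAX];

    if (bounded_copy(buf, sizeof buf, input) != 0)
        return 0;                       /* fail closed: stay locked */
    /* Comparison kept simple for the sketch; it is not constant-time. */
    return strcmp(buf, expected) == 0;
}
```

Call sites that start returning -1 after the replace are the "serious screw-ups" the retrofit is meant to surface: each one was relying on input that never fit the buffer.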

This is 2015 and for security-related software, or anything that runs in such a context, to have this vulnerability is utterly inexcusable.  But this sort of flaw points out exactly how little the firms involved care about auditing their code for such vulnerabilities.

What's probably worse is that the so-called "fix" described in that article was probably applied only to the particular case in question.  It's a near-certainty that nobody did a global replace of all such unbounded copies with calls to a routine that is bounded, which means there are probably more instances of this flaw in the code, as yet undiscovered.

That's not impressive, Google.


I like it.....

To most Twitter users, URL link shorteners are a convenient way to stuff more into a 140-character message. But a proposed class action lawsuit filed on Monday alleges that the social media service is using them in violation of the Electronic Communications Privacy Act and California's privacy law.

The complaint brought in federal court in San Francisco from Wilford Raney and others similarly situated is claiming that despite Twitter's assurances that users are allowed to "talk privately" among one another, "Twitter surreptitiously eavesdrops on its users' private Direct Message communications. As soon as a user sends a Direct Message, Twitter intercepts, reads, and, at times, even alters the message."

This suit takes the position that the "offering" of a private message system that in fact runs analytics on the shortened URLs (which inherently happens because the shortening "service" gets the click and then issues a redirect to the client's machine) effectively eavesdrops on the conversation.

The issue here is that the service generates something of value through inspection of your content, which Twitter represented that it wouldn't do (that is, the claim was made that your conversation is private) -- in this case the "thing of value" is advertising targeting that becomes more-applicable to you because your "private" conversation was viewed.

The counter-argument is likely to be some sort of "necessary to operate" defense -- which sounds awfully thin to me.

Do note that Google was attacked for the same thing -- reading your Gmail traffic and using what's contained in it for advertising purposes.  It would appear to me that the argument is not so much about these services reading the content as about falsely claiming that the content, in this case a "direct message" and in Gmail's case your email inbox, is "private."


The cell wars are escalating.....

With the new iPhone 6S/6S+ and carriers ditching their contract and subsidized phone models at pretty much the same time, Apple (correctly) appears to have observed that people won't be paying $650+ all at once, and the shock of hitting the credit card for that is going to dissuade a lot of buyers.

So the company has essentially entered the consumer financing business and now will offer "installment payments".

But -- you will still need to buy the cell service to go with it.

It'll be interesting to see how this works out.  T-Mobile, for its part, jumped on the game with their $20/month-for-18-months deal, but you don't own the handset when you're done -- you have to either turn it in or buy it out at the end of the term.

Will this be enough to continue the "illusion" of the $199 iPhone?  I don't think so -- but we shall see.



The Market Ticker content may be reproduced or excerpted online for non-commercial purposes provided full attribution is given and the original article source is linked to. Please contact Karl Denninger for reprint permission in other media or for commercial use.
