The Market Ticker
Commentary on The Capital Markets- Category [Technology]
2015-02-20 08:48 by Karl Denninger
in Technology , 410 references

I think this is a bit more than "messed up":

(Bloomberg) -- Lenovo Group Ltd. said it’s working on a tool that will let laptop owners remove software that was pre-installed on the computers and potentially exposed users to hacking attacks and unauthorized activity monitoring.

The software itself is called Superfish.

Note that the company apparently is in both the United States and Israel -- and is backed by venture capital.

This means that it is subject to US anti-hacking and privacy laws -- including the wiretapping statute.

For extra credit, please explain how what this software does evades the prohibition on wiretapping: without the user's prior affirmative consent it intercepts data the user intends to keep private (evidenced by the use of "https") and then uses that data.

That they do so by tampering with SSL certificates just adds to the insult. Superfish installs its own root certificate into the system trust store and then forges a certificate for every HTTPS site the browser visits, so the padlock still shows even though the connection is being decrypted on the laptop. Worse, the same root private key shipped on every affected machine, so anyone who extracts it can impersonate any site to those users.

Wiretapping, I note, is a federal offense and the fact that the company claims it is only to deliver "ads" is immaterial; the statute only requires that you "use" the data intercepted for a purpose to your benefit (making money by displaying ads certainly falls within that definition) and that the data flowed across a state line, for there to be a violation.
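The practical check a user or administrator wants here is whether an interception root is sitting in the trust store at all. The script below is an added example, not code from The Market Ticker, Lenovo or Superfish; it uses only the Python standard library, whose `ssl.SSLContext.get_ca_certs()` returns the roots Python trusts (on Windows, loaded from the same system store Superfish polluted). The names in `SUSPECT_NAMES` and the sample certificate records are assumptions constructed for illustration; the serial numbers are made up.

```python
"""Scan the local CA trust store for an interception root such as Superfish's."""
import ssl

# Root CA names whose presence in the trust store should raise an eyebrow.
# "Superfish" matches the root the Lenovo adware installed; the rest are
# placeholders for whatever interception products you track (assumption).
SUSPECT_NAMES = ("Superfish", "Komodia", "PrivDog")


def subject_cn(cert):
    """Return the commonName from a cert dict in the shape get_ca_certs() returns."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def is_self_signed(cert):
    """A root issues itself: subject equal to issuer."""
    return cert.get("subject") == cert.get("issuer")


def find_suspect_roots(certs, suspects=SUSPECT_NAMES):
    """Return (commonName, serialNumber, self_signed) for every matching trusted cert."""
    hits = []
    for cert in certs:
        cn = subject_cn(cert)
        if any(s.lower() in cn.lower() for s in suspects):
            hits.append((cn, cert.get("serialNumber", ""), is_self_signed(cert)))
    return hits


def trusted_roots():
    """Load the platform's default trust store and return its CA records."""
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs()


# Constructed sample records in the same shape ssl returns (serials are made up).
SAMPLE_STORE = [
    {"subject": ((("countryName", "US"),), (("organizationName", "Example CA Ltd"),),
                 (("commonName", "Example Global Root"),)),
     "issuer": ((("countryName", "US"),), (("organizationName", "Example CA Ltd"),),
                (("commonName", "Example Global Root"),)),
     "serialNumber": "01"},
    {"subject": ((("countryName", "US"),), (("organizationName", "Superfish, Inc."),),
                 (("commonName", "Superfish, Inc."),)),
     "issuer": ((("countryName", "US"),), (("organizationName", "Superfish, Inc."),),
                (("commonName", "Superfish, Inc."),)),
     "serialNumber": "02"},
]

if __name__ == "__main__":
    for cn, serial, self_signed in find_suspect_roots(trusted_roots()):
        print("suspect trusted root:", cn, "serial", serial, "self-signed" if self_signed else "")
```

Run it as-is to scan the machine you are on; the sample store exists only so the logic can be exercised offline. On Windows the equivalent one-liner is `Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like "*Superfish*"` in PowerShell, and removing the root is only half the cleanup, since the proxy software that installed it will put it back until it is uninstalled too.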


2015-02-19 06:15 by Karl Denninger
in Technology , 420 references

Read it and weep, folks.... then get that crap out of your house.

Or business.

And now we have the Internet of Things (IoT). If we continued in this trend we'd have a new space that ignores the security lessons from mobile, but it's actually much worse than that.

The Internet of Things is worse than just a new insecure space: it's a Frankenbeast of technology that links network, application, mobile, and cloud technologies together into a single ecosystem, and it unfortunately seems to be taking on the worst security characteristics of each.

Every device they tested was insecure.  Some were not only insecure but let tampered firmware be uploaded back to the vendor's server it came from, and thus could cause other people's devices to be compromised.


PS: I hate it when I'm right.

PPS: When will you insist that when you're sold something with this sort of blatant security problem that the company that sold it to you be held fully responsible for all harm done -- including the time and hassle to correct the problem or replace the device?


This is not good folks.

Multiple integer overflows in the GraphicBuffer::unflatten function in platform/frameworks/native/libs/ui/GraphicBuffer.cpp in Android through 5.0 allow attackers to gain privileges or cause a denial of service (memory corruption) via vectors that trigger a large number of (1) file descriptors or (2) integer values.

That is extremely nasty, if it proves out.

Note that GraphicBuffer::unflatten parses data that arrives over Binder IPC from another process, so any untrusted app that can hand a graphic buffer to a privileged service can reach this bug.  On its own it is a local privilege escalation rather than a remote exploit, but anything that already has code running on the device (a malicious app, or a remote exploit of some other component) can use it to break out, and it potentially bypasses device management software as well.

It looks to have been fixed as well: there is a commit that, from its description, adds the missing bounds check.  However, the fix only reaches devices running a very recent build of Android, and that is a tiny piece of the installed base.
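To see why a "large number of integer values" turns a size check into an out-of-bounds read, here is a small model of the flaw. This is an added example, not the Android source: it keeps only the shape of the bug. A flattened buffer begins with a fixed header of ints that includes the counts numFds and numInts; the parser multiplies a count by sizeof(int) to decide whether the received buffer is big enough, and on a 32-bit size_t that product wraps, so a huge count sails through the check and the copy that follows reads far past what was actually received. The header layout (10 ints, counts at indexes 8 and 9), the 32-bit width, the magic value and the exact form of the hardened check are my assumptions for illustration.

```python
"""Model of the integer-overflow pattern in a GraphicBuffer::unflatten-style parser."""
import struct

INT = 4                  # sizeof(int)
HEADER_INTS = 10         # ints in the fixed header of this model (assumption)
MASK32 = 0xFFFFFFFF      # size_t arithmetic on a 32-bit build wraps here
MAGIC = 0x47424652       # assumption: an arbitrary 'GBFR'-style tag


def flattened(num_fds, num_ints, payload_ints=()):
    """Build a flattened buffer carrying the given counts (constructed test input)."""
    header = [MAGIC, 0, 0, 0, 0, 0, 0, 0, num_fds, num_ints]
    return struct.pack("<10I", *header) + struct.pack(f"<{len(payload_ints)}I", *payload_ints)


def parse_header(buf):
    """Return (num_fds, num_ints) from the header; raise if even that is missing."""
    if len(buf) < HEADER_INTS * INT:
        raise ValueError("short header")
    fields = struct.unpack("<10I", buf[:HEADER_INTS * INT])
    if fields[0] != MAGIC:
        raise ValueError("bad magic")
    return fields[8], fields[9]


def _copy_outcome(buf, num_ints):
    """Report how far past the end a memcpy of num_ints ints from the payload would read."""
    available = len(buf) - HEADER_INTS * INT
    overread = num_ints * INT - available
    return "OK" if overread <= 0 else f"OVERREAD:{overread}"


def unflatten_vulnerable(buf, fd_count):
    """Size check done in wrapping 32-bit arithmetic: this is the bug."""
    num_fds, num_ints = parse_header(buf)
    size_needed = ((HEADER_INTS + num_ints) * INT) & MASK32   # can wrap to a tiny number
    if len(buf) < size_needed:
        return "NO_MEMORY"
    if fd_count < num_fds:
        return "NO_MEMORY"
    # (a huge numFds overflows the same way when the handle holding both is allocated)
    return _copy_outcome(buf, num_ints)


def unflatten_fixed(buf, fd_count):
    """Reject counts that could overflow before doing any multiplication."""
    num_fds, num_ints = parse_header(buf)
    max_number = MASK32 // INT
    if num_fds >= max_number or num_ints >= max_number - HEADER_INTS:
        return "BAD_VALUE"
    size_needed = (HEADER_INTS + num_ints) * INT              # now provably below MASK32
    if len(buf) < size_needed:
        return "NO_MEMORY"
    if fd_count < num_fds:
        return "NO_MEMORY"
    return _copy_outcome(buf, num_ints)


# Constructed inputs: a well-formed buffer, and one whose numInts wraps the size check.
BENIGN = flattened(num_fds=1, num_ints=3, payload_ints=(1, 2, 3))
MALICIOUS = flattened(num_fds=0, num_ints=0x40000000)      # (10 + 2^30) * 4 wraps to 40

if __name__ == "__main__":
    for label, buf, fds in (("benign", BENIGN, 1), ("malicious", MALICIOUS, 0)):
        print(label, "vulnerable:", unflatten_vulnerable(buf, fds),
              "fixed:", unflatten_fixed(buf, fds))
```

The malicious buffer is only 40 bytes long, yet the vulnerable check computes a required size of exactly 40 and accepts it, after which the copy would read four gigabytes past the end. The hardened version bounds each count against the largest value whose product with sizeof(int) still fits before it multiplies anything; checking the product after the fact is too late, because the wrap has already happened.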

Google, for its part, along with handset vendors and carriers, typically does not update older handsets.

This, by the way, is one reason you want a BB10 handset.  Even the oldest, the Z-10, can and does run current firmware, so any problems like this (and I've yet to see a confirmed exploit of this sort) can be rapidly fixed and distributed to all users of the handsets.

One needs to consider another factor here, which is that in the US the carriers tend to play gatekeeper, insisting on having control over firmware updates.  The exception is Apple, which does its own distribution for iOS.  Fortunately this can be trivially worked around for BlackBerry's BB10 handsets, but it's not so simple for Android users, who may not be able to obtain an update at all absent carrier involvement.

If you're running an Android handset with anything other than Android 5.0, or any build of 5.0 other than a very recent one, you are at material risk here.  It must be expected, given the scope of this problem, that it is being actively exploited.


One of the worst forms of computer "virus" is found in what is called ransomware.

There are a handful of variants out there today; all get into your computer through an email (usually) or a nefarious web site that tricks you into loading what you think is a document or similar thing and is really a piece of rogue software.  It then obtains a public key whose private half lives only on the ransom server (either the server generates the pair and hands over the public half, or the malware generates it locally and ships the private half off before destroying it) and encrypts the files on your machine.  In practice each file gets its own symmetric key and that key is what the public key encrypts, since public-key operations are far too slow for bulk data; the result is the same.

At this point you're ****ed; properly implemented public-key cryptography is not going to fall to brute force, and other than paying for the decryption key or someone finding the server and publishing the keys, your files are effectively gone.

I've had a couple of friends come to me with machines buggered by this crap over the last couple of years and there is no solution by brute force, nor does removing the infection do a thing for you once the encryption has happened.

Now this crap has shown up on Android devices, and it gets in by claiming you need a "flash upgrade."

This points out what I've said before: Android has a nasty "device administrator" privilege that few people understand.  An app granted it can lock the screen, change the unlock password and resist being uninstalled until the privilege is revoked, which is exactly what this sort of ransomware needs, and, well...... boom.

The only "real" good news is that most people don't have anything on their phones that cannot be replaced, other than perhaps their pictures.  While losing those is a bummer, many people mirror them immediately to a cloud service, which might save you, provided the service keeps earlier versions rather than simply syncing the encrypted replacement copies over the originals.  Even then it's a serious pain in the ass.
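A sync or backup client that blindly copies whatever changed is exactly what pushes the encrypted copies into the cloud. The check below is the kind of guard that notices before that happens; it is an added example, not code from the post or from any sync product. Ransomware output is indistinguishable from random bytes, so a file that used to be low-entropy text and is now close to 8 bits per byte, or has lost the magic bytes of the format it used to be, or has grown a ransom-style extension, should be held back rather than mirrored. The thresholds, the suffix list, the format table and the sample files are assumptions constructed for illustration; the "ciphertext" is a deterministic hash stream standing in for real encrypted output.

```python
"""Hold back files that look like ransomware rewrites before a sync job mirrors them."""
import hashlib
import math
from collections import Counter

HIGH_ENTROPY = 7.5          # bits/byte; text and office documents sit well below this
ENTROPY_JUMP = 1.0          # how much the entropy must rise to count as a rewrite
SUSPECT_SUFFIXES = (".encrypted", ".locked", ".crypt")   # assumption: illustrative list
MAGIC = {b"\xff\xd8\xff": "jpeg", b"PK\x03\x04": "zip/office", b"%PDF": "pdf"}


def shannon_entropy(data):
    """Bits of entropy per byte; 8.0 is indistinguishable from random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_kind(data):
    """Identify a file by its leading bytes, or None if no known magic."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def looks_encrypted(name, before, after):
    """Return the reasons `after` looks like a ransomware rewrite of `before` (empty = clean)."""
    reasons = []
    if name.lower().endswith(SUSPECT_SUFFIXES):
        reasons.append("ransom-style extension")
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    if e_after >= HIGH_ENTROPY and e_after - e_before >= ENTROPY_JUMP:
        reasons.append(f"entropy jumped {e_before:.2f} -> {e_after:.2f}")
    # Photos and archives are already high-entropy, so the jump test is blind to
    # them; a format header that vanished is the tell in that case.
    if file_kind(before) and file_kind(after) != file_kind(before):
        reasons.append(f"{file_kind(before)} magic bytes gone")
    return reasons


def screen_changes(changes):
    """changes: {name: (previous_bytes, new_bytes)} -> {name: reasons} for files to hold back."""
    held = {}
    for name, (old, new) in changes.items():
        reasons = looks_encrypted(name, old, new)
        if reasons:
            held[name] = reasons
    return held


def _pseudo_random(n, seed):
    """Deterministic stand-in for ciphertext or compressed data (constructed, not a cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:n])


# Constructed before/after pairs as a sync client would see them.
REPORT_TEXT = b"Quarterly report: revenue up, costs down. " * 100
SAMPLE_CHANGES = {
    # plain text replaced by ciphertext and renamed: the classic signature
    "report.txt.encrypted": (REPORT_TEXT, _pseudo_random(len(REPORT_TEXT), "ct1")),
    # ciphertext written in place without a rename: caught by the entropy jump alone
    "notes.txt": (REPORT_TEXT, _pseudo_random(len(REPORT_TEXT), "ct2")),
    # a photo was already high-entropy; only the lost JPEG header gives it away
    "holiday.jpg": (b"\xff\xd8\xff" + _pseudo_random(4000, "img"), _pseudo_random(4003, "ct3")),
    # a photo merely re-saved keeps its header and is left alone
    "beach.jpg": (b"\xff\xd8\xff" + _pseudo_random(4000, "img2"),
                  b"\xff\xd8\xff" + _pseudo_random(4000, "img3")),
    # an ordinary edit to a text file: entropy stays low, nothing flagged
    "todo.txt": (b"buy milk\n", b"buy milk\nfix bike\n"),
}

if __name__ == "__main__":
    for name, reasons in screen_changes(SAMPLE_CHANGES).items():
        print("hold back", name, "->", "; ".join(reasons))
```

The two photos show the edge case worth remembering: an entropy threshold alone never fires on a file that was already compressed, which is why the guard also compares format headers. None of this recovers anything once the originals are gone; it only stops the good cloud copy from being overwritten, which is the same protection a service with version history gives you for free.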

It's a nice MadMax style cyberworld out there, isn't it?


So you wish to purchase a spying device and put it in your living room eh?  

I wrote about this quite some time ago.....

As first reported by The Daily Beast, Samsung's Smart TV privacy policy includes the following warning.

"Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition," the site says.


Heh Dave, let's smoke a joint!

Whooop-whooop!  Hands on your head, you're under arrest!

Fanciful?  Not really.  Whether Samsung claims not to store or use the data is irrelevant, really.  The fact is that it is transmitted out of your house, and once it has left, any compromise in the chain of trust between source and destination makes interception possible.

Do I trust Samsung?  Not as far as I can throw them.

The problem is that I trust them more than I trust the random government or other commercial goon!

Don't think turning this feature "off" stops it either -- that's yet to be proved up.

Fox News is trying to debunk this.  Sorry, no dice -- there is nothing you can do about a rogue firmware update -- or hidden back door in the code -- that allows "someone" to turn the microphone on without notifying you, other than cutting the wire going to the mic!

If Samsung wants me to believe that no such back door exists, now or in the future, it can release the source code to the TV firmware and provide a means to verify that it has been unmodified when loaded.  Until then I have no intention of believing them and you shouldn't either.

If you have such a device, block its outgoing connections at your router (a deny-all rule for the TV's address, with exceptions only for whatever you actually use).  If you don't know how to do that, well....


