The Market Ticker
Commentary on The Capital Markets- Category [Technology]

Oh boy....  Got a Chromecast?

Petro’s 20-minute YouTube video breaks down how the Rickmote works, but to briefly summarize, the device employs an unencrypted command called “deauth,” which basically deauthorizes the device from the network. As TechCrunch points out, this isn’t a Chromecast bug, but actually a relatively common quirk among WiFi devices.

Uh, yep.  And now that it's "clean" the hacking device simply attaches it (since it's looking for a network to attach to) and.... now it has control of it.

The worse news?  If the person who hacked you walks off (drives off, powers off, etc) you're screwed since there's no clean way to reset it back to unconfigured mode and the authorized network to which it is attached is no longer around!

Got a $35 Raspberry Pi?  The code for this one is public..... And maybe you need to grab a copy of your own for defensive purposes lest your Chromecast unit be rendered worthless!  At least if you have a copy you can reset your own device if someone hacks it...

How much fun could you have with this in an apartment building parking lot, or simply driving down a residential street?

SECURITY IS A PROCESS, NOT A PRODUCT GOOGLE, AND NOT HAVING A PHYSICAL RESET/CLEAR NVRAM BUTTON ON A DEVICE ALONG WITH LEAVING OPEN UNAUTHENTICATED "RESET" COMMANDS IS ****ING CRIMINALLY STUPID!

h/t Mr. Ford

Update: There is a claim in the user manual that there is indeed a "hard reset" capability built into the device that would allow an exit from this condition.  That would at least allow you to get out of this state, once it happens.  I don't have one to test with.... and given that unauthenticated access to reset functionality (over wireless at that!) can be performed I'm not about to have one any time soon either.

View this entry with comments (registration required to post)
 

Oh boy.....

Apple has endowed iPhones with undocumented functions that allow unauthorized people in privileged positions to wirelessly connect and harvest pictures, text messages, and other sensitive data without entering a password or PIN, a forensic scientist warned over the weekend.

Why would Apple include such an undocumented interface?

There is no legitimate reason to do so.  There is a legitimate reason to include documented APIs for extracting data, but were they to be documented there would have been a howl a long time ago about the lack of protection of the data they can access.

What do these services do? You're not going to like it:

Zdziarski said the service that raises the most concern is known as com.apple.mobile.file_relay. It dishes out a staggering amount of data—including account data for e-mail, Twitter, iCloud, and other services, a full copy of the address book including deleted entries, the user cache folder, logs of geographic positions, and a complete dump of the user photo album—all without requiring a backup password to be entered. 

....

The Pcapd service, for instance, allows people to wirelessly monitor all network traffic traveling into and out of the device, even when it's not running in a special developer or support mode. House_arrest, meanwhile, allows the copying of sensitive files and documents from Twitter, Facebook, and many other applications.

Isn't that special?

Undocumented, unfettered access to the data on the device -- and all someone needs is even transient access to any device you've paired your phone with, ever, from the time of the last hard (data wipe) reset -- Bingo!

That "pairing" your phone effectively permanently defeats any encryption or password you have set for anything on the device wasn't disclosed when you paired for music or some other legitimate purpose, is it?

Didn't think so.

If you're a CIO at some firm with a concern over security -- say, a health-care company with a potential ERISA/HIPPA exposure or a financial entity with various fiduciary responsibilities: May I ask how warm you're getting under the collar right about now?

Oh, about that IBM "partnership" smiley

View this entry with comments (registration required to post)
 

Amusing how this is considered "news."

Look, let's get to the bottom line right up front: IBM has no mobile strategy of any sort.  Period.

So this isn't a "partnership" at all; it's essentially a sales agreement with Apple's products.

Ok, so what?

None of this changes the fundamental reality of Apple's products -- They are aimed at consumers, they are "weak sauce" when it comes to enterprise applications and security, and absent major changes in how the "unified" view that Apple has toward devices that's not going to change.

And make no mistake -- it won't change.  It can't change because Apple derives a huge amount of its income from its "ecosystem", including its proprietary view of ownership of everything and how you must use their products to tie it all together (e.g. to transfer "things" to their devices, such as music.  Itunes anyone?)

What IBM has is a bunch of suits going into corporations -- that is, salespeople.  There's benefit there to both firms -- don't get me wrong.  But what's the new paradigm coming from this?  There isn't one; Apple already has a view of what it wants iPads to do, and of course we all know what a "smartphone" does.

I find it amusing that Apple delineated "on-site service and support" for iPhones and iPads as one of the big changes coming from this.  On-site service?  Really?  So when you crack your screen someone will walk in with a new one and this is somehow ground-breaking?  You're kidding me, right?

As for "big data and analytics", color me unimpressed.  All everyone does these days is use the word "cloud" and "big data" and people swoon.  Show me how this transforms business and I'm interested -- but on balance I simply don't see this as anything beyond what you already have through various application solutions, and tying yourself to a single vendor in a world of increasingly more-powerful mobile connectivity (where said application capability can be delivered through device-independent technology such as HTML5) appears to be a step backward.

IBM got buried trying to do this years ago with mainframes; rather than keep those devices in the unique places where they fit best (and in some cases fit only, particularly when it comes to massive I/O requirements) they tried to shove it down everyone's throat and damn near buried the company.

Yes, I know, that was many, many years ago.  But "cloud" is the same crap; it has its applications to be sure, but as a guy who's made my living in the tech space over the decades I am a skeptic on-balance when it comes to "cloud" because cloud computing and storage represents another level of indirection between you and what you're doing, and that means another set of hands reaching into your pocket -- that is, greater cost.  

There is a place for it -- where you need extreme and unpredictable scalability in both directions.  There it can make plenty of sense but only if you believe the "cloud" structure you select can hit the upper boundary scale limits you may need.

I see puff piece dreams and a reach here -- and an attempt to deflect attention from the fact that saturation in both phones and tablets is and has occurred -- not a revolution.

View this entry with comments (registration required to post)
 

As I pointed out at the time "Knox" was announced, I didn't believe it would or could work.

It's dead Jim.

After 18 months of going it alone and spending untold sums of money on development and marketing, Samsung is throwing in the towel on Knox. Google GOOGL +0.67% is stepping up to take the lead on Android security.

The move by Samsung is not surprising, considering Samsung’s 24% drop in operating profit and 10% drop in sales for the three months ended June 30th. And despite a lot of hype, Knox market take rate is a miserable at <2%. 

Bawahahahaa....

As for Google "taking up the lead" on Android security?  Yeah, right.  Google and security?  You're kidding, yes?

It is my view that the Google Play "ecosystem" has been diametrically on the other side of security forever.  As I pointed out when BBM was being announced for Android there were literally dozens of fake "BBM" apps being proffered on Play.  How does such a blatant and outrageously false set of apps get onto an app store except by willful blindness or worse?

Security is a process, not a product.  Examining apps before approving them requires time, and time is the enemy when your first, foremost and only concern is making as much money as possible and vacuuming up as much information as possible.  Holding apps for review and having actual human looks at them requires time and dilutes both information flow and speed, thereby diminishing the vacuuming up of information (that you then sell.)

Remember that Android (and IOS, for that matter) are diametrically opposed to enterprise-level (not to mention personal) security in the base sense.  They both wish to own and process the data you have on your device, tying them inexorably to the publisher's services.  This is how they make money, and as such expecting otherwise is simply foolish.

If you want an integrated and compartmentalized security system you need to be thinking BlackBerry, not Apple or Google.

But -- BlackBerry is missing a few things.  Let's put them out there, and hope that someone over in Chen's office is listening:

  1. Many enterprise users will find BlackBerry's "Balance" to be exactly what the doctor ordered.  There's only one problem -- what do you do about phone calls?  BlackBerry could solve this by shipping a dual-SIM unit with both SIMs active at the same time.  Text messages and calls could then come into both partitions at once, you could answer a call from either, and you could make a call or send a message (text or MMS) from either side, at your election.  Now I can have one device with two distinct personalities that extends to the one place it currently does not -- phone calls and other messages flowing over the radio interface.  This is a real issue right now that I have heard from real users; they have Balance but due to policy cannot make or take personal calls (or text messages) over their "work" line and thus have to carry two devices anyway.  If BlackBerry fixes this they will own that segment of the market -- and it is not a small segment either!  (Think DOD and virtually all "highly regulated" industries for openers.)

  2. ENABLE S/MIME FOR EVERYONE.  I've shouted this before, but it needs to be re-stated.  Secure email is the first requirement for enterprise users.  Demanding that everyone be on BES sounds like a way to drive BES sales, and it would be except that on IOS you can load a S/MIME certificate without any such nonsense.  Why does BlackBerry cede small business sales?  That's stupid.

  3. Fix the few VPN niggles in BB10.  Specifically, if the VPN is up MMS messages fail as the routing for those packets goes down the VPN.  That doesn't work because the carrier gateways won't take a connection from outside their own internal networks to prevent MMS spamming.

There is much more; I have previously put forward a number of other recommendations for a future product path, such as moves that would make replacement of tablets and light PC users with a "phone-style" device functional and possible.  A good part of it (e.g. keyboard and mouse integration over Bluetooth) already works on BB10.  What needs to be developed is a decent wireless or "docked" screen interface that respects the native screen resolution rather than the phone's panel res, along with the OS support to enable this to work in a fashion that is palatable (and transparent!) to phone app developers.  Then port Open Office and voila -- you have an 80-90% solution.

Remember folks that 80% of anything is pretty easy.  It's the last 20% that's hard.  But you don't need it all to sell the hell out of it, and if you give enterprise users a way to carry only one device yet give up nothing in terms of both personal use and enterprise security you will have a huge win.  

Nobody does it today, but BlackBerry is the closest with Balance.  Simply resolving 1-3 up above would get the small business user (without BES/Balance, where "corporate" and "personal" are not really separate) security for email where he needs it as they can run their own private VPN and get all data traffic secured, while not compromising functionality.

For that larger enterprise where "personal" and "corporate" are truly separate you'd have a dual-attach, dual-personality device that has both personal and business segments with full separation and capability on two separate carrier accounts, even on different carriers!  Now the corporation that wants to issue a device and have control over it can, while at the same time the user can put his own SIM into it and on Balance have that attached to the personal side.

That's an unbeatable combination.

View this entry with comments (registration required to post)
 

God I hate this crap spewed on the TeeVee.

Let's dispense with it right now -- there's a ****ing craze going on with "wearable" tech, such as the "Fitbit" and similar.  Apple is of course allegedly introducing a "smart watch", there are those that link to Android, and similar.

I've used a stand-alone product now for about four years in pursuit of my running and cycling.  I doubt I will ever be interested in one of these so-called "smart" devices, and I expect all of them to be huge fails in the marketplace.

The issue is format, comfort and data display.  The needs of someone who wants a watch on their wrist for everyday use are drastically different from those who want a "workout partner."  Among other things the sort of stylistic bands and such that are found on "everyday" watches are either uncomfortable or will actually cut you during vigorous exercise.  Simply put "style" is grossly inappropriate for workout use; you need rounded corners on your timepiece along with a soft band that securely anchors the device on your wrist and neither cuts into it or allows the device to move, as if it slides around it will chafe and, eventually, bloody you.

Second, data display.  I want four items of data "in my face" whenever I glance at my watch while working out.  I want the data immediately and without having to press buttons or wait.  For running that's the current lap pace, the last lap pace, the total distance consumed and (if I have the strap on) my current heart rate. That's it, but there's a problem here because I need all four and many of these so-called "universal" timepieces can only display two or three.  Three is not four and I need all four pieces of data when working out to know where I am and how I'm doing in meeting my goals.  When running I further want laps automatically tallied off on a per-mile basis; I rarely (except when racing, of course) have them marked on my route so I can press a button to manually do so.  You'd be shocked at how many so-called "GPS running watches" cannot give you one mile lap splits automatically!

When cycling I want current speed, distance covered and, again, heart rate.  If I had a cadence or power sensor (I have neither) I would want those.  Again that's four.  And again, most of these devices show three -- or less.  A display that "cycles through" is worse than useless; if I have to do more than glance at my timepiece while running it upsets my cadence and while cycling it's downright dangerous and can lead to a crash, just like fidding with your phone to read a text can when driving.

I don't do Tri stuff, so swimming doesn't matter to me, but if you are into Triathlons then some sort of accurate swim recording is a problem, because GPS signals don't work underwater -- and guess where your arm is a good part of the time when swimming?  There are a few specialized devices that claim to have solved this problem; I don't do this particular sport so I can't comment on that with any sort of actual knowledge.

All of the above causes a problem because having the data I want displayed clashes with a "nice, neat, trim" appearance.  I have recently switched to a Garmin 310XT from the 305; the two are more similar than different.  But nobody's going to mistake the 310 or 305 for a fashion piece; they're functional devices that do a job, but you sure as hell won't wear one with your business suit or dress!

Then there's another problem -- data security.  I'm more than a bit uncomfortable with having my timepiece integrate with anything outside of my direct control.  It's bad enough to have my phone on and pinging all the time but this sort of data is quite valuable, and who's to say it will remain yours -- and yours alone?  I don't know that there's an answer to that general issue, incidentally, but you ought to think about it quite carefully before you concede that these sort of devices are a good idea for you.  At least with my running and cycling watch I can keep all the data it collects locally if I so choose.  Not so much with some of the newer ones, and definitely not with the so-called "integrated" smart watches.

And finally, there's price.  The 310XT is now available at a rational cost.  Many of the higher-end watches in the "fitness" arena are just plain outright ridiculous when the financial side of things is considered.  I find it fascinating that marketing folks believe people will pay upwards of $400 for a workout watch that has a non-replaceable battery with a limited cycle life -- typically 300 or so cycles just as with a cellphone, since they all use the same lithium battery technology.  I note that I have cut open my 305 once already to replace the battery -- Garmin wanted $80 to swap it, which is outrageous considering that the battery itself is a whole $5 piece.  If you work out daily and charge the watch every couple of days you're talking about getting one or two years of life out of it before you bin the thing.  We as consumers need to stop tolerating that sort of crap; there's no reason not to put the battery behind a screwed-down, O-ring sealed door so it can be replaced in the field at a rational cost.

I know people will argue that nobody cares about privacy any more, and perhaps they're right.  But you can't get around the other problem -- functional issues related to size and style and which clash in a serious way with an attempt to use these devices for any sort of intended purpose when it comes to working out, along with their price.

Yet that's a huge part of how they're being marketed -- as some sort of device that will help you across your daily activities, including your daily workout routine.

I'm not buying what they're selling.

View this entry with comments (registration required to post)
 

Main Navigation
Full-Text Search & Archives
Archive Access
Get Adobe Flash player
Legal Disclaimer

The content on this site is provided without any warranty, express or implied. All opinions expressed on this site are those of the author and may contain errors or omissions.

NO MATERIAL HERE CONSTITUTES "INVESTMENT ADVICE" NOR IS IT A RECOMMENDATION TO BUY OR SELL ANY FINANCIAL INSTRUMENT, INCLUDING BUT NOT LIMITED TO STOCKS, OPTIONS, BONDS OR FUTURES.

The author may have a position in any company or security mentioned herein. Actions you undertake as a consequence of any analysis, opinion or advertisement on this site are your sole responsibility.

Market charts, when present, used with permission of TD Ameritrade/ThinkOrSwim Inc. Neither TD Ameritrade or ThinkOrSwim have reviewed, approved or disapproved any content herein.

The Market Ticker content may be reproduced or excerpted online for non-commercial purposes provided full attribution is given and the original article source is linked to. Please contact Karl Denninger for reprint permission in other media or for commercial use.

Submissions or tips on matters of economic or political interest may be sent "over the transom" to The Editor at any time. To be considered for publication your submission must include full and correct contact information and be related to an economic or political matter of the day. All submissions become the property of The Market Ticker.