This is really getting bizarre.
Yesterday BBM (BlackBerry Messenger) was supposed to go live for users on Android and IOS (Apple.) The latter happened.
The former was halted. The company said this:
Prior to launching BBM for Android, an unreleased version of the BBM for Android app was posted online. The interest and enthusiasm we have seen already – more than 1.1 million active users in the first 8 hours without even launching the official Android app – is incredible. Consequently, this unreleased version caused issues, which we have attempted to address throughout the day.
1.1 million people sideloaded the BBM software?! That's.... incredible.
There were also a ton of fake BBM downloads on the Google PlayStore. These had to be malware of some sort (what other purpose would exist for putting them out there?) and Google had done exactly nothing about them up front.
Yesterday afternoon all the fakes disappeared (presumably after BlackBerry raised hell and Google removed them.)
Then two of them showed up again, only to be killed again in the evening. This morning they're back.
None of those BBM apps are real. The three BlackBerry apps toward the bottom of the screen -- the BES10 client, Workspace manager and Secure Workspace (the latter two of which are off the bottom of the page) are BlackBerry's legitimate software.
All of the rest are fakes and some of them have as many as 7,000 or more reviews -- each.
This is serious stuff folks. The legal wonks will bleat about trademark infringement and similar but that's not where the problem resides.
These apps are attracting very strong demand as measured by their download counts even though they are not the actual software published by BlackBerry.
One must presume they are full of malware and/or simple trojan horses.
By definition such an app is going to ask for access to your contacts, storage on your device and network connectivity, and you'll be inclined to grant it. Once it has permissions the app is free (with your permission!) to roam your device and send back whatever it wants to wherever it wants.
WHAT POSSIBLE MOTIVATION EXISTS TO PUT UP A FAKE APP OF THIS SORT OTHER THAN TO DO SOMETHING NEFARIOUS?
This fiasco has exposed a severe problem with Google's PlayStore -- it is utterly trivial for someone to submit and have approved software that is blatantly illegitimate and thus must be presumed to be full of trojan horses, malware and viruses.
Now the question: How many other, similar applications are on Google's Play Store that are also BS and are on a daily basis purloining data and penetrating networks, all with the permission of the device holder and those corporations and governments that have allowed those devices under "BYOD" operations into their environments?
I don't know the answer to that question but whatever "screening" Google is doing it clearly is inadequate to stop this before the apps hit the PlayStore -- so one has to ask the perfectly legitimate question: "What else is being missed?"
Oh, and may God have mercy on your soul if you were crazy enough to secure resources with a machine certificate (very common in corporate and government environments) and that certificate is on the phone when the malware runs. You're screwed as the malware now has access to everything that you thought was allegedly "secured."
The implications of this for corporate and government entities that allow Android handsets on their networks cannot be overstated, since the user will have granted the permissions requested. In this sort of circumstance those permissions are almost certain to include not only access to all contacts and calendars (which it must have to do its job) and the network (cellular and WiFi) but also to location and local storage on the device so it can save and send pictures and similar things.
This means that such an application could quite-easily pilfer damn near anything that the phone has stored in it or can get to and it can also tell the bad guys where it is.
I'm utterly stunned at the ridiculous ease with which these ripoffs not only got posted originally (and were not proactively intercepted) but that more than 24 hours into this fiasco they continue to reappear on the PlayStore and that Google appears to be incapable of stopping it.
If you are a corporate user that has permitted "BYOD" into your enterprise and allowed these devices on your corporate network you are a blathering idiot.
The other point this episode has made, however, is that I and others have grossly underestimated the demand for BBM and its value as part of BlackBerry. I had assigned it a value of "zero" in terms of the corporation's value itself, simply because I am non-plussed on the ability to monetize it, irrespective of the fact that among the various "chat" systems on mobile devices it is quite-clearly the nicest and best-integrated that I've seen of any of them. I also assumed that the cross-platform opening of the product would lead to only modest demand for it in the marketplace.
Wrong. There clearly are an unbelievable number of people who want it on Android and will use it heavily -- 1.1 million sideloads in 8 hours is simply beyond anyone's wildest expectations and implies an immediate uptake of 20 million users or more, and that is among only Android (not counting anything from the IOS world.) I don't yet have a decent guess on what this means for the valuation of BlackBerry as a company, but it is clear that a decent amount of value in fact is here, and once the dust settles and this problem is sorted out it will be interesting to see what the download and user count looks like.
Update 10:29 CT -- Looks like Google removed the fake apps (again); we'll see if they stay gone and what, if anything, is done proactively going forward. Unfortunately from my point of view the damage on this is done; this has almost-certainly been going on at a lower level forever, and it was only the high profile nature of this particular app release that brought it out where everyone could see it. How Google fixes this on a forward basis from a corporate and government security point of view is going to be interesting -- any bets on the response, if any, from them that makes it into the public view?
On another forum (Crackberry) there are claims that these "fake" apps are simple trolls to drive advertising. Nonetheless and whether each of those apps was in fact nothing more than this the point of this article stands -- if there is no screening of the applications to verify that they even facially appear to perform as claimed before being approved (that is, nobody actually loads them on a device and sees that if it claims to be "BBM Messenger" it actually appears to be exactly that, or even takes a trivial look at what it claims to be and who is publishing it) the underlying issue is exactly as stated -- it's the literal "wild west" should you allow a device to have privileged access to your network that can load such "applications." That which is not vetted is not, by definition, vetted!
Another update, 9/22 12:26 PM CT: I have managed to grab one of the fakes on my Samsung tablet. Note carefully the permissions list it is asking for -- including the ability to run in background, including automated start on boot along with access to protected content. It also wants system access to be able to modify shortcuts and change them which means it can hide itself once executed the first time and can kill other apps, including so-called device management software or anti-virus intended to protect you or your corporate network from threats.
No, I did not let it load, and this example makes a ****ing joke of the so-called "automated screening" that Google claims to do on applications for "Security Issues" before releasing them to the PlayStore.
IF THIS PARTICULAR APP HAS MALWARE IN IT YOU'RE ****ED ONCE IT LOADS AND NO, I DID NOT LET IT EXECUTE TO FIND OUT HOW BAD IT REALLY IS. WORSE, THAT APP, JUST A SHORT WHILE AFTER IT WAS POSTED, NOW HAS 5,600 REVIEWS, WHICH MEANS SOME MULTIPLE OF THAT NUMBER OF PEOPLE ARE LIKELY IRRETRIEVABLY SCREWED (SHORT OF A WIPE/HARD RESET) AND DON'T KNOW IT.
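The "take a trivial look at what it claims to be and who is publishing it" check described in this post, as an added example (not the author's code and not anything Google runs): a small triage that reads an app's manifest, compares its package name against the expected publisher's, and flags permissions a messaging client has no business requesting, such as the start-on-boot, shortcut-modification and kill-other-apps permissions listed above. The manifest and the package names are constructed placeholders.

```python
# Added example: triage an Android manifest against the permissions a
# messaging client plausibly needs, flagging the "start on boot / hide /
# kill other apps" combination described in the post. Manifest is constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions a chat app has a defensible reason to request.
EXPECTED_FOR_MESSAGING = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.READ_CONTACTS",
    "android.permission.CAMERA",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Permissions that let an app persist, hide itself, or interfere with others.
PERSISTENCE_AND_INTERFERENCE = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "starts itself on boot",
    "android.permission.KILL_BACKGROUND_PROCESSES": "can kill other apps",
    "com.android.launcher.permission.INSTALL_SHORTCUT": "can add launcher shortcuts",
    "com.android.launcher.permission.UNINSTALL_SHORTCUT": "can remove launcher shortcuts",
    "android.permission.ACCESS_FINE_LOCATION": "reports device location",
}

# Constructed manifest resembling the permission list the post describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notbbm">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return (package name, set of <uses-permission> names) from a manifest."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    perms = {e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission")}
    return pkg, {p for p in perms if p}


def triage(manifest_xml, expected_packages):
    """Flag an unexpected publisher package name and out-of-role permissions."""
    pkg, perms = requested_permissions(manifest_xml)
    findings = []
    if pkg not in expected_packages:
        findings.append(f"package {pkg!r} is not the expected publisher's")
    for p in sorted(perms - EXPECTED_FOR_MESSAGING):
        why = PERSISTENCE_AND_INTERFERENCE.get(p, "not needed for messaging")
        findings.append(f"{p}: {why}")
    return findings


if __name__ == "__main__":
    # Placeholder: the real publisher's package name would go here.
    for line in triage(SAMPLE_MANIFEST, {"com.vendor.placeholder.bbm"}):
        print(line)
```

A manifest-only check catches the cases the post complains about (wrong publisher, self-starting, shortcut tampering) without ever installing the app.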
There's an old saying that goes something like this:
It is better to be thought of as a fool in silence than to open your mouth and remove all doubt.
The recent NSA revelations by Snowden and others give rise to much in the way of legitimate protest and concern, but then there are those who simply go off the rails and look for bogeymen in places where they're not.
It would be an enormous competitive advantage for an IBM salesperson to walk into a government or corporate IT department and sell Big Data servers that don’t run on Windows, but on Linux. With the Windows 8 debacle now in public view, IBM salespeople don’t even have to mention it. In the hope of stemming the pernicious revenue decline their employer has been suffering from, they can politely and professionally hype the security benefits of IBM’s systems and mention in passing the comforting fact that some of it would be developed in the Power Systems Linux Centers in Montpellier and Beijing.
Alas, Linux too is tarnished. The backdoors are there, though the code can be inspected, unlike Windows code. And then there is Security-Enhanced Linux (SELinux), which was integrated into the Linux kernel in 2003. It provides a mechanism for supporting “access control” (a backdoor) and “security policies.” Who developed SELinux? Um, the NSA – which helpfully discloses some details on its own website (emphasis mine):
The author, sadly, doesn't understand what he's talking about.
SELinux was indeed developed by the NSA. But one must be careful to differentiate between security through policy and that through cryptography.
They're very different things.
Cryptography relies on mathematics. Mathematics operates in the realm of proofs, where one earns their chops by showing through formulaic evidence published in the open where other smart people can look at it that your assertions are correct. Cryptography rests at the algorithmic level at developing mathematical formulas that through some process allow you to "scramble" data and then recover it providing you have the key, and through no other means. If someone who is similarly intelligent discovers a way to "short circuit" your formulaic way of performing the scrambling and unscrambling such that they don't need the key then your encryption method is broken.
Because this is an inherently-open process and there are a lot of smart people the state of the art in this regard advances over time. But this state of the art has gotten good enough that it is usually, in today's context, easier to get out a drill and threaten to use it on the key-holders hands (or eyes) to extract a key than it is to break the cryptography. The other approach is to weaken the generation of the key itself; most cryptography relies on very good random number generation. If you can predict the numbers that a so-called "random" number generator produces then it is trivial to break most cryptography; for this reason the quality of that generation is one of the most-important factors in modern cryptographic development. Most people don't have access to things like atomic decay-based random generators (which are really high quality and damned hard to tamper with for obvious reasons.)
But SELinux, which this article garfs on is about policy, specifically, compartmentalizing access within the computer's environment. This (mostly) is about things such as mandatory access controls (MAC.) You can think of MAC as a set of permissions that the operating system enforces that go well beyond the usual Unix "user, group and other" tri-bit permission set. In other words MAC allows me to say "Joe, and only Joe, can have read access to my Powerpoint presentation for Thursday, but he may not change it and each time he accesses it I want that fact logged."
MAC also enforces auditing policy, so if you change access controls who did it and when it was done can be proved later on, along with (if desired) who accessed the particular resource and, in most cases, from where and how (e.g. by what program or process the access occurred, etc.)
Snowden proved exactly how stupid most of the world (including the NSA) is when it comes to such "frameworks." There is an awfully-pervasive view that such are somewhere from "pretty good" to "damn near bombproof" when it comes to enforcement. Nothing could be further from the truth if anyone with the ability to administrate those controls is untrustworthy. The simple fact of the matter is that someone has to administer and maintain these electronic systems, and if that someone wants to play games with you -- given that he has to have administrative permission, that is, the ability to override what I have granted, to do his job -- you're gonna get screwed.
Think about it for a second -- absolutely-bomb-proof MAC prevents backups from being taken. If the administrator, using his privileges, cannot access the file he can't save a copy of it so it is recoverable in the event the computer breaks. This is unacceptable in most contexts when one considers that computers, like all other things man designs, do indeed malfunction.
TCM is, as the article points out, a crock. Trusted, in this case, means the vendor doesn't want you to be able to override their decisions. Think of it as "Access Controls" (or "MAC") applied by someone other than you to what your machine runs.
That's right -- it's your computer (you bought it) but Microsoft wants to choose what you can run on it, when patches and changes are (or aren't) loaded and even whether you can determine what those changes are and what they do.
"Trusted", in this case, means trust me (the vendor.)
My one-word response: No.
Security by definition means that I have to be able to be the ultimate source of trust, which means I have to be able to look. As soon as you obscure my ability (as a duly-authorized administrator) to look at what someone else is doing there is no longer any security at all as I am no longer an actual administrator!
Security in any context is a process, not a product. The NSA's potential (and likely actual) "corruption" in some areas of that process is in fact serious. The abuse of process (such as TCM) to effectively force you to load a cryptographic piece of code that has a back door in it and which you (1) cannot prevent, (2) have no access to and thus can't examine is certainly a reason to say "screw you" to the vendors who would try to sell you same (e.g. Microsoft, Windows 8 and TCM.)
This, however, is very different than bleating on about how MAC in the context of enforcement of policy is somehow nefarious -- which is what the author of the cited piece alleges, even if indirectly.
You know the one....
See, quite some time ago I got into a pitched debate about Tor, the so-called "anonymous" browsing method that bounces data around the Internet, ostensibly with strong encryption in each hop to prevent anyone from figuring out where you're going -- and presumably, what you're doing.
I said that this was a false God, and that predicated on some fairly-simple analysis I was very sure that it was insecure -- specifically, insecure against government interests.
In other words, if you wanted to browse some random web site and keep the owner from knowing you were there, it will do that job. But if you want to keep The FBI (or any of the other big letter agencies) from knowing, well, The Black Suburbans are pulling in your driveway, bud.
Last month, we learned that the anonymity protocols that are Tor’s reason for existence had been hacked, apparently by the Federal Bureau of Investigation, which was investigating an alleged purveyor of child pornography.
Oh it gets better:
For a site whose glory has long been the image of the courageous freedom fighter in, say, Syria bravely sending messages to the world, the results were depressing: “Of the top twenty most popular Tor addresses, eleven are command and control centres for botnets, including all of the top five. Of the rest, five carry adult content, one is for Bitcoin mining and one is the Silk Road marketplace. Two could not be classified.” It gets even worse: “The FreedomHosting address is only the 27th most popular address,” according to Technology Review.
"Tor addresses", for the uninformed are "funky" URLs that are ".onion" names. Well, not really names; they're alpha-sorta-numeric hashes that are automatically generated, and constitute an 80-bit number that comes into creation when a hidden service is set up. If you know the key you can get there on the Tor network. If you don't, you can't.
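Where that 80-bit number comes from, as an added example (not the author's code and not Tor's own implementation): the hidden-service address of that era was the first 80 bits of the SHA-1 hash of the service's DER-encoded RSA public key, base32-encoded into 16 characters. The key bytes below are a constructed stand-in, not a real key; newer ".onion" names use a longer format, but the 2013-era derivation is what the quoted figures refer to.

```python
# Added example: derive and recognise a (2013-era) .onion name.
# The "public key" bytes are a constructed stand-in for the DER-encoded
# RSA public key a real hidden service would hash.
import base64
import hashlib
import re

# 16 base32 characters (a-z, 2-7) followed by ".onion".
ONION_V2 = re.compile(r"^[a-z2-7]{16}\.onion$")


def onion_v2_address(der_public_key: bytes) -> str:
    """SHA-1 the DER public key, keep the first 80 bits, base32-encode them."""
    digest = hashlib.sha1(der_public_key).digest()
    truncated = digest[:10]  # 80 bits = 10 bytes, the number the post refers to
    # 10 bytes base32-encode to exactly 16 characters with no '=' padding.
    label = base64.b32encode(truncated).decode("ascii").lower()
    return label + ".onion"


def is_onion_v2(name: str) -> bool:
    """True if the name has the 16-character base32 shape of such an address."""
    return ONION_V2.match(name) is not None


CONSTRUCTED_KEY = b"constructed-stand-in-for-DER-RSA-public-key"

if __name__ == "__main__":
    print(onion_v2_address(CONSTRUCTED_KEY))
```

Because the name is a truncated hash of the key, there is no registry to look it up in: whoever holds the name can reach the service and nobody else can find it by browsing.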
So, as it turns out, Tor winds up protecting those who want to spam and attack other hosts, who want to trade in drugs that some governments don't like, and who want to trade in various sorts of porn, including most-especially kiddie porn (after all in most western jurisdictions trading in ordinary porn is perfectly legal for adults.)
And it's insecure on top of it.
I hate it when I'm right.
Twitter has apparently dropped an S-1 to go public.
Of course the 140-character "Tweet" format is going to be just great in terms of delivering this thing called "profit", right?
Oh, I know, it'll be advertising. Which you will pay to have to delivered to your mobile device, just as Facefart is.
This is not going to work folks. Oh sure, it'll likely suck all the oxygen out of the room for a while, and I suspect people will file in and put money on the table. After all, who doesn't Tweet, right?
But remember folks, Twitter was one of the few firms that has actually pushed back against over-broad subpoenas and similar. As you saw Marissa ("I'm just followin' orders!") Mayer and Zuckerberg bray about their "compliance" with the NSA spying instead of putting their foot down and saying "no" (and yes, you can do that without breaking the law) you can bet that Twitter's resistance to such things will disappear like a fart in the wind the day the S-1 becomes effective.
I have to wonder what the impetus for this is, other than early investors' desire to get out while the getting is good -- and before the ads start *****ing people off. I know people think Facebook has cracked the mobile ad market wide open and it will "work", but color me not only skeptical but downright cynical on that mark. I don't buy it, in short -- the case hasn't been made that they've actually managed to deliver anything as of yet with a P/E of over 200!
What I see is a monstrous asset bubble, of which the "new tech" stocks are a big part. Look at who's been doing the crazy outperformance of late, then look at their P/Es and dividend ratios (most of which are zero) -- then get back to me.
NEW YORK (AP) -- T-Mobile said Friday that it is temporarily eliminating upfront payments on new phones, but it is increasing the prices for some models through higher monthly payments.
Unlike rival carriers, T-Mobile charges the full retail price of phones, spread over two years, but reduces monthly service fees for voice, text and data. AT&T, Verizon, Sprint and others typically charge $200 or so up front for high-end phones and make up for the rest of the phone's cost through higher service fees over the life of a two-year contract.
I noted the "Zeros" over the weekend -- but didn't recognize that it was across the board.
So what can we learn from this?
Well, a bit of perusal tells the tale; demand tends to drive price, you see.
The GS4, Samsung's "flagship", apparently isn't selling so well. The price is coming down about $30. The iPhone, which T-Mobile just got, hasn't moved -- so demand appears to be about what was expected.
Nor have prices moved on the BlackBerry BB10 devices. They're right where they were.
What does this tell me? Plenty -- that the "zero" hook works, you see.
One thing you can count on -- Boobus Americanus remains as well-educated as you might all expect.
Is the GS4 a flop? Maybe. What's pretty-certain is that while it rates a "staff pick" (might that be due to Samsung paying some spiffs to the staff, one wonders?) on the T-Mobile page it's well down the list, which suggests that it, and the GS3, simply aren't selling that well.
Incidentally while AT&T and Verizon allegedly "matched" T-Mobile's "no contract" view of phones and plans be careful -- you're still paying a much higher price for your service with those two carriers and as a consequence you're getting screwed twice -- you are paying full-price for the phone and you're still paying the implied subsidy in your monthly bill!
In my recent travels I also have noted that T-Mobile's LTE service continues to expand its footprint both in quality and reach.
Competition, in short, is good.
The Market Ticker content may be reproduced or excerpted online for non-commercial purposes provided full attribution is given and the original article source is linked to. Please contact Karl Denninger for reprint permission in other media or for commercial use.