The Market Ticker
Commentary on The Capital Markets

A follow-up was posted by the forensic security guy who uncovered Apple's spookware on iOS devices on the 23rd.  Let me point out a few salient points from it (and Apple's attempt at a "response"):

Additionally, this claim that your data is respected with data-protection encryption. The pairing record that is used to access all of this data is sent an escrow bag, which contains a backup copy of your key bag keys for unlocking data protection encryption. So again, we’re back to the fact that with any valid pairing, you have access to all of this personal data – whether it was Apple’s intention or not.

This is the 900lb gorilla in the room.

The keyring is part of the pairing data.

You have to understand how all of this works.  When you turn on your phone it has to load the encryption keys (if it, or any data on it, is encrypted).  Those keys have to be on the device, but you have a "master key" that unlocks the "safe" in which those keys are stored. 

If you use a password management tool like KeePass you know how this works on your PC.  You have a password for your KeePass file, and in that file are lots of passwords.  With the key to unlock the safe, you can get to the actual keys (passwords) for each of the sites you're storing credentials for.

Disk (and file) encryption works more or less the same way.  The key itself is a random (you hope actually random!) series of bits.  That of course would be damned near impossible to memorize, so the computer conveniently "envelopes" that in what amounts to a safe, and your password (or passcode, or whatever) unlocks that safe.

The problem here is that your passcode isn't the actual key itself -- the real keys live in that "safe," and a backup copy of the keys that open it travels with the pairing record!  So with a pairing record everything on your device is exposed, passcode or not.

Like Jonathan, my issue here isn't whether the NSA was involved.  I frankly don't care if the NSA was involved in designing and implementing this, if the FBI was involved, or who was involved.  That's not the point.

The point, as I've repeatedly made, is that it is the height of arrogance to believe that you're smarter than everyone else.  To include this sort of back door facility in a piece of software under the belief that nobody but the intended persons will use it (no matter who that is, and under what pretense) is ridiculous, it is grossly negligent and it is unacceptable.

Indeed this is exactly the same crap that the NSA did do when it was alleged they weakened certain public-key generation routines on purpose so they could break them.  To believe nobody else would figure that out and exploit it is ****ing stupid beyond words.  The NSA is not the smartest bunch of guys on the planet, now and forevermore, and neither is Apple.  Someone is always smarter and always able to figure it out.  As soon as you intentionally put in the means to break security someone else, other than the intended people, will do so and use that capability you put in place to screw you.

The real problem with this revelation, as with the NSA's key generation games, is the myriad entities that would love those pairing records that are not governments with a legitimate (or even illegitimate) beef against you.  Consider the value such capability has to criminals, especially when people talk about allowing your phone to be used to work as if it was your VISA card, for instance.  Or, for that matter, how many of you have an app on your phone that accesses your bank?  Note that with access to protected storage, while I might not be able to get your password, I almost certainly can get your account and routing numbers, and with that I can drain your checking account.

Do you still think you shouldn't care about things like this because you're not doing anything wrong?

Second, there is the claim that you must "pair" the device to expose the risk.  That's true.  It's also true that as of iOS 7 you get asked whether you want to trust a connected device.  For how many seconds do you have to take your eye off your device while you're somewhere for a person you don't implicitly trust to jab a connector in the socket and hit the prompt?  Are you sure that's never going to happen?  Remember -- if it does, even once, what the person who does it gains is the ability to break back into your phone any time they're on the same network you are, forever, unless you hard-reset the phone back to factory defaults!
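To make the "safe," the escrow copy of its keys, and the reset-is-the-only-cure point concrete, here is an added example.  It is not part of this post and it is not Apple's code: it models a passcode-derived key that wraps a device's random class key (the "safe"), and an escrow keybag that a pairing record carries, which is a second copy of that same class key wrapped under the host's pairing key instead of the passcode.  Device, pair, escrow_keybag and host_key are illustrative names I chose; the HMAC-SHA256 counter-mode wrapping is a standard-library stand-in for the AES-based wrapping a real device uses, and the file contents are constructed sample data.

```python
"""Added illustration (not Apple's code): a passcode-locked keybag plus an
escrow copy of the same class key handed out in a pairing record.

Key wrapping uses an HMAC-SHA256 counter-mode keystream with an
encrypt-then-MAC tag so the script runs on the standard library alone.
It stands in for the AES wrapping a real device uses; Device, pair,
escrow_keybag and host_key are illustrative names, not Apple's.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def derive_kek(passcode: bytes, salt: bytes) -> bytes:
    """Passcode -> key-encryption key. The only place the passcode is used."""
    return hashlib.pbkdf2_hmac("sha256", passcode, salt, PBKDF2_ROUNDS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag, tag = HMAC(key, nonce || ciphertext)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag first; a wrong key fails here, never yielding plaintext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Device:
    """The 'safe': a random class key, wrapped under a passcode-derived KEK."""

    def __init__(self, passcode: bytes):
        self.salt = os.urandom(16)
        self.class_key = os.urandom(32)  # the real key; nobody ever types this
        self.keybag = seal(derive_kek(passcode, self.salt), self.class_key)
        self.files = {}

    def store(self, name: str, data: bytes) -> None:
        """Files are protected by the class key, not by the passcode directly."""
        self.files[name] = seal(self.class_key, data)

    def unlock(self, passcode: bytes) -> bytes:
        """Normal path: the passcode opens the safe and yields the class key."""
        return unseal(derive_kek(passcode, self.salt), self.keybag)

    def pair(self, host_key: bytes) -> dict:
        """Trusting a host hands it an escrow keybag: the same class key,
        wrapped under the host's pairing key instead of the passcode."""
        return {"escrow_keybag": seal(host_key, self.class_key)}

    def factory_reset(self, new_passcode: bytes) -> None:
        """Wipes files and rotates the class key, orphaning every old escrow bag."""
        self.__init__(new_passcode)


def read_file_via_pairing(device: Device, record: dict, host_key: bytes, name: str) -> bytes:
    """What any holder of the pairing record can do, with no passcode at all."""
    class_key = unseal(host_key, record["escrow_keybag"])
    return unseal(class_key, device.files[name])


def demo() -> dict:
    dev = Device(b"1234")
    dev.store("bank.txt", b"routing 000000000 account 12345678")  # constructed sample

    try:  # a wrong passcode leaves the safe shut
        dev.unlock(b"0000")
        passcode_guess_worked = True
    except ValueError:
        passcode_guess_worked = False

    host_key = os.urandom(32)  # the "trusted" host's half of the pairing
    record = dev.pair(host_key)  # the user tapped "Trust" once
    leaked = read_file_via_pairing(dev, record, host_key, "bank.txt")

    dev.factory_reset(b"9999")  # only a reset rotates the class key
    dev.store("bank.txt", b"new data")
    try:
        read_file_via_pairing(dev, record, host_key, "bank.txt")
        stale_record_works = True
    except ValueError:
        stale_record_works = False

    return {"passcode_guess_worked": passcode_guess_worked,
            "leaked": leaked,
            "stale_record_works": stale_record_works}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noticing is that nothing in read_file_via_pairing touches the passcode or the passcode-wrapped keybag: the escrow copy is a parallel door into the same safe, so changing the passcode later does nothing, and only rotating the class key (the factory reset) shuts that door.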

At its core, the problem this revelation exposes (and the length of time it has been "in the wild" underlines) is that there is zero accountability for the so-called security promises that companies make with their products.  You simply cannot claim to have "encryption" as a feature when you give the ******ned keys away without telling the user you're doing it and getting his explicit permission to permanently void his security!



It appears that at least one doctor has had enough of people trying to argue that "the only people who should have guns are government agencies."  Good thing too, or he'd be dead.

Authorities are attempting to determine why a patient fatally shot a caseworker at a suburban Philadelphia hospital complex and whether a psychiatrist who pulled out his own gun and wounded the patient had concerns about him.

The psychiatrist, Dr. Lee Silverman, was grazed in the temple during the gunfight in his office Thursday afternoon with patient Richard Plotts, Delaware County District Attorney Jack Whelan said.

The patient apparently entered the facility and shot a caseworker.  The psychiatrist drew his own weapon (which policy at the hospital prohibited him from having) and put a stop to the assault.

In doing so he almost-certainly saved lives, although he was hit (but not seriously) in the exchange of gunfire.

Indeed, had he been unarmed the patient could have simply wandered through the facility shooting people until he ran out of ammunition or the police arrived. He would have run out of ammunition first, of course.

Enough with the BS "gun control" garbage.  As I have repeatedly noted people with criminal intent don't give a damn what the law is, including the laws related to firearms.  

The only thing that stops a murderous bastard with a gun is a good guy with a gun, and the closer the good guy is, no matter who he is, the better the chance of minimizing or preventing the loss of innocent life.


I said it before and I'll say it again: The only way to stop ruinous extraction of money from you when it comes to your freedom of movement in this country is to go to a model of assumed risk as regards the use of the public roads.

Here's an illustration of why:

Two insurance companies have made an unusual argument in a Michigan case: They’re insisting that the drivers of motorized mobility scooters should be required to get the same insurance as car and truck owners.

The case involves the claims of a paralyzed man who was hit by an SUV while crossing the street on his way to a doughnut shop. The insurance companies’ position? Because the man didn’t have auto insurance on his scooter, they shouldn’t have to pay for any damage caused to him by the SUV.

Remember, this is in a state with a "No Fault" law -- that is, your own insurance pays for your physical harm irrespective of fault, and if the other party is uninsured and you injure someone, your insurance pays for that too.

In other words you're entitled to recover from someone "at fault" and if they have insurance then they cover it.

This led the companies to try to claim that they shouldn't have to pay because a "mobility scooter" has four wheels and thus ought to be considered a "car" -- and thus have mandatory insurance.  As in "buy it or go to jail" -- like all other mandatory things.

The insurance companies, in short, are once again arguing for sticking a gun up people's noses and forcing them to buy coverage from them, thereby inventing a market out of whole cloth that does not otherwise exist.

There's a simple solution to this, and the state that picks it up and runs with it (and by the way, due to McCarran-Ferguson they can do it too, and there's nothing the Feds or the insurance lobby can do about it) will see massive economic shifts in their direction, which will bring jobs and prosperity on a relative basis to that state.

It's this: ASSUMED RISK.

Let me define this for you.

Public roads and associated facilities (e.g. sidewalks, etc) are declared to be known dangerous places.

YOU, by deciding to go upon a public road, accept the risk of injury or property damage by your mere presence in those places.  That is, you accept that not only may God do bad things (e.g. flood a road, drop a tree across it, etc) but also that humans are fallible and that travel upon public roads is an inherently dangerous activity that cannot be made safe.

Therefore when you choose to go upon such a road, an entirely voluntary act, by doing so you personally accept the risk of property destruction and/or injury that may occur as a result.  Write this into law.

That instantly and fundamentally changes the nature of said "insurance" from a mandatory thing to a voluntary one, where each person using the road chooses for themselves how much risk they wish to expose their person and property to on a financial basis.

If there is an accident your insurance is thus responsible, 100%, for the replacement of your property and your injuries within the limits of your policy.  You decide how much insurance to carry on your property and person, as it will never be paid to anyone other than you, and you can choose to carry zero insurance and accept the risk to your person or property in its entirety.  This also instantly stops the duplication of coverage -- if you have accidental injury coverage in your health insurance (and most people do) why do you need it in a car insurance policy as well?

There is only one exception: An act charged criminally as a felony, which upon conviction voids the assumed risk doctrine.

So if I commit vehicular assault or homicide because I am intoxicated, and I am convicted of driving while drunk and injure or kill you with my vehicle, you (or your estate) may sue me for recovery.

But if the collision did not occur as a consequence of a felony act -- that is, it's what we today call an accident, even when the accident results from an error in following traffic laws -- then unless the conduct rises to the level of felony misconduct you cannot sue the other party, because everyone on that road assumed the risk of mistakes by others in being there.

Folks, we have to stop looking to others to solve our problems.  I've been on the road since I was 16 with a driver license and have had a metric ton of close calls, including some that but for the grace of God would have turned out very badly.  

But to a large degree -- in fact, in virtually every case auto accidents are avoidable. 

There are exceptions, of course, where even excellent situational awareness won't help you.  I nearly got rear-ended a couple of months ago sitting at a red light with a gal who approached at highway speed from my rear while texting (I could see the phone in her face in my rear-view mirror!) and I had zero in the way of choices -- there was cross-traffic coming through the intersection controlled by the light I was stopped at.  If she hadn't looked up she would have nailed me and other than bracing for impact (which I did!) there was nothing I could have done about it.  But those situations are very rare; most of the time if you get caught in a pile-up 10 or 15 seconds earlier, and sometimes more, you could have done something differently had you been paying attention and avoided it.

We will never stop the encroachment of these "industries" into our pockets on a "guns up the nose" basis until we accept responsibility for those risks that we voluntarily assume each and every day.  This is just one of many, but it's an important one -- and one where due to how insurance law is structured one state can make this decision and do it on their own.

Which state wants the jobs and economic prosperity that will come from grossly-increased purchasing power for its residents by breaking this monopoly game? 


You didn't have that in your portfolio when it was halted, right?

Sucks to be you, if so.


There are all sorts of articles flying around talking about The Internet of Things (IOT), usually in reference to devices like "smart" thermostats, refrigerators and other devices around your home, office, car and similar.

It all sounds very dreamy, but before you buy into the hype machine surrounding this nonsense please do sit back and think a bit.

Consider the recent security issues disclosed with iOS devices and the Chromecast dongle.  Then consider that today, your Internet connectivity "risks" are mostly associated with your computer and/or phone.

Tomorrow those risks are going to be something else entirely, and given the lack of care (and outright insertion of code that has no reasonable proper purpose, such as the recent iOS disclosures) you'd have to be nuts to allow devices like that in your home and office.

I know I've pointed this out before, but now you have something real to think about with a real -- not hypothetical -- example.


Ars Technica claimed the other day that a forensic investigator has discovered multiple pieces of pre-loaded spyware in iOS, present because Apple put them there.  Their intention is of course not known with certainty, but their function has been decoded: they allow transfer, without a password, of pictures, your address book, a log of where you've been, all network traffic and more.

So now you pair that device with your brand new "Internet of Things" thermostat so you can control it from the phone.  Said thermostat has access to your WiFi network.  Unknown to you there's a "flaw" in said device, and some nasty person (maybe in the government, maybe a private party, maybe a spy, maybe just a nasty hacker) uses that pairing relationship along with the built-in spying capability in your phone to siphon off everything you do in a day whenever you happen to be close enough to the thermostat for the phone to connect to it -- or whenever your phone can get to it while you're out and about, which would be any time it has a cellular or wifi signal!

Still think this is a good idea, eh?

Now think about this -- we're not just talking about a thermostat.  We're talking about virtually every device, in some people's view of the world, that is in your house.  Your oven, dishwasher, refrigerator, coffee maker and clothes dryer for openers.  

Any one of them could have something nasty in it and all of them, as with your iPhone, are going to be provided software you can't get into and examine, nor will anyone else be easily able to do so.

How long has that spying software been in iOS?  We don't know from the Ars Technica piece, but it's probably fair to say it's been there for a while, probably years -- and it wasn't put there by some random "bad guy" either.  As near as can be determined it was placed there by the manufacturer on purpose!

Internet of Things only makes sense if any intentional act like this results in the instant dissolution of the firm involved in placing such a back door in the device and the imprisonment of all of the executives of said firm for life on felony criminal charges.  But you know damn well that won't happen -- we don't even lock up a single bankster when we catch them ripping off billions.  In addition, to be rationally secure, unintentional flaws of this sort would have to come with strict liability for the firms involved, including replacement of the offending devices at their full retail price and expense irrespective of how much time had passed, and full responsibility for any harm done (such as unauthorized disclosure of your personal information).

Neither of those standards will ever be imposed.

But without them the so-called Internet of Things is nothing more or less than a surveillance state that will catalog your every move in your life for any random group of people or government that wants it, right down to how many times you take a crap in the privacy of your own home.

The sad part of this saga is that I can see a whole bunch of you -- in fact, virtually everyone -- being willing to put up with this crap.  Indeed, the Ars Technica article should be sufficient, standing alone, to destroy Apple as a company as the only logical consequence of the intentional inclusion of such programs in their software by Apple should be the immediate and permanent shunning of their equipment by consumers worldwide.

It hasn't happened, has it?


Legal Disclaimer

The content on this site is provided without any warranty, express or implied. All opinions expressed on this site are those of the author and may contain errors or omissions.


The author may have a position in any company or security mentioned herein. Actions you undertake as a consequence of any analysis, opinion or advertisement on this site are your sole responsibility.

Market charts, when present, used with permission of TD Ameritrade/ThinkOrSwim Inc. Neither TD Ameritrade or ThinkOrSwim have reviewed, approved or disapproved any content herein.

The Market Ticker content may be reproduced or excerpted online for non-commercial purposes provided full attribution is given and the original article source is linked to. Please contact Karl Denninger for reprint permission in other media or for commercial use.

Submissions or tips on matters of economic or political interest may be sent "over the transom" to The Editor at any time. To be considered for publication your submission must include full and correct contact information and be related to an economic or political matter of the day. All submissions become the property of The Market Ticker.