Tag: asshats

In a terrifying trend being witnessed quite often, Volkswagen effectively used the courts to gag security researchers from disclosing security flaws in their keyless ignition system for two years (emphasis added):

They took their findings about the weaknesses in the cryptography and authentication protocol to the Swiss manufacturer of the chip in February 2012, giving them nine months to fix the flaw; then they took their research to Volkswagen in May 2013. They had planned to present their research at USENIX 2013, but Volkswagen argued its vehicles would be at risk of theft and filed a lawsuit to block the paper from being published.

Although the code had been available on the Internet since 2009, the UK High Court of Justice awarded an injunction that prohibited the authors, their institutions, and anyone else who might assist them from publishing the research. The British court wrote, “I recognize the high value of academic free speech, but there is another high value, the security of millions of Volkswagen cars.”

So much for doing the right thing by responsibly disclosing the security flaw.

Indeed, so much for doing the right thing. Good guys never win.

The Intercept’s Jenna McLaughlin looks at the many things wrong with Manhattan District Attorney Cyrus Vance Jr’s anti-encryption op-ed in the New York Times (emphasis added):

It’s true that when law enforcement asks for information that is encrypted with the user’s passcode, Apple and Google cannot actually deliver it. But that’s typically not the whole story.

For one: Apple, for instance, copies a lot of that data onto its own cloud servers during Wi-Fi backups, where the company can in fact access it and turn it over to law enforcement.

Plenty of other data is still available from the phone companies: SMS text messages, phone numbers called and phone calls received, and location information.

And then there’s the ability to break in. Responding to Tuesday’s op-ed, ACLU technologist Christopher Soghoian tweeted: “If law enforcement can’t hack the hundreds of millions of Android phones running out-of-date, vulnerable software, they’re not trying.”

Following the rollout of iOS 8, Lee Reiber, a cell phone forensics expert at AccessData, told Mashable that “As secure as the device can be, there’s always going to be some vulnerability that can be located and exploited.” Reiber said it’s “cat and mouse.”

I hate writing about politics almost as much as I hate reading about politics but this just irritated the living shit out of me. The GOP is apparently upset with the Supreme Court of the United States because even though the court has an ostensible conservative majority, Roberts’ crew has ruled completely opposite of what Republicans would like (emphasis added):

But it’s not just the firebrands who have had it with the Roberts court, despite it having one of the most conservative records in history. A Gallup poll released last week shows Republican approval of the Supreme Court at 18 percent, its lowest point in the 15 years surveyed and down 33 percentage points from last summer.

Wednesday’s hearing — titled “With Prejudice: Supreme Court Activism and Possible Solutions” and convened by the Judiciary Subcommittee on Oversight, Agency Action, Federal Rights and Federal Courts, which Cruz chairs — presented the latest wave of efforts to attack the Supreme Court for straying from the high hopes conservatives had after Bush nominated Samuel Alito to the seat vacated by the more moderate Sandra Day O’Connor.

“When I see what’s happened at the Supreme Court level, it strikes me as a foreign, unhistorical approach to law. It’s just breathtaking, some of the things that have happened,” Sen. Jeff Sessions (R-AL) said during the hearing.

One witness, John Eastman — a Chapman University law professor who also serves as the chair of the board for National Organization for Marriage — suggested constitutional amendments allowing states by a majority vote to override “truly egregious” decisions by the court and a supermajority of Congress to do the same.

Another witness, Edward Whelan, president of the Ethics and Public Policy Center, threw out an assortment of ideas, including changes to the constitutional amendment process itself, opportunities to override decisions, more avenues to remove bad judges, and term limits.

“The Court’s extraordinary abuses also call for consideration of extraordinary responses,” he said.

WTFF?

It is like these people completely forgot that we have this little thing called “checks and balances” to ensure that no single branch of our government can acquire too much power, and to ensure each functions within the confines of the US constitution. It’s no wonder people – both Democrats and Republicans alike – consider today’s GOP batshit crazy.

How anyone can suggest allowing states to override “egregious” Supreme Court decisions is unbelievable. So who decides what is egregious?

This is just wrong on so many levels I do not even have the vocabulary to articulate the level of ignorance on display. “This makes me sad” is really the best thing I can say at this point.

Toyota’s former highest-ranking female executive ever learned a tough lesson about mailing drugs to Japan after having spent three weeks in a Japanese prison while the police conducted an investigation into the incident:

Hamp, 55, who resigned as Toyota’s communications officer last week from a Japanese jail, has been detained since her June 18 arrest for allegedly importing prescription painkillers that require prior approval before being brought into Japan. Prosecutors will decide on July 8 whether Hamp, who hasn’t been formally charged, is to be indicted.

Her experience, and that of others like 26-year-old Carrie Russell, an English teacher held for 18 days in February for possessing prescription drugs sent from the U.S., offers a warning to visitors: Japan has tough laws for possession of prescription drugs, even when those medications may have been recommended by doctors abroad.

“When you get medicine from your physician, you assume it’s OK to bring it with you,” said Russell, who’s been taking medication for attention deficit disorder since she was 10. “I was completely wrong,” she said in a phone interview from Oregon.

Tokyo metropolitan police arrested Hamp of Toyota Motor on suspicion that she had imported the pain medication oxycodone. Hamp had her father send 57 tablets containing oxycodone to a Tokyo hotel where she was staying, according to Kyodo News, citing a Tokyo police representative.

Look, I am no rocket surgeon or brain scientist, but I am quite certain it is common knowledge to never send drugs, prescription or otherwise, in the mail, especially to a foreign country. The fact that the pills were hidden inside jewelry boxes points towards firsthand knowledge and thus I honestly believe she got what she deserved.

If Hamp really required the medication then she should have visited a Japanese hospital. It is likely the doctors would have prescribed her something equivalent without any fuss whatsoever. My experience with the Japanese medical system is that it is exceedingly easy to get a prescription for whatever you need just by talking to your doctor about the need for the medicine. They will generally hand it out like candy, so long as the prescription falls within the quantity guidelines outlined in Japanese law.

So yeah, I do not feel bad for Hamp. She should have known better, especially someone as high-ranking as her. Hamp was lucky enough to be let free after the police determined she had no criminal intent and had suffered enough as a result of her arrest and subsequent resignation from Toyota.

The tinfoil hat inside me says someone in Toyota who resented her rising to this position knew of her drug issue and informed the Japanese police about it, knowing she would be arrested and likely would not survive staying at Toyota thanks to the ordeal.

The Next Web has posted what amounts to an advertisement masquerading as an article about how the cyber security industry is a billion dollar scam. The author claims cyber security vendors are purposely selling outdated technology they know to be ineffective at preventing cyber attacks. First, the author sets the stage by claiming that the current model is broken (emphasis added):

According to Price Waterhouse Coopers, the total number of security incidents has increased 66 percent year-over-year since 2009. In 2014, there were 117,339 incoming attacks a day, an increase of 48 percent over the year before, accompanied by a rise in financial losses. Not only are these attacks more frequent and expensive, but they are also happening on a larger scale – 77 million records stolen from JPMorgan, 80 million records stolen from Anthem, Target, Home Depot, Sony, and the list goes on.

The connection between more cybercrime and more spending is clear. What is not clear is that more spending on security technology has actually done anything to curb the crime. Most of the security products out there use 20th century technology against 21st century foes, and they are obviously failing.

The author follows this by discussing how cyber security vendors are primarily selling products based on antiquated anti-virus technology rather than newer types of unproven solutions possibly more capable of preventing successful attacks (emphasis added):

Tools from mainstream security vendors are primarily based on an outdated, antivirus approach that relies on having prior knowledge of an attack. Threats are detected by comparing a program’s software to known malware in a virus dictionary. If a piece of code matches an entry in the dictionary, this raises the red flag.

Most of the security products available on the market are just a half-step better than old antivirus products. This method fails today because it only works if an attack has been seen before. Modern cybercriminals[sic] are more sophisticated than that. We are no longer looking at kids in a dorm room coming up with annoying little hacks.

While I will not disagree that there is a lot of outdated technology on the market today, that does not mean it is entirely ineffectual. The modern cyber attacker is generally backed by a well funded crime syndicate, or at worst a nation state, and is very good at what they do. Their level of sophistication requires organizations to use advanced cyber defenses to protect their crown jewels. This is well understood by every cyber security professional.

Next, the author rants about how there is this unwritten treaty – whereby treaty he means collusion – between the security vendors and the hackers, leveraging fear, uncertainty, and doubt to force organizations to spend a lot of money on useless technology (emphasis added):

The companies that make these products sell them for millions of dollars, knowing that they won’t work. Then when they fail, the vendors ask for millions more dollars to tell their clients why they failed. It is a racket. Without the “robbers,” the “cops” have no business; the more breaches occur, the more money the cybersecurity companies make.

Why hasn’t this Unholy Alliance between hackers and cybersecurity vendors received more attention? And why do organizations keep buying their products? One factor is secrecy – the security industry is not transparent in an alleged effort to protect security, and this means that these inadequate products continue to sell and continue to fail. Marketing is another factor. It’s not the best product that wins, but the best marketed product.

So now we are starting to get to the heart of the author’s issue: organizations continue to spend money with the same vendors who previously sold them products that were ostensibly inadequate in preventing a breach. What the author fails to even remotely address is the complex nature of the problem, and more importantly, that buying expensive technology is not going to be one hundred percent effective in preventing every cyber attack. There will never be a time when this will be true.

Preventing successful cyber attacks requires a multi-faceted approach, combining technology, highly trained cyber security personnel, and an educated workforce, among other things. If an organization believes buying a security tool will solve all their security needs then they are sadly mistaken, and likely did not ask the right questions.

The author seems to take issue with marketing as well, and I can sympathize with this position. There are two particular security vendors – Palo Alto Networks and FireEye – who spend a lot of time, money, and effort on marketing their known inferior products. There are plenty of better technologies being sold today but as a result of their marketing campaigns, organizations believe they need to buy tools from these companies to stay protected.

Nothing could be further from the truth.

But here is the kicker – the part where we finally understand the context for this essentially pointless, baseless rant of an advertisement purporting to be an actual well researched, well written article (emphasis added):

In order to be effective, security software can’t rely on prior knowledge. It has to somehow figure out what is happening without looking at a list, because that list is inevitably going to be stale and incomplete. A better approach is to use Big Data and machine learning, which make it possible to identify patterns and predict discrepancies in real-time based on actual circumstances, not old or useless information.

The major security vendors are not taking this approach because it is in their best interest to keep the breaches happening. For this, they are just as culpable as the hackers themselves. In addition to developing new, better approaches for preventing attacks, startups also have an opportunity to realign the goals of the security industry to put customers’ best interest at the core.

I do not even have to address the sheer stupidity of the baseless claim that the major security vendors are not taking the approach the author outlines because there is some ostensible conspiracy to keep the industry status quo so the old guard can continue to generate revenue. Saying the vendors are the problem is to claim handgun manufacturers are at fault when an adversary shows up to a fight with a tank. The author seems to have no problem telling lies of his own so long as they suit his narrative.

Finally, the big data and machine learning comment is really the crux of this advertisement: at the bottom of the article, the author is listed as John Prisco, the CEO of Triumfant Security. Guess what types of cyber security products Triumfant makes? From their very own about page (emphasis added):

Our advanced analytics and intelligent, precision-based technology enable us to detect, analyze and immediately resolve attacks that bypass traditional, signature-based defenses.

Self-learning and continuously evolving, Triumfant’s endpoint protection technologies pick up where others leave off – effectively closing the gaps left by firewall, antivirus, sandbox technologies and Intrusion Prevention Systems. Triumfant not only captures data and detects malicious activity in real time, but it also verifies, contains, investigates, remediates and prevents future attacks.

So basically, this entire article was one big tear-down of the existing cyber security industry to make some claim that his company produces superior technology. The author basically calls into question both the ethics of those in the cyber security industry, and then claims there is a big conspiracy between the actors and vendors. His solution is for the world to stop using the technology from his competitors and to start using the very technology his company is known for creating. But because his company does not have a large marketing budget, they are losing out to the likes of PAN, FireEye, Fortinet, and other cyber security vendors who are knowingly selling ineffective tools.

Shame on The Next Web for publishing this in such a way it looks like an actual article rather than framing it for what it is: a well written advertisement purporting to be an actual well researched article on the state of overspending in the cyber security industry.

Shame on the author, CEO John Prisco of Triumfant, for his claims of collusion, and for claiming the cyber security industry is knowingly selling defective products, when I guarantee he knows otherwise. Rather, he uses this ruse as a red herring to better position his company’s technology.

Here’s a protip for John: if your machine learning, data analytics, and predictive analysis are that good then why don’t you actually demonstrate how good these tools are at detecting and preventing cyber attacks? Do not use TNW to bash the very industry your company is a part of only to try and sell the next best security product. Let your technology speak for itself and show its effectiveness and reliability. Once you do that, then the industry will take you seriously.

I should point out that I agree – machine learning and predictive analysis is where the industry needs to go and where it is currently headed. However, no company has yet realized the potential of these ideas and produced usable, reliable technology truly capable of meeting the marketing rhetoric. We need better AI for this to happen, and we are close, but it is still a few years out before we will really have an effective tool of this nature.

Until then, companies like Triumfant should work on improving and perfecting their imperfect technology rather than penning pointless drivel like this article. The industry respects results not rhetoric.

Disclaimer: I work for Intel Security, one of those companies John Prisco claims to be knowingly selling defective tools, and one in that conspiracy circle of hackers and cyber security vendors he accuses exists.

TheNextWeb on Samsung jackassery whereby they are surreptitiously disabling Windows Update on their computers, preventing users from leveraging the standard automated security patch installation feature Windows has offered for quite some time:

The app, conspicuously named Disable_Windowsupdate.exe, is installed automatically without the owner’s knowledge. According to a support representative, it’s there to stop the computer from automatically downloading drivers from Windows Update that could be incompatible with the system or cause features to break.

Unfortunately for Samsung it also appears to change the user’s update settings and disables Windows Update entirely. Once installed, the app even disables Windows Update after the user re-enables it.

Samsung’s software update service doesn’t actually ship with the application installed, it’s silently downloaded in the background at a later time from a non-HTTPS server and installed without asking the user.

Disable_Windowsupdate.exe is signed with Samsung’s security certificate, confirming the company did create it.

There is no worldly reason why a computer manufacturer should prevent users from installing security updates. None. At. All.
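For anyone who wants to verify the behaviour described above on their own machine, here is an added PowerShell audit script (not from the TNW article and not Samsung’s code) that reports whether automatic updates have been switched off and whether a binary named Disable_Windowsupdate.exe is present; the directories searched are an assumption, since the article gives no install path.

```powershell
# Added audit script (not from the article): run in an elevated PowerShell.
# Reports the common ways automatic Windows Update gets turned off, and
# looks for the binary named in the report. Search roots are an assumption.

$findings = @()

# 1. Start type of the Windows Update service (wuauserv).
$svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $findings += "Windows Update service (wuauserv) not found"
} elseif ($svc.StartType -eq 'Disabled') {
    $findings += "wuauserv start type is Disabled"
}

# 2. Policy registry values that disable Automatic Updates.
$auPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$noAuto = (Get-ItemProperty -Path $auPolicy -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
if ($noAuto -eq 1) {
    $findings += "Policy NoAutoUpdate=1 under $auPolicy"
}
$auOptions = (Get-ItemProperty -Path $auPolicy -Name AUOptions -ErrorAction SilentlyContinue).AUOptions
if ($auOptions -eq 1) {
    $findings += "Policy AUOptions=1 (never check for updates) under $auPolicy"
}

# 3. Look for the binary under the usual program directories (assumed locations)
#    and record who signed it, so a signed copy stands out from a random file.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) | Where-Object { $_ }
$hits = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter 'Disable_Windowsupdate.exe' -Recurse -File -ErrorAction SilentlyContinue
}
foreach ($hit in $hits) {
    $sig = Get-AuthenticodeSignature -FilePath $hit.FullName
    $findings += "Found $($hit.FullName) (status: $($sig.Status); signer: $($sig.SignerCertificate.Subject))"
}

if ($findings.Count -eq 0) {
    Write-Output "No indication that automatic updates have been disabled."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

A finding on the registry or service checks alone does not prove vendor tampering, since an administrator or group policy can set the same values; the named binary plus a signer you did not expect is the combination worth escalating.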

Lisa Vaas of Naked Security on a cyber insurance provider saying they “don’t cover stupid” and fighting a payout over obviously ignorant actions by the insured:

Good thing the healthcare provider had insurance to cover such a data breach, eh?

Well, it would have been a bit of a relief, if the insurer hadn’t scratched its head and shrugged its shoulders, pointing to a clause in the policy that means it doesn’t have to pay out when the insured party has been bone-headed about its security.

Cottage’s insurer, Columbia Casualty, earlier in May filed a complaint against Cottage Health System, claiming that whatever money it had to pay out under the policy would have to be paid right back to it, for the same reasons that the class action lawsuit had been filed: because the healthcare provider allegedly failed to follow “minimum required practices” as spelled out in the insurance policy.

Specifically, the insurer is claiming that Cottage “stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who ‘surfed’ the internet.”

The patient data had been exposed for about two months, starting in October 2013.

It’s not like the company was jumped on by cyber attackers, per se. Rather, the data was accessible via the public internet and to Google search.

That makes it tough to know who might have accessed the data.

This is where cyber security insurance is going to be interesting to watch; expect more and more cases like this in the future to help shape the scope of cyber insurance payout requirements.

This article about how Monsanto’s worst fear may be coming true is quite fascinating, both for their position on why Monsanto must be concerned but also because of the explanation of the science behind GMOs:

The decision of the Chipotle restaurant chain to make its product lines GMO-free is not most people’s idea of a world-historic event. Especially since Chipotle, by US standards, is not a huge operation. A clear sign that the move is significant, however, is that Chipotle’s decision was met with a tidal-wave of establishment media abuse. Chipotle has been called irresponsible, anti-science, irrational, and much more by the Washington Post, Time Magazine, the Chicago Tribune, the LA Times, and many others. A business deciding to give consumers what they want was surely never so contentious.

The media’s heavy criticism of Chipotle has an explanation that is important to the future of GMOs. The cause of it is that there has long been an incipient crack in the solid public front that the food industry has presented on the GMO issue. The crack originates from the fact that while agribusiness sees GMOs as central to their business future, the brand-oriented and customer-sensitive ends of the food supply chain do not.

The brands who sell to the public, such as Nestle, Coca-Cola, Kraft, etc., are therefore much less committed to GMOs. They have gone along with their use, probably because they wish to maintain good relations with agribusiness, who are their allies and their suppliers. Possibly also they see a potential for novel products in a GMO future.

However, over the last five years, as the reputation of GMOs has come under increasing pressure in the US, the cost to food brands of ignoring the growing consumer demand for GMO-free products has increased. They might not say so in public, but the sellers of top brands have little incentive to take the flak for selling GMOs.

From this perspective, the significance of the Chipotle move becomes clear. If Chipotle can gain market share and prestige, or charge higher prices, from selling non-GMO products and give (especially young) consumers what they want, it puts traditional vendors of fast and processed food products in an invidious position. Kraft and McDonalds, and their traditional rivals can hardly be left on the sidelines selling outmoded products to a shrinking market. They will not last long.

I do not feel one bit of sympathy for Monsanto and their sue-happy business model.

I have never heard of Tiversa so I am completely unfamiliar with their products or services. However, ex-employee Richard Wallace has accused the company of staging cyber security breaches so Tiversa can extort more money out of their clients:

Richard Wallace, one of its former investigators, has recently testified against the firm in a Washington DC courtroom. During the proceeding, he claimed Tiversa’s employees would hack potential clients to force them to pay for the firm’s services. The CEO, Bob Boback, would apparently even order them to look for IPs of known identity thieves using Tiversa’s close ties to law enforcement agencies. They’d then tell the companies they were targeting that those IPs are breaking into their computers as an additional scare tactic.

Utterly shameful.

It is this exact type of behavior that causes people to distrust cyber security firms; it’s what they fear most – being “hacked” and extorted. This only ends up distancing real cyber security professionals from the public.

Disclosure: I work for a cyber security vendor – Intel Security – and I guess we could conceivably be considered competition.