Welcome to loopedin.com™, a blog that aims to provide occasional and brief commentary on tech, law, and current topics of interest.
Android’s unique strength and selling point–openness–continues to be a major security issue. From ArsTechnica:
Researchers have uncovered a new type of Android adware that’s virtually impossible to uninstall, exposes phones to potentially dangerous root exploits, and masquerades as one of thousands of different apps from providers such as Twitter, Facebook, and even Okta, a two-factor authentication service.
The researchers have found more than 20,000 samples of trojanized apps that repackage the code or other features found in official apps available in Google Play and then are posted to third-party markets.
Under a model known as sandboxing, for instance, Android apps aren’t permitted to access passwords or most other data available to other apps. System applications with root, by contrast, have super-user permissions that allow them to break out of such sandboxes. From there, root-level apps can read or modify data and resources that would be off limits to normal apps.
One can’t help but wonder if this would be bigger news if it were Apple or Microsoft’s mobile offerings instead of Google’s.
According to this article, it appears that Windows 10 is generating great interest from businesses. Now, the company needs to make sure that it can capture the interest of consumers in order to stop the exodus to Apple’s Mac and iOS devices.
Meanwhile, the level of interest in Windows 10 from business customers has come as a surprise, according to McQuarrie.
“This is the first time in years that they have evinced an interest in the latest OS. Normally, they are fairly conservative, they wait,” he explained.
“Windows 8 was a struggle to convert commercial customers to; they saw no compelling reason to move from Windows 7. But we are seeing an increased interest in moving to Windows 10 against the same period in the run up to the Windows 8 release.”
Having this news hit the wire is unsettling (emphasis added):
Researchers at an HP security division have publicly detailed four code-execution vulnerabilities that can be used to hijack end-user smartphones running the latest versions of Microsoft’s Internet Explorer browser.
The disclosures earlier this week came more than six months after researchers from HP-owned TippingPoint first privately reported the bugs to Microsoft security engineers.
The article goes on to say that it remains unclear why Microsoft hasn’t issued fixes. I suspect that it may be that top talent at Microsoft is focused on delivering excellent introductory versions of Windows 10 and Windows 10 Mobile, which will include Microsoft’s new browser, Microsoft Edge (aka Project Spartan).
Apparently, Microsoft officials acknowledged the bugs and asked for extensions beyond the four months TippingPoint normally waits before publicly disclosing vulnerabilities. Could it be that Microsoft was hoping to get its new browser on the machines of its users, thereby replacing IE, before the vulnerability went public?
Even so, Microsoft is harming user trust, tarnishing its brand, and losing credibility with unpatched security issues. Apple seems to get the benefit of the doubt with unpatched security issues that arise on OS X and iOS, but Apple currently enjoys the adoration of the masses. Microsoft is not Apple, so it needs to be particularly mindful that security issues affecting its products and services carry greater negativity, at least for now.
Unfortunately, few people ever read the end user license agreement (EULA) for software or cloud-based services. Those that do may find surprises like this gem from Amazon’s AWS cloud contracts.
Basically, AWS is invoking its rights not to be sued for patent infringement by its customers not only for the time you’re using its service, but going forward — in theory — in perpetuity.
. . .
First, neither the Microsoft Azure license nor Google Cloud contracts include similar limitations, the lawyers said. The overall “broad covenant not to sue” is not unusual in and of itself, said a Seattle-based attorney, but the extension of limitations beyond the term of the contract was striking.
. . .
What’s interesting here is that, in theory, this 8.5 provision could allow Amazon to defend itself against customers (or former customers) if it ends up using their IP down the road.
This is a good example of Microsoft’s cutting-edge innovation — something for which it often gets little or no credit.
According to The New York Times, Google isn’t going to let Skype run away with all the high-tech, language barrier-smashing fun. An upcoming update will allow the app to auto-recognize popular languages and translate them into text in real time.
In addition, Google Translate will also let you take snapshots of signs or menus or whatever, and also translate onscreen.
Six months ago, Microsoft unveiled Skype Translator, a real-time translation tool that can be used to bridge two people from different parts of the world by allowing them to speak with one another using their native language. You can try the feature as part of a preview program, but it is limited to Spanish and English for voice translation, and 40 languages for text messaging.
Google is not being indifferent about Microsoft’s move, as it is reportedly working on a significant update for its Google Translate app for Android. Currently the app offers text translation for over 80 languages, including English, Arabic, Chinese, French, German, Hindi, Russian and Spanish, and voice translation for just a few of them.
Unintended consequences; overreaching laws and zealous enforcement impacting important security research
The Computer Fraud and Abuse Act (CFAA) essentially deals with unauthorized access of computers and the Digital Millennium Copyright Act (DMCA), among other things, protects copyrighted material through criminalizing efforts to circumvent digital rights management. Each offers important protections; however, in a recent article, lawyer Jonathon W. Penney writes about how these laws are shaping the ethics of code and security research. For me, this illustrates how difficult it is to balance the legitimate interests of various stakeholders. Legislators, judges, and lawyers routinely struggle with rules and their varied exceptions.
In late July 2014, the information security world was on edge. Researchers from Carnegie Mellon University—who work “closely with the (US) Department of Homeland Security”—were scheduled to give a talk at the Black Hat USA information security conference on a simple method to “de-anonymize” Tor users.
. . .
But the talk never happened. It was pulled from the conference program at the last minute, with the CMU researchers, as reported in the Washington Post, claiming the materials they planned to present had “not yet been approved by CMU/SEI for public release.”
. . .
Expansive laws like the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act, coupled with aggressive enforcement by state authorities and corporate interests, have subjected an increasing array of online activities to criminal and civil penalty. What was once considered “full disclosure” may today constitute a criminal act under the CFAA or DMCA.
. . .
“Code is law,” the aphorism Larry Lessig popularized, spoke to the importance of computer code as a central regulating force in the Internet age. That remains true, but today, overreaching laws are also increasingly subjugating important social and ethics questions raised by code to the domain of law. Those laws—like the CFAA and DMCA—need to be curtailed or their zealous enforcement reined in; they deter not only legitimate research but also important related social and ethics questions.
via CFAA reform: How laws are determining the ethics of code. Check out Mr. Penney’s entire piece — it’s worth reading.
Since 1986, technology has advanced at breakneck speed while electronic privacy law remained at a standstill. The outdated Electronic Communications Privacy Act (ECPA) allows the government to intercept and access a treasure trove of information about who you are, where you go, and what you do, which is being collected by cell phone providers, search engines, social networking sites, and other websites every day.
The ACLU has put together this eye-opening infographic that succinctly demonstrates the need to update outdated laws.
The longer that existing laws remain unchanged, the harder it will be to change them later. A certain inertia develops when the status quo is maintained.
Free speech is the cornerstone of democratic governments, so it is troubling when a government’s actions result in chilling free speech.
The latest survey found that writers living in liberal democratic countries “have begun to engage in self-censorship at levels approaching those seen in non-democratic countries, indicating that mass surveillance has badly shaken writers’ faith that democratic governments will respect their rights to privacy and freedom of expression, and that—because of pervasive surveillance—writers are concerned that expressing certain views even privately or researching certain topics may lead to negative consequences.”
If you use Apple Mail in Yosemite, beware of the following issue:
A glitch in the search software in Apple’s OS X Yosemite can expose private details of Apple Mail users, revealing their IP address as well as other system details to spammers, phishers and online tracking companies.
. . .
At the moment, the only way to work around the issue seems to be to uncheck the “Mail & Messages” box for Spotlight in System Preferences. When this option is disabled no mails are returned in Spotlight’s search results, and thus, no preview is shown.
It’s a dangerous, malware infested world out there.
Malware detections by AV-Test, a company that tests the effectiveness of antivirus software, spiked in 2014 to more than 143 million, up 72 percent from last year, according to a report released Thursday.
To put that in perspective: there was more malware found over the last 2 years than in the previous 10 years combined.
. . .
“At the pace we’re going, that’s just not feasible [to defend against] anymore,” said Jérôme Segura, senior security researcher at Malwarebytes.