Showing posts with label facepalm. Show all posts
Monday, February 17, 2020
In which I am a Dumbass
I put up a recent blogroll update post and asked folks to email me if I hadn't added them. Boy, howdy, how did I miss these folks? I mean, they're in my RSS feed and everything. Err, no fair peeking in the blog post title for the answer ...
The Feral Irishman has been blogging like forever. I don't expect that I need to introduce him to any of our readers. So how the heck did I not get him blogrolled? (yeah, yeah, answer in the post title and all that).
And I've been linking to Comrade Misfit at Just An Earthbound Misfit, I for years and years. Again, how did I not have her blogrolled?
Hokey smokes, this is embarrassing. Sorry, guys. Fixed now.
And as a request to you, Gentle Reader - can you please let me know when I'm being a Dumbass?
Thursday, January 17, 2019
You can't Voxsplain away Gillette's advertisement
I've spent a lot of my career working with Marketing and PR types, and have generally found it to be fun and rewarding (as one Marketing VP once told me, "Marketing doesn't change the truth, it just makes it better!"). But along the way some basic concepts have sunk in. The first rule of PR, for example, is "if you have to explain it, you've failed". This has actually been a really good challenge in making the message you want to send very crisp and sharp.
Gillette failed at this in a big, big way. They failed so big that their advert needs to be Voxsplained. It won't do any good, of course - you can't explain to someone who's been offended that they haven't, you know, been offended. But good luck with that.
It's actually worse than this, of course. You need to be extremely careful with your marketing so that you maintain your credibility. You can come across as a fast talking snake oil salesman, of course, but you shouldn't expect that to build trust in your brand. Even if what you say is true, if you come across in a negative manner you destroy brand value:
Successful advertising rarely succeeds through argument or calls to action. Instead, it creates positive memories and feelings that influence our behavior over time to encourage us to buy something at a later date. No one likes to think that they are easily influenced. In fact, there is plenty of evidence to suggest that we respond negatively to naked attempts at persuasion.
This is why Voxsplaining won't help Gillette, even though the entire media is hard at work trying to do just that. Not only did Gillette offend a lot of people (both male and female), but they did it in a ludicrously, transparently obvious manner. You could see the puppeteer behind the curtain pulling all the strings.
As Napoleon is said to have once remarked about one of his more blood-soaked decisions, it was worse than a tragedy. It was a blunder.
Gillette blundered twice with this ad. If you follow the link above you will find a set of excellent advertisements from the past. They avoid Gillette's blunders, and create positive memories that have been associated with the brand over time. And if you view the advert that co-blogger ASM826 posted, you will find another excellent one that creates positive memories that will stick with them over time. Whenever I see the Egard Watch logo in the future, I'll think of this ad.
Gillette's problem is that every time I see their logo, I'll remember their advert. No matter how much Voxsplaining people try to do.
Tuesday, July 24, 2018
We are governed by Dumbasses
And when I call them "dumbasses", I must apologize to donkeys for any disapprobation due to being associated with these idiots:
The nation's top voting machine maker has admitted in a letter to a federal lawmaker that the company installed remote-access software on election-management systems it sold over a period of six years, raising questions about the security of those systems and the integrity of elections that were conducted with them.
In a letter sent to Sen. Ron Wyden (D-OR) in April and obtained recently by Motherboard, Election Systems and Software acknowledged that it had "provided pcAnywhere remote connection software … to a small number of customers between 2000 and 2006," which was installed on the election-management system ES&S sold them.
Electronic voting has two computer components: the voting machines (where you cast your ballot) and the election management machines (where the ballots are counted). The security of the voting machines themselves has been pretty much deplorable, and we've known this for a very long time. But the saving grace is that to hack the election you need to hack a bunch of voting machines, and you need physical access to do so. That makes it hard - not impossible, but hard (read: expensive) and so the risk is mitigated by the real world (im)practicalities of the scenario.
But the election management systems, aye there's the rub. The votes get dumped from the voting machines into the management systems where they get counted and tabulated. And those machines were connected to the 'net.
Ooooooh kaaaaaay. Good thinking.
So riddle me this, Voter Fraud Man. If you wanted to change an election, would you try to gain physical access to maybe thousands of voting machines in key swing districts, using hundreds of accomplices who might get caught (or blab to the PoPo), or would you target a few dozen remotely accessible (and poorly protected) election management computers where you just change the counted results by a few percent to swing the election your way? After connecting from a jurisdiction that doesn't have an extradition treaty with the USA.
Take your time thinking about it, I'll be right here.
For extra credit, what do you think the password of the PCAnywhere remote access software was?
So we are governed by dumbasses. No, not the idiots who designed and sold this bleeding turkey of a voting system. The ones who bought this bleeding turkey of a voting system.
In a younger and more vigorous era of the Republic, the sellers (and buyers) of this smoking train wreck would have been horse whipped through the public square. Alas for the decline of America.
Labels: Democrats suck, dumb as a rock, facepalm, fail, GOP sucks, politics, pwned, security, we're so screwed
Tuesday, February 6, 2018
Wednesday, October 25, 2017
Data, data - who's got the data?
Co-blogger and brother-from-another-mother ASM826 and I keep harping on how you should back up your data. Like the saying goes about personal defense firearms, two is one and one is none. More copies of your important data is better, because things go wrong sometimes.
So who do we know doesn't read this blog? The New York Police Department:
A non-profit organization in NYC called Bronx Defenders wants to study the NYPD’s asset forfeiture records. They filed a request for this information (under New York’s Freedom of Information law) in 2014, and litigation is ongoing.
The latest revelation? Not only is the NYPD saying they don’t have the technical capability to pull the data Bronx Defenders wants…New York City is one power surge away from losing all of the data police have on millions of dollars in unclaimed forfeitures, a city attorney admitted to a flabbergasted judge on Tuesday.
Of course, it might be convenient for them to "lose" this data if a Court were to make them give it all back.
Labels: bad idea, facepalm, government cockups, idiots, police state, security
Monday, August 7, 2017
Medical CAT scanners hackable from the Internet
It seems that these have web servers (strike one) that are Internet-accessible (strike two) that have an unpatched vulnerability that lets the Bad Guy run any code they want on it (strike three):
Hackers can exploit trivial flaws in network-connected Siemens' medical scanners to run arbitrary malicious code on the equipment.
These remotely accessible vulnerabilities lurk in all of Siemens' positron emission tomography and computed tomography (PET-CT) scanners running Microsoft Windows 7. These are the molecular imaging gizmos used to detect tumors, look for signs of brain disease, and so on, in people. They pick up gamma rays from radioactive tracers injected into patients, and perform X-ray scans of bodies.
US Homeland Security warned on Thursday that exploits for bugs in the equipment's software are in the wild, and "an attacker with a low skill would be able to exploit these vulnerabilities." That's because the flaws lie within Microsoft and Persistent Systems' code, which runs on the Siemens hardware, and were patched years ago.
Of course not. Patches? We don' need no stencil' patches!
The patches just didn't make their way to the scanners.
After all, making an Internet playground for shady Black Hats, all inside a huge X-Ray control system - what could possibly go wrong?
Friday, April 7, 2017
New malware bricks Internet Of Things devices
I complain a lot about crummy security on Internet of Things (IoT) devices. I like to say that not only is security not an after thought, it wasn't thought of at all. I've also said (repeatedly) that companies who make these devices don't care about security because their customers don't care. After all, there's no downside to the customer for crummy security.
Until now:
"But really, Borepatch," I hear you ask. "Just how bad can it be?" This bad:
A new malware strain called BrickerBot is bricking Internet of Things (IoT) devices around the world by corrupting their storage capability and reconfiguring kernel parameters.
Detected via honeypot servers maintained by cyber-security firm Radware, the first attacks started on March 20 and continued ever since.
The end result is a bricked IoT device that will stop working within seconds of getting infected. Experts call these attacks PDoS (Permanent Denial of Service), but they are also known as "phlashing."
According to telemetry data, just one of Radware's honeypots has seen 1,895 PDoS attempts in the span of four days.
Welcome to the Internet of (Crummy Security) things. I can't wait until this hits thousand dollar big screen "Smart" TVs. But if the malware world follows historical norms, that's coming.
Tuesday, July 21, 2015
If you own a late model Jeep Cherokee, you're pwned
And by that, I mean pwned:
The result of their work was a hacking technique—what the security industry calls a zero-day exploit—that can target Jeep Cherokees and give the attacker wireless control, via the Internet, to any of thousands of vehicles. Their code is an automaker’s nightmare: software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.
How bad is it? This bad:
Miller and Valasek’s full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch. The researchers say they’re working on perfecting their steering control—for now they can only hijack the wheel when the Jeep is in reverse. Their hack enables surveillance too: They can track a targeted Jeep’s GPS coordinates, measure its speed, and even drop pins on a map to trace its route.
I've been talking about this for years and years. Here's an example from four years ago:
The rush to computerize your car is basically over, which means the rush to pwn it has begun in earnest. Fortunately (for the Bad Guys), security was never part of the design - for example, all of the non-critical components (like cell phones, music players, and GPS nav units) are on the same network as the critical ones (brakes, throttle, transmission control).
Sigh.
I mean, what could possibly go wrong?
It looks like the automakers are fixin' to learn what software companies learned decades ago:
- If a software developer finds a security bug right after he wrote the code, it costs a few bucks to fix.
- If QA finds the security bug a couple months after the developer wrote it, it costs hundreds of dollars to fix.
- If the customer finds the security bug years after the developer wrote it, it costs thousands of dollars to fix.
Remotely hackable cars are a PR nightmare, but I expect there will be a bunch of these stories over the next few years. The rush to market with lousy security designs will cost the automakers millions of dollars. All I can say is that stupid is expensive.
Tuesday, July 8, 2014
All your light bulbs are belong to us
Yeah, I've been saying forever that security for the "Internet Of Things" isn't an afterthought, it's not thought of at all. It seems that some of the Smart Lads decided to have a go at one of the new fangled WiFi enabled light bulbs. Hilarity ensued:
Loading the firmware image into IDA Pro, we could then identify the encryption code by looking for common cryptographic constants: S-Boxes, Forward and Reverse Tables and Initialization Constants. This analysis identified that an AES implementation was being used.
Those of you who deal with Tech are already in full Face Palm mode.
AES, being a symmetric encryption cipher, requires both the encrypting party and the decrypting party to have access to the same pre-shared key. In a design such as the one employed by LIFX, this immediately raises alarm bells, implying that each device is issued with a constant global key. If the pre-shared key can be obtained from one device, it can be used to decrypt messages sent from all other devices using the same key. In this case, the key could be used to decrypt encrypted messages sent from any LIFX bulb.
References to the cryptographic constants can also be used to identify the assembly code responsible for implementing the encryption and decryption routines. With the assistance of a free software AES implementation [7], reversing the identified encryption functions to extract the encryption key, initialization vector and block mode was relatively simple. [My emphasis - Borepatch]
Shared secret is bad, mkay?
Le sigh.
[Uses the patient voice reserved for talking to beloved but slow children]
You see, Punkin, this is why we can't have nice things on the Internet.
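To show why "one global key in every bulb" is the real facepalm in the LIFX analysis quoted above, here is an added illustration (not code from LIFX or from the original post). It uses an HMAC-based stream cipher as a stand-in for AES so that it runs on the Python standard library alone; the keys, device IDs and the per-device key derivation scheme are all constructed for the example.

```python
"""Global pre-shared key versus per-device keys.

Added example, not LIFX firmware and not code from the original post. The
cipher is a stand-in so the script needs only the standard library: an
HMAC-SHA256 keystream XORed with the message, plus an HMAC tag. The
key-management lesson is what matters: a key extracted from one bulb is
tried against traffic sent by a different bulb and we see what it unlocks.
"""
import hashlib
import hmac
import os

NONCE_LEN = 12
TAG_LEN = 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream transform: data XOR PRF(key, nonce || counter). One call both encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. The tag lets a receiver reject a wrong key outright."""
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, msg: bytes):
    """Return the plaintext, or None if the key is wrong or the message was tampered with."""
    nonce, ct, tag = msg[:NONCE_LEN], msg[NONCE_LEN:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _keystream_xor(key, nonce, ct)


# Constructed sample secrets for the example; a real product provisions these at manufacture.
GLOBAL_KEY = b"constructed-key-baked-into-every-bulb"
MASTER_SECRET = b"constructed-secret-that-never-leaves-the-factory"


def derive_device_key(master_secret: bytes, device_id: bytes) -> bytes:
    """Per-device key (constructed scheme): each unit ships with only its own HMAC-derived key,
    never the master secret, so dumping one unit's flash yields one unit's key."""
    return hmac.new(master_secret, b"device-key|" + device_id, hashlib.sha256).digest()


def leaked_key_unlocks(victim_key: bytes, extracted_key: bytes) -> bool:
    """Model the risk in the quoted analysis: a key pulled from one bulb's firmware is tried
    against a command sent by a different bulb. True means that bulb's traffic is exposed."""
    other_bulb_traffic = seal(victim_key, b"set colour 0xFF0000 brightness 80")
    return open_(extracted_key, other_bulb_traffic) is not None


def global_key_design() -> bool:
    """Every bulb holds GLOBAL_KEY, so the key dumped from bulb A is also bulb B's key."""
    bulb_a_key = GLOBAL_KEY   # what was extracted from one firmware image
    bulb_b_key = GLOBAL_KEY   # what every other unit on the planet uses
    return leaked_key_unlocks(bulb_b_key, bulb_a_key)


def per_device_key_design() -> bool:
    """Each bulb holds only its own derived key; bulb A's key tells you nothing about bulb B."""
    bulb_a_key = derive_device_key(MASTER_SECRET, b"bulb-A")
    bulb_b_key = derive_device_key(MASTER_SECRET, b"bulb-B")
    return leaked_key_unlocks(bulb_b_key, bulb_a_key)


if __name__ == "__main__":
    print("global key: one leaked key reads every other bulb ->", global_key_design())
    print("per-device keys: one leaked key reads other bulbs ->", per_device_key_design())
```

The per-device design still needs the master secret kept off the devices (in the controller or provisioning service); what it buys you is that a single torn-down bulb exposes only itself.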
Labels: facepalm, fail, pwned, security, Teh Intarwebz, we're so screwed
Friday, July 19, 2013
The intersection of "Smart Diplomacy facepalm" and "NSA facepalm"
It's a twofer!
Normally, Daniel Bangert's Facebook posts tend to be of the serious variety. The 28-year-old includes news items and other bits of interest he encounters throughout the day. "I rarely post funny pictures," he says.
Recently, though, he decided to liven up his page with something a bit more amusing -- and decided to focus on the scandal surrounding the vast Internet surveillance perpetrated by the US intelligence service NSA. He invited his friends on an excursion to the top secret US facility known as the Dagger Complex in Griesheim, where Bangert is from.
...
Bangert's doorbell rang at almost the exact same time. The police on the telephone told him to talk with the officers outside of his door. Bangert quickly put on a T-shirt -- which had a picture of NSA whistleblower Edward Snowden on it along with the words "Team Edward" -- and answered the door. His neighbor was outside too so as not to miss the fun.
The police wanted to know more about what exactly Bangert had in mind. "I couldn't believe it. I thought: What? They are coming for such nonsense?"
"Team Edward" FTW! And I guess we now know where the room temperature IQ Stasi guards are working these days:
The officers, says Bangert, were unimpressed and called him a "smart aleck," before hinting strongly that he should obtain a demonstration permit before he embarked on his outing. They then told Bangert not to post anything about their visit on the web.
Good idea there, Fritz. Seems foolproof. Oh, wait ...
There's so much fail in this that I fail in my attempt to describe it, other than this:
As we used to joke Back In The Day at Three Letter Agency, "In God we trust; all others we monitor." OK, can we stop now?
And can I just say that nothing good can possibly come out of the intersection of NSA and the German Authorities. Srlsy. Just don't go there.
Bootnote: This right here is my most favoritist part of the whole article:
The police spokeswoman sought to play down the incident.
Because playing it up would be bad, mkay? No wonder they lost The War.
Labels: burn before reading, europe, Eye of Sauron, facepalm, fail, geopolitics, mockery, shadenfreude
Saturday, July 13, 2013
Pwn the Nightly News
The Gaijin emails to point to this epic pwnage:
As the Gaijin says, Yes, it's wrong. But you'll probably laugh anyway.
Monday, June 3, 2013
"Secure voting" via credit card?
HAHAHAHAHA:
Former President Nicolas Sarkozy’s political party, already enfeebled by a chaotic national leadership election last year, faces further ridicule in a Paris town hall primary election which ends tonight.
Man, that's one locked tight security system. A veritable electronic Maginot line, even.
An “online-primary”, claimed as “fraud-proof” and “ultra secure”, has turned out to be vulnerable to multiple and fake voting.
...
What was already shaping up as a tense and close election was thrown into utter confusion at the weekend. Journalists from the news site Metronews proved that it was easy to breach the allegedly strict security of the election and vote several times using different names.
To register their vote on-line, Parisians were supposed to make a credit-card payment of €3 and give the name and address of someone on the city’s electoral roll. Metronews said that one of its journalists had managed to vote five times, paying with the same credit card, using names, including that of Nicolas Sarkozy.
...
The narrowly defeated candidate, the former Prime Minister, François Fillon, accused the winner, the party secretary general, Jean-Francois Copé of “fraud on an industrial scale”.
Wednesday, May 29, 2013
RIAA: All your computers are belong to us
The Entertainment industry wants the legal right to put trojans on your computer and hold your files hostage. Srlsy:
The hilariously named "Commission on the Theft of American Intellectual Property" has finally released its report, an 84-page tome that's pretty bonkers. But amidst all that crazy, there's a bit that stands out as particularly insane: a proposal to legalize the use of malware in order to punish people believed to be copying illegally. The report proposes that software would be loaded on computers that would somehow figure out if you were a pirate, and if you were, it would lock your computer up and take all your files hostage until you call the police and confess your crime. This is the mechanism that crooks use when they deploy ransomware.
Because the RIAA would never make a mistake and think that a Grandmother was pirating rock 'n roll music:
On Friday, the Recording Industry Association of America withdrew its lawsuit against Sarah Seabury Ward of Newbury, Massachusetts, after the 66-year-old grandmother said she had never used or even downloaded any peer-to-peer file-sharing software. Bolstering her claim is the fact that Ward and her husband own a Macintosh computer, which is incompatible with the Kazaa file-sharing network they're accused of using to share more than 2,000 songs.
Another reason to run Linux, if that there law gets passed.
Labels: Anarcho-Tyranny, facepalm, nanny state, punks, security kabuki
Friday, May 3, 2013
Climate Scientists burn skeptical book
I really don't know what to say other than scientists photographed themselves burning a book skeptical of the warming hysteria. They took the picture in their office at the University, and posted it on the Meteorology Department's campus web site:
Idiots. Can anyone please explain to me how these Professors are smarter than you and me? I sure don't see it.
Of course, now they're famous on teh Intarwebz, and so they flushed the picture down the memory hole. Dudes - Ctrl+PrtScn takes a screenshot. Just a helpful tip.
WEATHER, n. The climate of the hour. A permanent topic of conversation among persons whom it does not interest, but who have inherited the tendency to chatter about it from naked arboreal ancestors whom it keenly concerned. The setting up of official weather bureaus and their maintenance in mendacity prove that even governments are accessible to suasion by the rude forefathers of the jungle.
- Ambrose Bierce, The Devil's Dictionary
Monday, February 25, 2013
Security facepalm
Android handset maker HTC has just signed a settlement agreement with the FTC, an agreement designed to improve the security of their handsets. It's pretty eye opening:
Under the terms of the deal HTC admits no guilt, but the list of things that it has agreed to do suggests that there wasn't much security work being done by the Taiwanese manufacturer. The full settlement gives the company seven core tasks which you would have thought it would have done already.
[blink] [blink]
These include actually assigning someone in the company to be responsible for security, doing a risk assessment on its current coding practices and handsets, designing safeguards against flawed code, and training in-house staff on good security practices, such as where to get updates and patches.
You wonder just what they were doing about security. Actually, you don't (well, I don't).
It goes without saying that any of all y'all with HTC cell phones should upgrade to Android 4.0, stat.
NOTE: This agreement concerns software created by HTC for their handsets, not Android in general. However, I have to say that Apple has a much cleaner update mechanism for iOS - you get new security updates via iTunes, directly from Apple. With Android, the flow is Google fixes Android, then (maybe) the handset vendor updates the software for the phone, then (maybe) the carrier makes the fix available. It's a clunky process with a lot of failure points.