Apple and Its Snowden Moment
February 14, 2018
I don’t pay much attention to the antics of Apple, its employees, or its helpers. I did note this story in Boy Genius Report: “We Now Know Why an Apple Employee Decided to Leak Secret iPhone Code.” My take is that the trigger was a bit of the high school science club mentality and the confusion of what is straight and true with the odd ball ethos of clever, young tech wizards.
The cat is out of the bag. Removing content from Github does not solve the problem of digital information’s easy copy feature.
How will Apple handle its Snowden moment? Will the leaker flee to a friendly computing nation state like Google or Microsoft? Will the Apple iPhone code idealist hole up in a Motel 6 at SFO until the powers that be can debrief him and move him to a safe cubicle?
I think the episode suggests that insider threats are a challenge in today’s online environment. With the report that security service providers are suffering from false positives, the reality of protecting secrets is a bit different from the fog of assumption that some have about their next generation systems. I call it the “illusion of security.”
Reality is what one makes it, right?
Stephen E Arnold, February 14, 2018
Russia Considers Building a Garden Wall
February 14, 2018
In a move that could presage the future of the internet, Russia is considering a walled garden for itself and its fellow BRICS members; TechDirt reports, “Russia Says Disconnecting From the Rest of the Net ‘Out of the Question,’ but Wants Alternative DNS Servers for BRICS Nations.” We learn it was the Russian Security Council that recommended its government develop this infrastructure, proposing the creation of a separate, independent DNS backup system. The write-up observes:
Perhaps the most interesting aspect of the story is the following comment by Putin’s Press Secretary, Dmitry Peskov: ‘Russia’s disconnection from the global internet is of course out of the question,’ Peskov told the Interfax news agency. However, the official also emphasized that ‘recently, a fair share of unpredictability is present in the actions of our partners both in the US and the EU, and we [Russia] must be prepared for any turn of events.’ That offers a pragmatic recognition that disconnection from the global Internet is no longer an option for a modern state, even if Iran begs to differ. It’s true that local DNS servers provide resilience, but they also make it much easier for a government to limit access to foreign sites by ordering their IP addresses to be blocked — surely another reason for the move.
The “unpredictability” of the US and Europe? That’s a bit rich. We’re reminded Russia has been trying to localize control over parts of the Internet since at least 2012, and it looks like its fellow BRICS members may be supportive.
Cynthia Murrell, February 14, 2018
Strava: Revealing Secrets
January 28, 2018
I read “Fitness Tracker Heat Map Reveals Sensitive Information about US Soldiers around the World.” The main point is that Strava has aggregated data from a variety of sources. The data from Fitbit-type devices reveals details about certain facilities; for example, military bases. The write up stated:
Strava boasts 27 million users around the world, including people using Fitbit, Jawbone and Vitofit and the company’s mobile app. It posted the Global Heat Map online in November 2017, which shows a pattern of accumulated activity over the two-year period, shows activity in war zones and deserts in countries including Iraq and Syria.
Security risk or a way to identify popular paths and highways?
Stephen E Arnold, January 28, 2018
Encryption and Decryption: A Difficult Global Problem
January 10, 2018
I read “FBI’s Wray Calls for Significant Innovation’ in Accessing Encrypted Data.” The story echoed a statement which appeared in one of the technical product sheets from a company few people reading generalized online content have heard about.
The firm is Shoghi, and it is based in India. The main business of the firm is designing and licensing hardware and software for military and law enforcement use. The company can acquire data from a range of sources, including undersea cables. In the company’s description of its https intercept service, I noted this statement:
“Interception of this secure HTTPS traffic is possible at various point but it is normally not possible to achieve the decryption of the HTTPS traffic due to the secrecy algorithms used for encryption of the data.”
HTTPS poses a challenge. Encrypted hardware poses a problem. The volume of data continues to increase.
When a major lawful intercept company is quite explicit about the difference between intercept (capture) and being able to “read” the information, the problem is not confined to the US. Shoghi has as customers more than 65 countries and, it appears, each has the same problem.
Jumping back to the Fox story and Mr. Wray’s call for innovation, I want to point out that:
- The problem is not just the FBI’s; it is a problem for many authorities
- The “weakening” of the Internet is a powerful argument; however, as the fabric of security continues to fray from insider and outsider activities continues to capture headlines, the Internet has not become weak. The Internet is what it was designed to be: Robust in delivering packets and weak in terms of inherent security.
- The technical innovation referenced in the write up is what Shoghi wants its licensees to do: Figure out how to make sense of the captured data.
- The solution may reside with specialist firms which have developed technologies which perform date and time stamp analysis, clustering, digital fingerprinting of handles (user names), link analyses, and other text processing methods.
To sum up, Mr. Wray has identified a problem. Keep in mind that it is one that exists for countries other than the US. From my point of view, identifying specialists with non-intuitive ways of approaching the encryption problem warrant additional funding in the efforts to crack this “problem.”
My Dark Web Notebook team has compiled a list of companies with orthogonal approaches. We do make this information available on a fee basis. If you are interested, write benkent2020 at yahoo dot com for more information. Also, the January 23, 2018 “Dark Cyber” video includes a segment about the encryption problem for lawful intercept and surveillance vendors.
Stephen E Arnold, January 10, 2018
Machine Learning Becomes Major Battle Ground
December 14, 2017
It has been known for a while that machine learning is the next great platform for tech visionaries to master. While this ground level opportunity gives many a chance to make a mark, the big names in tech are catching up quick. We got a hint about this competition from the recent Recorded Future press release, “Recorded Future Expands Automated Threat Intelligence Solution With Analyst-Originated Intelligence.”
According to the story:
By adding current and finished threat intelligence to the broadest compilation of machine learning and natural language processing generated intelligence, only Recorded Future can provide organizations with the relevant expert insights and analysis they need for operational improvements and targeted risk reduction.
This new analyst-originated information provides customers with access to new insight as well as additional third-party intelligence research on threat actors, vulnerabilities, malware, and other indicators of compromise (IOCs). It is available in multiple formats to suit the diverse needs of customers.
Recorded Future has a bright future, no doubt about it. But we’d be leery of putting all our money on this horse. At this very moment, Amazon is gearing up to get a serious foothold in the world of machine learning. Seeing the merchandising giant getting into this arena is a terrifying threat to any startup. Be on the lookout.
Patrick Roland, December 14, 2017
Instant Messaging Security Is Becoming a Serious Issue
November 29, 2017
It might sound like a problem from twenty years ago, but the security of instant messages is a serious concern. We didn’t even know it was a thing, but once we started digging—yikes. We started this journey with the Make Use Of article, “Signal Desktop Brings Secure Messaging to Your PC.”
According to the story:
Signal, the messaging app which values privacy above all else, now has a standalone desktop app. Signal Desktop, which is available for Windows, MacOS, and Linux, replaces the Signal Chrome app. The app itself isn’t very different, but having a dedicated desktop offering is always welcome.
While most of the big messaging apps are starting to take your privacy seriously, Signal has made this its number one priority. This has made it popular with people for whom privacy is of the utmost importance, such as politicians and journalists. All of whom can now use Signal Desktop.
Sounds like Signal is hitting the desktop market just in time. A recent study found that doctors are sharing sensitive patient information via instant messaging software. Whoa. If anything should be secure, it’s that. Let’s hope they get onboard soon.
Patrick Roland, November 29, 2017
Experts Desperately Seeking the Secret to Big Data Security
November 28, 2017
As machine learning and AI becomes a more prevalent factor in our day-to-day life, the daily risk of a security breach threatens. This is a major concern for AI experts and you should be concerned too. We learned how scary the fight feels from a recent Tech Target article, “Machine Learning’s Training is Security Vulnerable.”
According to the story:
To tune machine learning algorithms, developers often turn to the internet for training data — it is, after all, a virtual treasure trove of the stuff. Open APIs from Twitter and Reddit, for example, are popular training data resources. Developers scrub them of problematic content and language, but the data-cleansing techniques are no match for the methods used by adversarial actors…
What could solve that risk? Some experts have been proposing a very interesting solution: a global security framework. While this seems like a great way to roadblock hackers, it may also pose a threat. As the Tech Target piece states, hacking technology usually moves at the same speed as a normal tech. So, a global security framework would look like a mighty tempting prize for hackers looking to cause global chaos. Proceed with caution!
Patrick Roland, November 28, 2017
AIs Newest Hurdle Happens When the Machines Hallucinate
November 27, 2017
Artificial Intelligence has long been thought of as an answer to airport security and other areas. The idea of intelligent machines finding the bad guys is a good one in theory. But what if the machines aren’t as clever as we think? A stunning new article in The Verge, “Google’s AI Thinks This Turtle is a Gun and That’s a Problem,” made us sit up and take notice.
As you can guess by the title, Google’s AI made a huge flub recently:
This 3D-printed turtle is an example of what’s known as an “adversarial image.” In the AI world, these are pictures engineered to trick machine vision software, incorporating special patterns that make AI systems flip out. Think of them as optical illusions for computers. You can make adversarial glasses that trick facial recognition systems into thinking you’re someone else, or can apply an adversarial pattern to a picture as a layer of near-invisible static. Humans won’t spot the difference, but to an AI it means that panda has suddenly turned into a pickup truck.
This adversarial image news is especially concerning when you consider how quickly airports are implementing this technology. Dubai International airport is already using self-driving carts for luggage. It’s only a matter of time until security screening goes the same way. You’d best hope they iron out adversarial image issues before we do.
Patrick Roland, November 27, 2017
Amazon: The New Old AT&T
November 22, 2017
I read “AWS Launches a Secret Region for the U.S. Intelligence Community.” The write up does a reasonable job of explaining that Amazon has become a feisty pup in the Big Dog in the upscale Potomac Fever Kennels.
The main idea, as I understand it, is that Amazon is offering online services tailored to agencies with requirements for extra security. Google is trying to play in this dog park as well, but Amazon seems to have the moxie to make headway.
I would point out that there are some facets to the story which a “real” journalist or a curious investor may want to explore; specifically:
- AT&T of Ashburn fame may be feeling that the attitude of the Amazon youthful puppy AWS is bad news. AT&T with its attention focused on the bright lights of big media may be unable to deal with Amazon’s speed, agility, and reflexes. If this is accurate, this seemingly innocuous announcement with terms like “air gap” may presage a change in the fortunes of AT&T.
- IBM Federal Systems, the traffic disaster in Gaithersburg, may feel the pinch as well. What happens if the young pup begins to take kibble from that Beltway player? A few acquisitions here and few acquisitions there and suddenly Amazon can have its way because the others in the kennel know that an alpha dog with tech savvy can be a problem?
- The consulting environment may also change. For decades, outfits like my former employer, the Boozer, have geared up to bathe, groom, and keep healthy the old school online giants like AT&T, Verizon, et al. Now new skills sets may be required for the possible Big Dog. Where will Amazon “experts” come from? Like right now, gentle reader.
In short, this article states facts. But like many “real” news stories, there are deeper and possibly quite significant changes taking place. I wonder if anyone cares about these downstream changes.
Leftover telecom turkey anyone?
Stephen E Arnold, November 22, 2017
Ichan Makes It Easier to Access the Dark Web
November 17, 2017
A new search engine for the Dark Web may make that shady side of the Internet accessible to more people. A piece at DarkWebNews introduces us to “Ichidan: A New Darknet Search Engine.” Writer Richard tells us:
Ichidan is a brand new darknet search engine platform that lets users search and access Tor-powered ‘.onion’ sites. The format and interface of the platform bear much similitude with the conventional search engines like Bing and Google. However, the darknet search engine has been designed with an entirely different purpose. While Google was created with the aim of collecting user information and analyzing the behavior across several platforms, Ichidan specifically aims to render selfless services to the users who access the darknet and are looking for some particular Tor site to get the necessary information. Owing to its simplicity and ease of use, the darknet search engine has now managed to be an incredibly helpful tool for individuals using the dark web. Security research professionals, for instance, are quite happy with the services of this new darknet search engine.
The article notes that one way to use Ichan seems to be to pinpoint security vulnerabilities on Dark Web sites. A side effect of the platform’s rise is, perhaps ironically, its revelation that the number of Dark Web marketplaces has shrunk dramatically. Perhaps the Dark Web is no longer such a good place for criminals to do business as it once was.
Cynthia Murrell, November 17, 2017
-
- Subscribe to Beyond Search
Feature archive
News archive
-
