

Stop Relying on Obsessiveness and Obscurity - DTNS WEEKLY TECH UPDATE 05/18/2017

This is the weekly newsletter companion to Daily Tech News Show at http://dailytechnewsshow.com/ 

You can get this newsletter by backing DTNS for $5 a month or more at http://patreon.com/dtns 

The ransomware attacks last week and a few other ideas bubbling around in my head led me to this week's column. Essentially it's something we all know. We need to get serious about security. Still.  So why haven't we? I have a couple thoughts.


CLOSER LOOK - The Internet is too big to rely on obsessiveness and obscurity to protect it.

That's pretty much it but let me explain a little more.


OBSESSIVENESS

From the earliest time of the Internet there have been obsessives making great use of it. Generally the ones who use it for ill get the most press. But plenty of people use it for good. In fact, white hat obsessives account for the advancement of internet protocols and the rise of open source.

One of the greatest things about Internet culture is that people who just love doing a thing can do it and help others out. Love messing with file transfer protocols? Great, help make FTP! Love figuring out operating system functions? Awesome, join the Linux project. One of the best outcomes of this phenomenon is people who check security. Plenty of folks get their kicks looking for software vulnerabilities and checking terms of service for loopholes. And the rest of us benefit.

In a free and open internet this works really well, at least to a certain scale. However, in an internet where a government can keep a vulnerability secret, the obsessives can't protect us. And as we saw with WannaCry, the scale of the Internet is such that even with white knight obsessives like MalwareTech, much damage can be done in a small amount of time.


OBSCURITY

The other thing I mentioned was the reliance on obscurity. Security is always about risk management and though "security through obscurity" is derided as a strategy, it is a real factor that helps protect systems. If nobody knows that some random corner of the NHS has some Windows XP machines running, nobody is going to target them.

Except nothing is obscure anymore. Everything on the network can be detected. You can't just say your business or system isn't important, because importance doesn't matter. Again, the scale of the internet is such that you can hope to infect millions of machines, and even at $300 a pop maybe make money. That didn't happen this time, but many researchers believe it has to do with a poorly created money collection function in WannaCry.

The other factor is that the Internet used to be a place only a few people used. So the damage was limited because there just wasn't as much of value out there to attack. Now everything is out there to attack.


THE INTERNET IS TOO BIG

The Internet has gotten by until now knowing that a few good obsessives would catch the bugs and attacks and even the few times they didn't, damage would be naturally limited. So some Geocities sites got corrupted. We could recover.

Now the scale is such that there aren't enough obsessives to go around. And not every system administrator is obsessive enough to force the good practices their companies should follow when their bosses cry about the cost.

And with much of the world's population and banking and identity on the network, the prizes are out there to plunder.

So what do we do? We don't shrug off updates. We don't let businesses get away with saying that security is costly and pretending that, just because they haven't been attacked up until now, they're safe. The best practices are out there. I know YOU follow them, right? It's time for everyone, especially companies, to get serious about following them too.


NEWS RECAP

Ransomware called WannaCry infected computers in over 99 countries over the weekend, including the UK, US, China, Russia, Spain, Italy, Vietnam, and Taiwan. The malware is distributed on Windows machines on the same network, encrypting drives and requiring a payment of $300-600 in bitcoin to decrypt. WannaCry takes advantage of the "Eternal Blue" Windows vulnerability MS17-010 in the Windows Server Message Block service, which was patched by Microsoft back in March. The UK's National Health Service, Spain's Telefónica, and FedEx were all partially incapacitated as a result. https://www.wired.com/2017/05/accidental-kill-switch-slowed-fridays-massive-ransomware-attack/

As a result, Microsoft released security patches for out of service versions of Windows, including Windows XP, Windows 8, and Windows Server 2003. https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ 

The spread of WannaCry was slowed, however, after a malware researcher known as MalwareTech found a gibberish URL in the code for the ransomware. MalwareTech was able to register the domain. When WannaCry checked the URL and found it active, it would not spread to that system. It is unclear why this URL call was put in place initially. https://www.wired.com/2017/05/accidental-kill-switch-slowed-fridays-massive-ransomware-attack/

HTC announced its 5.5-inch U11 flagship smartphone. It has a 12-megapixel camera with optical stabilization, and bundles in Amazon's Voice Assistant along with its own HTC Sense Companion and Google Assistant. The phone also features “Edge Sense” which lets you squeeze the phone to perform functions like launch the camera or Google Assistant. The U11 uses USB-C for the headphones but includes an adapter. The phone is available for preorder now from Sprint and will be in-store June 9th. Unlocked versions are available on htc.com for $649 and will ship in June. https://www.theverge.com/2017/5/16/15643668/htc-wants-you-to-squeeze-its-new-phone

Qualcomm has filed a complaint against Foxconn, Pegatron, Wistron, and Compal Electronics over unpaid royalties. All four companies contract with Apple which sued Qualcomm in January, claiming overcharging. Apple has instructed the contractors not to pay and agreed to indemnify the manufacturers for any damages. http://www.reuters.com/article/us-apple-lawsuit-qualcomm-idUSKCN18D1EC 

US District Judge William Alsup denied Uber’s request to have its trade secrets lawsuit with Waymo moved to arbitration. Judge Alsup referred the dispute over alleged stolen lidar tech to the US Attorney for investigation with a potential trial scheduled for October. Waymo alleges that Uber employee Anthony Levandowski took 14,000 files with him when he left Google’s autonomous car project that later became Waymo. Judge Alsup has yet to rule on Waymo’s request for a preliminary injunction which would limit Uber’s autonomous car research. https://arstechnica.com/tech-policy/2017/05/judge-uber-cant-push-waymo-lawsuit-into-arbitration/ 

Ride-hailing company Lyft and Alphabet's self-driving car tech subsidiary Waymo entered into an agreement to work on autonomous vehicle pilot projects and product development. While no details were released on upcoming projects, Lyft has previously stated they have no plans to develop their own self-driving car technology. The company has previously partnered with GM to test autonomous Chevy Bolts on its network. https://www.nytimes.com/2017/05/14/technology/lyft-waymo-self-driving-cars.html

Biz Stone announced on Medium he is returning to Twitter after being asked to do so by Jack Dorsey. Apparently his role will be being Biz Stone. Stone says fellow co-founder Ev Williams said that Biz Stone is "among the best in the world at being Biz Stone." Stone says he is not replacing anyone and his "focus will be to guide the company culture." https://techcrunch.com/2017/05/16/twitter-co-founder-biz-stone-is-returning-to-the-company/

The Fraunhofer Institute, a patent holder for MP3 encoders, announced it will end its licensing program for the audio format, citing more modern audio codecs with better fidelity and features gaining prominence in the market. Their MP3-related patents also expired, leaving little legal framework to continue collecting licensing fees. Mike James at I-Programmer also notes that as a result Red Hat Linux will now ship an MP3 encoder directly in their distribution. http://www.i-programmer.info/news/181-algorithms/10750-mp3-free-at-last.html http://gizmodo.com/developers-of-the-mp3-have-officially-killed-it-1795205540

Mark Gurman and Alex Webb at Bloomberg report their sources say Apple will introduce three new laptops at WWDC, including a new MacBook Pro with a Kaby Lake processor. https://www.macrumors.com/2017/05/16/new-macbooks-coming-at-wwdc/

John Paczkowski at Buzzfeed reports that sources say the availability of the Amazon video app in Apple TV will be announced at WWDC on June 5th. Amazon will reportedly resume selling Apple TVs as well. https://www.buzzfeed.com/johnpaczkowski/apple-will-announce-amazon-prime-video-coming-to-apple-tv?utm_term=.yw1zYd6AB#.ek34xJXLY 

Instagram added eight face filters, including crowns, animals and math equations. They can be used in front or back cameras and in any Instagram shooting mode, including Boomerang. Instagram users can also add hashtag stickers and use a new rewind video effect and eraser. https://www.theverge.com/2017/5/16/15643062/instagram-face-filters-snapchat-facebook-features 

FROM GOOGLE I/O

Google made several announcements at its Google I/O conference Wednesday. We'll summarize them for you here. 

Google Assistant is available for iPhone now and Google has added the ability to type questions and responses to Google Assistant in addition to voice. Products with Google Assistant built in are coming from several manufacturers with a badge on the box that indicates Google Assistant is built in. Google also extended its third-party Google Actions platform from Google Home to Android and iOS. Google also added Assistant support for more languages including Spanish, French, Japanese, German, Korean, Italian. http://www.pcworld.com/article/3197358/google-io/the-new-google-assistant-hands-on-with-the-supercharged-chatbot.html 

Google Photos has added machine learning to suggest people from your contacts you might want to share photos with. Suggestions will collect in a new tab called Sharing. Shared Libraries can also automatically add photos to a friend or family member's library, based on criteria like who's in the photo, where it was taken or when. Photos can also help you select the best photos to print in a photo book available for $10 in softcover and $20 in hardcover. https://arstechnica.com/gadgets/2017/05/updates-to-google-photos-ensure-youll-actually-see-those-party-photos-youre-in/ 

Google also announced a function called Lens coming to several applications starting with Photos and Assistant. Lens can do things like tell you what's in a picture or use OCR to take written info, say from a theater marquee, and add the event to a calendar or buy tickets. https://www.wired.com/2017/05/google-lens-turns-camera-search-box/ 

Google Home is coming this summer to Canada, Australia, France, Germany, Japan. A new function called proactive Assistance can alert you with lights if traffic is getting heavy or your flight is delayed. Hands-free calling lets you call from Google Home to any landline in the US or Canada. And Home has more integrations to send video to a Chromecast to see videos and information like weather or map routes on a TV. https://www.cnet.com/news/google-home-to-the-amazon-echo-anything-you-can-do/ 

A few features were announced for Android O, including picture-in-picture, notification dots on app icons, smart text selection and Google Play Protect which collects security information in one place. Google also supports the Kotlin language for app development. The first beta release is available at android.com/beta. https://techcrunch.com/2017/05/17/android-o-beta-is-available-today/ 

All future Android releases starting with O will have a version called Android Go optimized for basic smartphones with 1GB of memory or less. The OS includes carrier settings to make it easy to monitor data and buy more and apps optimized for low-quality and metered connections.

https://www.theverge.com/2017/5/17/15649380/google-budget-android-phone-program-announced-io-2017 

Qualcomm has built a reference design standalone Daydream VR headset, and HTC and Lenovo will have models for sale by the end of the year. The second Project Tango AR phone, the Asus ZenFone AR, will go on sale this summer. https://backchannel.com/inside-googles-slow-mo-vr-moonshot-c1c739d310aa

Google is adding Google for Jobs to its search engine to make it easier to find jobs suited to your location and skill level. https://www.usatoday.com/story/tech/news/2017/05/17/google-io-google-for-jobs-sundar-pichai/101768492/ 

And Google is collecting all its AI offerings together at Google.ai. Its Tensor Processing Units are available on the Google Compute Engine with 180 trillion floating point operations per second for Machine Learning training and inference. Google is giving 180 petaflops of Tensorflow to academics and researchers for free. And TensorFlow Lite is open source and will be available for Android developers later this year. http://www.pcworld.com/article/3197426/data-center-cloud/googles-standalone-vr-and-vps-address-the-clutter-and-clumsiness-of-virtual-reality.html 

Google to update Daydream VR platform later this year with 2D function panel overlay, Chrome, screen capture, Google Cast support, and more. http://www.theverge.com/2017/5/18/15656870/google-daydream-vr-euphrates-update-browser-cast-io-2017


