Writing

With this post, I’m starting to revive my posting on this blog by talking more about my work as a freelance writer. I’ve been writing full-time for about a year and a half and making good progress in reaching better markets. My technical posts will continue to be in Mad File Format Science.

One of the first things I discovered is that writing on spec isn’t a good way to make a living. For a while I was writing for the Foundation for Economic Education, which accepted most of my submissions. They still list me as being on their Faculty Network, but I’ve stopped writing for them because they’ve stopped paying for articles. I’ve submitted some proposals to Reason, but without luck so far. Maybe I’ll get in eventually, but it’s not an easy way to get a regular income.

Fortunately, I have ample skills for writing about tech topics, and I’ve found a lot of work by request.


Why Bucharest’s Internet is so fast

Here’s my latest article on the FEE website, on Internet in Romania.

The editor asked me to write a piece on this topic, because of Bernie Sanders’ tweet that Internet speeds in Bucharest are faster than the average speed in the US (which is true). I was flattered by the request and started researching the article right away. I joked to my friends that if you wanted to know about Internet in Romania, obviously I was the person to come to.

What I learned about the ad hoc networks in Romania’s major cities was fascinating; they have lots of competition, while we’re lucky to have a choice between the government-franchised cable company and the government-franchised phone company. The headline writer chose to play on the irony of Sanders’ endorsing a free-market solution, though I thought the solution itself was the really fascinating part. Mentioning Sanders draws more readers than mentioning Bucharest, I suppose. :)


Apple vs. the surveillance state

“I want you to think!”

“How will your gun make me do that, Mr. Thompson?”

      — Ayn Rand, Atlas Shrugged

The FBI has ordered Apple to undertake a spyware development program. Apple is saying no. I applaud Apple, and I hope that if the FBI gets its way, the developers charged with the task will quit.


Tracfone user agreement

I recently updated the Tracfone account application on my phone. The new version requires me to accept the following user agreement:

In addition to managing your Tracfone Account from your phone, this app also includes a feature that automates the functionality of the Wi-Fi radio in your smart phone by enabling/disabling the Wi-Fi radio and connecting you automatically to certain hotspots based upon the settings you choose. The app will also access and use your location and other profile and usage information to customize content. By clicking accept, downloading, installing, or using the app, you indicate that you have read and accepted the terms of the License Agreement above and that you consent to the use of your information in accordance with these terms.

That strikes me as very creepy, and if I don’t accept it, I can’t determine the usage balances on my phone or purchase additional time. The phone already has the capability to connect to Wi-Fi servers; is the app going to override that to connect to hotspots I haven’t approved?


A modest Java proposal: NationalSecurityException

class NationalSecurityException extends SecurityException {}

When a NationalSecurityException is thrown, the catch clause may access any data, regardless of permissions. This applies only to a catch clause which is in the function that threw the exception.

Should any other function catch a NationalSecurityException, it is expected to ignore it and proceed as if it never happened. Specifically, it is not permitted to throw an IllegalStateException or IllegalAccessException after catching a NationalSecurityException. Any attempt to do so will result in a WhistleblowerException.


Chrysler’s computer security disaster

Andy Greenberg and associates demonstrated that they can remotely hijack a Jeep Cherokee, making it do things that could kill everyone in it. Fiat Chrysler is recalling 1.4 million vehicles as a result of this revelation. Greenberg doesn’t fully explain how they did it, for obvious reasons, but he tells us this:

All of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone. Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. And thanks to one vulnerable element, which Miller and Valasek won’t identify until their Black Hat talk, Uconnect’s cellular connection also lets anyone who knows the car’s IP address gain access from anywhere in the country.

Every computer on the Internet has an IP address, so the real issue is the “one vulnerable element.” We can only guess about it, but this seems like serious negligence on Chrysler’s part. When a computer system can put people’s lives at risk, you have to pay serious attention to security. According to a Computerworld article, it’s the entertainment system which is open to remote access, but it “is commonly connected to various electronic control units (ECUs) located throughout a modern vehicle. There can be as many as 200 ECUs in a vehicle.”

A basic principle of secure design is that you grant only as much access as is necessary. It’s hard to imagine why an entertainment system would need access to life-critical components. If it is necessary, perhaps so that a warning of a major malfunction can go to the speakers, the critical component needs a firewall that limits the access it allows. Did Chrysler allow the entertainment system free run of its ECUs, or was the firewall defective? We don’t know yet, and maybe it will never be made public.

Dumping my Comcast cable modem

Comcast is one of America’s most reviled companies. It’s not hard to understand its obnoxiousness when you realize it lives off government-granted monopolies. While people conceded vast powers to the FCC because of the questionable threat that it would throttle competing video streams, the real problem has remained untouched: its widespread status as a local cable monopoly. For broadband I have two choices: the cable monopoly (Comcast) or the phone monopoly (Fairpoint). When Comcast raised my rates, I planned on returning to Fairpoint once their strike was over. The delay wasn’t because of moral opposition to strike-breaking, but levels of service that had fallen from poor to almost nonexistent during the strike.

However, after the strike Fairpoint didn’t even say on its website what it’s charging for broadband. Their website says “‘High-speed Internet’ doesn’t even begin to describe it.” That’s true, and that’s all they tell you. Considering that the reason I’d left Fairpoint was its tendency to drop connections, I decided they aren’t interested in new broadband customers. So I’m stuck with Comcast.

However, “stuck” doesn’t mean “totally stuck.” $10 of my $54.99 charge has been for leasing a cable modem. This amount has actually gone up as the device has aged. Once I decided that I wouldn’t escape Comcast quickly, I looked into replacing it with a purchased device. This was pretty easy for me, but describing what was involved may help some others. If you have Comcast Internet service and plan to keep it for a year or more, you should definitely escape that ridiculous lease.

The first step is to look at Comcast’s list of approved devices. There are lots of choices, many of them not too expensive. Just make sure you pick one that will keep up with the service level you’re paying for. You might want to check which manufacturers have been caught putting spyware in their devices, but that’s a matter for a different post.

I bought a Linksys DPC-3008 for about $60 from Amazon and set it up. It has just a single Ethernet port, so to keep things simple I connected my main computer directly to it. At this point you have to be patient. If I’d waited long enough, maybe ten minutes, it would have redirected any URL I entered to the Xfinity activation page and I probably could have done it online. But I thought that it wasn’t going to do that, so I called Comcast service. A successful battle with the phone tree led to a real person, who transferred my call to another person.

One of them, I think it was the first one, asked for the last four digits of my Social Security number (my “social,” as people call it when they’re trying to beguile you into handing over confidential information). I declined firmly and wasn’t pressed on the matter. (Why does Comcast make its customers’ Social Security numbers available to its support people!?) I had a bill at hand, so I gave my account number and they were satisfied with that.

Before connecting the device up, I had already copied the serial number and MAC address from its underside. Having these numbers available is important; it’s annoying to read tiny print off the bottom of a connected device while on the phone.

The woman who handled my setup was initially confused because she had the model number listed as a Cisco rather than a Linksys. Apparently it’s both. After asking some questions to make sure it really was what I was saying, she went ahead and did whatever magic occurs to recognize the device. (Comcast makes no secret of its back door to your modem.) There was a slow reinitialization and then I tested a well-known website (cnn.com, but any reliably accessible site will do), and all was well.

The next step was to get my wireless network working again. I’d previously put my Netgear Wi-Fi router into bridge mode, meaning it simply passed all traffic through to the cable modem. I connected up through it and my computer worked, but my Wi-Fi devices couldn’t find a local network. I went fishing on addresses like 192.168.1.1 and 10.0.0.1 and couldn’t find anything. Then it sank in that this box really was just a modem and had no IP address or browser-accessible service. Not really a problem; I just had to take my router out of bridge mode.

However, putting it into bridge mode had lobotomized it. The router now had no IP address of its own to talk to. The only option was to do a full reset on it, which for some reason took several tries at holding the recessed button in for 10 seconds. I then had to re-enter all the Wi-Fi settings, but it worked.

The last step was to return the Comcast device. Fortunately they have a shop in Nashua, so it was a short trip for me. I brought a recent bill for any account information they might need, and an Ethernet cable just in case they insisted that one belonged with the modem (they didn’t). My bill should now be reduced by $10 a month.

I hope this level of detail has been helpful rather than frightening. I will say that the Comcast people I talked with were polite and competent. They’re probably impressed by anyone who doesn’t take their anger at the company out on them.


Clinton’s email server

I try to avoid addressing specifically political issues on this blog too often, since I could easily get carried away with them to no useful purpose. This post is an extended reply to a couple of Twitter responses from a friend; discussing anything complicated on Twitter just doesn’t work. Also, it relates to issues where I have a bit of knowledge.

While she was Secretary of State, Hillary Clinton used a private server for the large majority of her official email. According to the New York Times, she didn’t even have a .gov email address. This doesn’t appear to have violated any laws, but legal isn’t the same thing as reasonable and prudent.

An article on Gizmodo discusses the security risks that may come with a less than expert setup of an email server. She used the domain clintonemail.com, managed by a company called Perfect Privacy, LLC. Perfect privacy sounds good, but names are easy. It’s hardly likely that its security was as good as the State Department’s. (Although, perhaps … she had reasons to think that hostile spy agencies had completely compromised the State Department’s email and she escaped to a private server? These days you can’t be too paranoid, but it isn’t clear how her course would have helped much. Future news developments might yet surprise us.)

The problems with such a system include lack of credible authenticity (If you got a message from “clintonemail.com,” would you think it was from the Secretary of State?), easy confusion with other domains, an uncertain level of security, and a far too convenient ability to delete anything she didn’t want known. Whether President Obama knew she was using this server is very confusing. A Guardian article says, “Barack Obama emailed Hillary Clinton several times at her personal email address, the White House said on Monday, while insisting the US president did not realise his secretary of state was operating an independent email system detached from government servers.” How is that even possible? Whatever Obama is, he isn’t stupid. Would he accept email from any old address that claimed to be his Secretary of State, without even wondering about it?

Maybe I’m just underestimating how tech-stupid most people, even intelligent ones, are. Some email clients, like the inexplicably popular Outlook, do their best to hide the address from which you got any email, showing only the name. When I had to use Outlook at a previous employer, even I found it hard to tell what address a message really came from. (Which isn’t to say that an email address authenticates anything. They’re trivial to forge.) This affair has me wondering just how vulnerable high-level government email communications are. Maybe it isn’t so unreasonable that Obama would be oblivious to an unfamiliar address. There must be clever technical people in Washington constantly begging high-level officials not to do stupid things, and I don’t envy them; who’d want to tell someone at the White House or Cabinet level, “Don’t do that, you idiot” for a living?

When caught, Clinton blustered; that’s a normal politician’s reflex. It only made her look more stupid to me, but not that many people understand the technical issues. I know how to read email headers; most people don’t know anything more than “From” and “To.” I’m regularly surprised when people don’t know things I consider common knowledge, like that Linux is an operating system or that Lenovo shipped Superfish with many of its computers. There are as many things I don’t know that other people take for granted. But somebody, in all that time, should have noticed that Clinton was engaging in seriously bad security and accountability practices. I suppose no one dared raise the issue.

How Lenovo’s spyware works

If you’ve recently bought a Lenovo computer and you’ve been reading about “Superfish,” should you panic? Yes.

Well, no. Panic never produces useful results. But you should definitely act. If you can, return the computer and get a different brand. If you can’t, take prompt steps to remove the spyware.

The best approach is to install Windows (or Linux) from scratch, overwriting the existing operating system, and not using Lenovo’s installation package. The problem isn’t just the spyware; it’s that Lenovo has shown itself to be basically untrustworthy. Even if we assume it accepted Superfish stupidly rather than knowing it was committing a major security breach, Lenovo was notified on January 21 that Superfish used a self-signed root certificate to intercept SSL communications and didn’t respond until the publicity became overwhelming, almost a month later. Update: Superfish was reported for falsifying Google search results on Lenovo’s forums back in September 2014, though that report didn’t note the SSL hijacking.

The root certificate issue may need some explaining. The SSL certificate system, which is central to secure Web communications, relies on private/public encryption keys. When you connect with authenticated HTTPS to a server, your browser challenges the server using encrypted data, based on the public key in the server’s certificate. The server can respond correctly only if it has the corresponding private key.

But how do you know that the certificate is authentic? The answer is “digital signing.” A certificate authority (CA) vouches for the certificate by signing it, and the same public-private trick is used to verify the signature’s authenticity.

But isn’t that begging the question? You still need to know whether the CA is authentic. A CA’s certificate can be signed by another CA, and such chains are necessary to handle the vast number of SSL certificates on the Internet. Ultimately it comes down to a trusted source, a “root certificate.” Browsers ship with one or more root certificates, which they trust by default. If a root certificate is compromised, the whole system comes crashing down. It can claim that fake certificates are genuine and allow impersonation of websites that collect your credit card numbers and other personal data.

Lenovo’s Superfish installs a rogue root certificate. It uses it to intercept your secure communications and modify them. The certificate is “self-signed,” and because it is installed as a trusted root, your browser will trust it. You think you have a secure, private channel to a site like Google, but Superfish is listening to every bit you transfer. This is what’s known as a “man in the middle” attack. It decrypts your data, does things with it, and then re-encrypts the modified data and sends it on its way.

Lenovo is intercepting secure communication by feeding users false data. I’m no lawyer, but shouldn’t that be grounds for criminal charges?

The private key is on the computer which runs Lenovo’s subverted version of Windows. It’s password protected, but a little reverse engineering of the software has turned up the password, which is a rather weak one and is now all over the Internet. This means that others can impersonate the impersonator, doing far worse things than injecting ads into your browser.

The CA system is inherently fragile. Superfish isn’t the first to have thought of this scam. There are lots of opportunities for criminals and governments (pardon the redundancy) to steal information this way.

It appears that Lenovo’s removal package, introduced after intense public pressure, removes the Superfish software but not the bogus certificate.
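The chain-of-trust logic described above, as an added example that is not part of the original post: a toy model in Python using textbook RSA on small known primes (insecure, for illustration only). All names, keys and certificates are constructed; it shows a forged certificate failing validation until a rogue root sits in the trust store, and a baseline audit that flags a root left behind after the software is removed.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by every toy key

def make_key(p, q):
    """Textbook RSA from two known primes: toy-sized and insecure by design."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pub: tuple
    sig: int = 0

    def tbs(self):  # the "to be signed" fields: everything except the signature
        return f"{self.subject}|{self.issuer}|{self.pub}".encode()

    def fingerprint(self):
        return hashlib.sha256(self.tbs()).hexdigest()

def issue(subject, pub, issuer_name, issuer_priv):
    n, d = issuer_priv
    body = Cert(subject, issuer_name, pub)
    return Cert(subject, issuer_name, pub, pow(digest(body.tbs(), n), d, n))

def signed_by(cert, issuer_cert):
    n, e = issuer_cert.pub
    return (cert.issuer == issuer_cert.subject
            and pow(cert.sig, e, n) == digest(cert.tbs(), n))

def validate(leaf, intermediates, trust_store):
    """Follow issuer links upward; return the trusted root's name, or None."""
    cert, pool = leaf, list(intermediates)
    for _ in range(len(pool) + 1):
        for root in trust_store:
            if signed_by(cert, root):
                return root.subject
        parent = next((c for c in pool if signed_by(cert, c)), None)
        if parent is None:
            return None
        pool.remove(parent)
        cert = parent
    return None

def unexpected_roots(trust_store, baseline):
    """Audit: roots on the machine whose fingerprint is not in the baseline."""
    return [r.subject for r in trust_store if r.fingerprint() not in baseline]

# Constructed sample data (Mersenne primes keep the toy keys reproducible).
def M(k):
    return 2**k - 1

root_pub, root_priv = make_key(M(61), M(89))
ca_pub, ca_priv = make_key(M(107), M(127))
rogue_pub, rogue_priv = make_key(M(521), M(607))
ROOT = issue("Example Root CA", root_pub, "Example Root CA", root_priv)
CA = issue("Example Issuing CA", ca_pub, "Example Root CA", root_priv)
SITE = issue("www.example.com", make_key(M(61), M(127))[0],
             "Example Issuing CA", ca_priv)
ROGUE = issue("Rogue Interception Root", rogue_pub,
              "Rogue Interception Root", rogue_priv)
FORGED = issue("www.example.com", make_key(M(89), M(107))[0],
               "Rogue Interception Root", rogue_priv)
BASELINE = {ROOT.fingerprint()}  # fingerprints of the roots you expect to find
```

The audit compares fingerprints rather than names, so a root that copies a legitimate CA's subject still shows up as unexpected.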

Lenovo has been shamelessly lying:

There has been significant misinformation circulating about Superfish software that was pre-installed on certain Lenovo laptops. The software shipped on a limited number of computers in 2014 in an effort to enhance the online shopping experience for Lenovo customers. Superfish’s software utilizes visual search technology to help users achieve more relevant search results based on images of products they have browsed.

Despite the false and misleading statements made by some media commentators and bloggers, the Superfish software does not present a security risk. In no way does Superfish store personal data or share such data with anyone. Unfortunately, in this situation a vulnerability was introduced unintentionally by a 3rd party. Both Lenovo and Superfish did extensive testing of the solution but this issue wasn’t identified before some laptops shipped. Fortunately, our partnership with Lenovo was limited in scale. We were able to address the issue quickly.

Where do we start? Lenovo makes unspecified claims about “false and misleading statements” without denying anything in particular. The issue isn’t merely a “security risk,” but an actual, willful breach. Whether it shares the intercepted data with a third party is irrelevant. The claim that a software bug “unintentionally” created the forged certificate and man-in-the-middle interception is ludicrous.

The “third party” in question is a company called Komodia, which devised the interception technology and used its own name as the password for the bogus certificate. According to Forbes, Komodia’s founder, Barak Weichselbaum, “was once a programmer in Israel’s IDF’s Intelligence Core.” Komodia used to offer an “SSL hijacker,” no longer on their website although the Internet Archive still has the page. Komodia explains that “the hijacker uses Komodia’s Redirector platform to allow you easy access to the data and the ability to modify, redirect, block, and record the data without triggering the target browser’s certification warning.” Purely unintentionally, of course.

Just by the way, here’s a filk on the subject:

Superphishin’

Words: Gary McGath, Copyright 2015

Music: “Superchicken”

When your data is in danger,
When it’s picked up by a stranger,
And they never asked for your permission,
There is someone you can blame
For putting spyware on your disk:
Lenoooooooooovo’s Superphishin’!
 
If it looks like you have well and truly caught it,
You should have known it was infected when you bought it.
 
Now you understand the risk
Of SSL faked on the disk;
A painful death for them is what you’re wishin’.
There is someone you can blame
For putting spyware on your disk:
Lenoooooooooovo’s Superphishin’!
Lenoooooooooovo’s Superphishin’!


Review: Swann Viewcam

Looking for something to augment my home security, I picked up a Swann Viewcam. It’s offered as a basic home security camera with local storage and Wi-Fi capabilities. The idea is good, and the camera itself doesn’t seem too bad, but the software makes it a disaster. First I downloaded the Mac application. It’s unintuitive, without text labels on its controls. It provides no reliable status indication for the device. Sometimes it would say the device was “off,” but at other times it would just show the last image received. If it’s monitoring an empty room, it can take a while to realize that nothing is being updated. The camera’s Wi-Fi range is poor, even in a relatively small home like mine.

The iOS application is even weaker, and it bombards you with ads. (Have they forgotten that the people using it have just paid them a fair amount of money for the device?) It doesn’t provide any status indication beyond showing incoming video or not. It required me to log in repeatedly; that isn’t even a security feature, since it pre-loaded the user and password fields and just made me tap “Log in” to continue.

All this wouldn’t be fatal if the device and software performed their basic function of storing video. Last night I noticed no files were being stored, but I let it run overnight just to be sure. This morning there were still no files stored in the folder I’d designated. I’d put a Micro SD card into the device to store video locally; that likewise had nothing on it.

Zero stars. This device will soon be going back to the store.
