A Simple Query, Interesting Consequences

October 15, 2021

The balance between effective tools for law-enforcement and civil liberties is, of course, a tricky one. Forbes discusses the thorny issue of keyword warrants in “Exclusive: Government Secretly Orders Google to Identify Anyone Who Searched a Sexual Assault Victim’s Name, Address and Telephone Number.” The use of this specific warrant was inadvertently, and temporarily, unsealed by the Justice Department in September. Forbes was able to review the documents before they were sealed again. The write-up gives some relevant details of the Wisconsin case, but basically investigators asked Google for the Google account information and IP addresses of anyone who had searched for the victim’s name, two spellings of her mother’s name, her address, and her phone number on 16 specific days. Before this, we’re told, only two other keyword warrants had been made public. Writer Thomas Brewster emphasizes:

“While Google deals with thousands of such orders every year, the keyword warrant is one of the more contentious. In many cases, the government will already have a specific Google account that they want information on and have proof it’s linked to a crime. But search term orders are effectively fishing expeditions, hoping to ensnare possible suspects whose identities the government does not know. It’s not dissimilar to so-called geofence warrants, where investigators ask Google to provide information on anyone within the location of a crime scene at a given time. … The latest case shows Google is continuing to comply with such controversial requests, despite concerns over their legality and the potential to implicate innocent people who happened to search for the relevant terms.”

In this particular case, the warrant’s narrow scope probably prevented that from happening. Still, even the most carefully worded requests set precedent. And others have been broad enough to impugn the merely curious, as with these orders made to Google, Microsoft, and Yahoo during the investigation into 2018’s serial bombings in Austin. Those warrants called for the account information and IP addresses of anyone searching for certain addresses and terms like “low explosives” and “pipe bomb.” As the ACLU’s Jennifer Granick observes:

“Trawling through Google’s search history database enables police to identify people merely based on what they might have been thinking about, for whatever reason, at some point in the past. This is a virtual dragnet through the public’s interests, beliefs, opinions, values and friendships, akin to mind reading powered by the Google time machine.”

As Granick sees it, keyword warrants not only breach the Fourth Amendment’s protections from unreasonable searches, they also threaten the freedom of speech granted by the First Amendment: Google users may hesitate to look up information if their search histories could be handed over to the government at any moment. It does not help, she notes, that this is all going down in secret. See the article for more information.

Cynthia Murrell, October 15, 2021

Google: Is Duplicity THE Game Plan?

September 27, 2021

I read “Google CEO Sought to Keep Incognito Mode Issues Out of Spotlight, Lawsuit Alleges.” Keep in mind that this is an allegation. The write up reports:

Google Chief Executive Sundar Pichai in 2019 was warned that describing the company’s Incognito browsing mode as “private” was problematic, yet it stayed the course because he did not want the feature “under the spotlight,” according to a new court filing. Google spokesman José Castañeda told Reuters that the filing “mischaracterizes emails referencing unrelated second and third-hand accounts.”

Like the word “unlimited” in “unlimited downloads”, my hunch is that “incognito” has a special meaning to Googlers. Those who are not Googley will not understand that “incognito” is a flag which makes it possible to pay attention to such actions within that browser function.

I am not Googley; therefore, I inferred that incognito meant:

with one’s identity concealed

There you go. A simple error caused because I, like some other people, assume that definitions matter. They do. What’s left out is that super smart executives at some high tech companies speak their own language. Like “diversity” and “Timnit Gebru.”

The Googley don’t make mistakes with words.

Stephen E Arnold, September 27, 2021

DuckDuckGo Email Protection Now in Beta

August 4, 2021

DuckDuckGo has released a new privacy-centric service. The Verge reports, “DuckDuckGo Launches New Email Protection Service to Remove Trackers.” Famous for its non-tracking search platform, the company also offers mobile and desktop browser extensions and is working on its own privacy-focused desktop browser. Metasearch to browser to email: the company aims to protect privacy across the online environment. The article describes how the email service removes trackers, and one can find details on how its other offerings work at its website. It all sounds very effective, and we are glad to see these measures in place. However, we have a question: What about those log files? I suppose we are to assume no admin ever, ever looks at that data.

Writer Dave Gershgorn describes how the Email Protection tool works:

“The company’s new Email Protection feature gives users a free ‘@duck.com’ email address, which will forward emails to your regular inbox after analyzing their contents for trackers and stripping any away. DuckDuckGo is also extending this feature with unique, disposable forwarding addresses, which can be generated easily in DuckDuckGo’s mobile browser or through desktop browser extensions. The personal DuckDuckGo email is meant to be given out to friends and contacts you know, while the disposable addresses are better served when signing up for free trials, newsletters, or anywhere you suspect might sell your email address. If the email address is compromised, you can easily deactivate it. These tools are similar to anti-tracking features implemented by Apple in iOS 14 and iOS 15, but DuckDuckGo’s approach integrates into iOS, Android, and all major web browsers. DuckDuckGo will also make it easier to spin up disposable email addresses on the fly, for newsletters or anywhere you might share your email. Tackling email privacy has been a major goal for DuckDuckGo, as the company pushes for privacy-friendly methods for various online tasks.”

According to this 2017 study, more than 70 percent of email lists employ trackers that tell advertisers when, where, and on what device a message is opened. This information, of course, is then used to build advertising profiles. DuckDuckGo knows switching email addresses is a hassle most users would be unwilling to endure, so it came up with this intermediary layer. Naturally, the tool integrates with the company’s browser extensions. One limitation—while a user can respond to email that comes in to their @duck.com address, one cannot use it to initiate a new email thread. Email Protection is currently in beta; no word on when we can expect the tool to be released to the public.
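As an added illustration of the tracker-stripping step described above (this is not DuckDuckGo’s code and not from the article), the following Python filter applies the kind of heuristics a forwarding relay might use: a remote image that is 1x1, hidden by CSS, or carries a per-recipient token in its query string is dropped and logged, while inline (cid:) images and ordinary pictures pass through. The sample message, the token key list and the size thresholds are all assumptions.

```python
"""Added example: strip likely open-tracking pixels from an HTML email.

Not DuckDuckGo's code; the heuristics and the sample message are assumptions
about how a forwarding relay might spot trackers, not their implementation.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Query keys that commonly carry a per-recipient identifier (assumed list).
TOKEN_KEYS = {"uid", "rid", "eid", "tid", "token"}
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def is_tracker(attrs):
    """True if an <img> looks like an open tracker rather than content."""
    a = {k: (v or "") for k, v in attrs}
    url = urlparse(a.get("src", ""))
    if url.scheme not in ("http", "https"):
        return False  # cid:/data: images never phone home when opened

    def dim(key):  # "1px" -> "1", "120" -> "120"
        return a.get(key, "").strip().lower().rstrip("px")

    tiny = dim("width") in ("0", "1") and dim("height") in ("0", "1")
    hidden = HIDDEN_RE.search(a.get("style", "")) is not None
    tokenized = any(k.lower() in TOKEN_KEYS for k in parse_qs(url.query))
    return tiny or hidden or tokenized


class PixelStripper(HTMLParser):
    """Re-emits the HTML unchanged except for <img> tags flagged as trackers."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.removed = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "img" and is_tracker(attrs):
            self.removed.append(dict(attrs).get("src"))  # log what was cut
            return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):  # <img ... /> form
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")


def strip_trackers(html):
    """Return (cleaned_html, [removed tracker URLs])."""
    p = PixelStripper()
    p.feed(html)
    p.close()
    return "".join(p.out), p.removed


# Constructed sample message: one real logo, two trackers, one inline image.
SAMPLE = """<html><body><p>Thanks for subscribing &amp; welcome!</p>
<img src="https://cdn.example.net/logo.png" width="120" height="40" alt="logo">
<img src="https://t.example.net/o.gif?uid=8f3a2c" width="1" height="1" alt="">
<img src="https://img.example.net/pixel.png" style="display:none">
<img src="cid:photo1" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    cleaned, removed = strip_trackers(SAMPLE)
    print("removed:", removed)
    print(cleaned)
```

The filter only addresses image-based open tracking; link-click tracking (rewritten URLs) is a separate problem that this example does not handle.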

Cynthia Murrell, August 4, 2021

Microsoft: China Fingers Data Collectors

May 21, 2021

I read “China Says ByteDance, Baidu, and Microsoft Improperly Collected User Data.” The story reports:

China Cyberspace Administration also named American tech giant Microsoft and its two products Bing and LinkedIn in a statement.

Bing and LinkedIn. What about Windows 10, the nifty Office system, and the ever Bob Windows Defender and its file monitoring and remembering capability?

The story pointed out nothing more.

“China’s Internet Watchdog Says ByteDance, TikTok, Microsoft Collected User Data” noted that Kuaishou (a social media platform) was snagged in the monitoring sweep. Apparently about 100 other applications and vendors were identified. This story said:

The authorities reportedly said that the apps violated several laws and had even infringed personal information through illegal access, over-collection and excessive information. The notice, reportedly, was shared to a notice on its WeChat official account. Earlier in April, Chinese regulators had called on 13 online platforms to adhere to stricter regulations in their financial divisions as a push to rein in China’s tech giants.

More information (maybe disinformation) will appear, but it seems as if China wants to send a message to technology companies. Executive changes, financial penalties, and mind games are likely to be fellow travelers for this government move. My take is that China will focus on the senior management of certain firms. High technology companies’ senior managers operate without fear of government action in the US and elsewhere. If China flexes its muscles, those relaxing cruises up the Yangtze River may provide some passengers with unexpected destinations. Fancy Qincheng Prison, anyone?

Stephen E Arnold, May 21, 2021

Hard-to-Detect Cybercrime Bots Target Young and Old

April 2, 2021

A recent report from research firm LexisNexis emphasizes bad actors’ growing reliance on bots to pull off their attacks. Not only that, these bots are becoming harder to catch. As TechBullion states, “Cybercrime Report Highlights the Need for Greater Security Visibility.” Reporter Oren Rofman writes:

“While hacks and attacks primarily driven by humans tend to be more sophisticated, bot attacks are not much easier to detect and remediate. Former Akamai security expert Ido Safruti, who is now CTO at PerimeterX, describes new bot attacks as invisible invaders that are becoming more difficult to detect. … Having evolved over the decades, these attacks have become more sophisticated than ever. While previous bots can be detected because of their inability to perform tasks humans are expected to do easily, advanced bots are now capable of doing complex actions and can even interact with humans. They can latch onto host users like parasites and perform actions that make them appear as human users.”

Since bot attacks tend to infect multiple devices, IP blacklists do little against them. Application firewalls and similar defenses are also ineffective because attacks successfully mimic legitimate users. Instead, we’re advised, companies must boost their security visibility so they can react to threats promptly. Rofman suggests continuous security validation as an effective approach. He writes:

“This entails the use of multiple strategies including behavioral detection solutions, SIEM/SOC validation, full-kill chain APT simulation, and purple team automation. The creation of the MITRE ATT&CK framework also helps in dealing with the most recent bot attacks, as it provides comprehensive and up-to-date threat intelligence along with detailed descriptions and information on attack patterns and processes. Many security solutions already integrate ATT&CK in their systems.”

Another important, though perhaps obvious, point is the role age plays in user vulnerability—those over 75 are more likely to fall victim because they are less familiar with technology in general. Those under 25, on the other hand, are profitable targets due to their lack of experience and tendency to forgo security best practices. The report also found that mobile e-commerce transactions are especially vulnerable, and that streaming media has opened new opportunities for hackers. One thing is clear—the problem of cybercrime is only getting worse, and users of all ages need to learn, and follow, security best practices.

Cynthia Murrell, April 2, 2021

How about Those Cyber Security Awards? Great in the Wake of SolarWinds and the MSFT Exchange Issues

March 26, 2021

The Cyber Defense Awards, hosted by Cyber Defense Magazine, has released its list of “InfoSec Awards for 2020-Winners.” The introduction reads:

“These InfoSec Awards are in their 8th year and specifically focused on finding innovative infosec players who have a presence in the United States and other countries. With over 3,200 cybersecurity companies worldwide, only a small number – roughly 10% – are highlighted as InfoSec Awards 2020 winners, based upon independent judging and analysis. This year, we’ve continued to expand our coverage of some of our winning Women in Cybersecurity who will be rolled into our annual update, highlighting some of the innovative women helping take cybersecurity to new heights.”

It is nice that the awards are recognizing the contributions of women in the male-dominated field, and the post presents us with an impressive list of companies. However, we note one name seems to be missing—FireEye, the firm whose smart human analyst (non AI infused) actually caught the widespread SolarWinds attack. After that debacle, the effects of which the cyber-security community is still unraveling, we wonder whether these awards are justified. Perhaps they should have taken the year off.

Be that as it may, those interested in the cyber security field may want to check out the full list. It and a description of the judges’ approach can be viewed at the link above.

Now the $64 dollar question: How many of these “winners” detected the SolarWinds and Exchange breaches? Choose one: [a] None, [b] Zip, [c] Zero, [d] Nada.

Cynthia Murrell, March 26, 2021

Microsoft: Losing an Appetite for Chinese Take Out?

March 16, 2021

I read “Microsoft Claims They Are under Attack by China.” Last month, Microsoft was under attack by Russia. In this most recent round of finger pointing, the Giant Freakin Robot states:

Microsoft says this hack actually began months ago, maybe as early as January with the hackers masking their efforts along the way and prying deeper into the base systems that stand up these email servers. Once it was noticed in early March, the company worked on a fix.

The bad actors have done significant harm. Attributing the attack to a nation state suggests that companies based in the US and deploying software and services worldwide are targets of value.

Several questions come to mind:

  1. With an attack which began months ago, why weren’t existing cyber security systems able to discern the breach and issue alerts?
  2. How long is “months ago”? What if the Exchange breaches occurred three, six, a year or more before being detected? Microsoft “defender” should have defended, but what about third party cyber security systems?
  3. Will the patches remediate the problem? Microsoft issued a Windows 10 update which caused some print functions to fail. Are Microsoft’s “fixes” introducing new vulnerabilities?

Net net: The bad actors (whether kids in McDonalds or trained cyber warriors in bunkers) may not be the actual problem.

What’s the problem?

Microsoft’s core business processes maybe?

The move to the cloud, background updates, flawed quality checks, and an eagerness to blame others could be contributing factors to the Redmond giant’s spate of woes.

What countries will be blamed for attacking Microsoft? I think Liechtenstein looks suspicious, don’t you?

Scrap the Chinese lunch order for today too.

Stephen E Arnold, March 16, 2021

Quantum Computing: The Solution to SolarWinds and Microsoft Security Gaps

March 12, 2021

I am an optimist. I have been waking up with the idea that life is good and my work might make the world a slightly better place. However, I don’t put much trust in unicorns (nifty horses with a long pointy horn or the Silicon Valley type), fairies, or magical mermaids. When new technology comes along, I view the explanations of the technology’s wonders with skepticism. Mobile phones are interesting, but the phone has been around for a while. Shrinking chips make it possible to convert the “phone” into a general purpose thumbtyping machine. Nifty, but still a phone on steroids.

I thought about the human tendency to grasp for silver bullets. This characteristic runs through Jacques Ellul’s book The Technology Bluff. Its decades-old explanations and analyses are either unknown or ignored by many informed individuals. My hunch is that the Murdoch-owned Wall Street Journal assumes that its writers are responsible for understanding certain topics.

I read “Effective Cybersecurity Needs Quantum Computing.” Perhaps I should send a copy of Dr. Ellul’s book? But why? It’s not like the hippy dippy books included in the Murdoch book reviews. Dr. Ellul likes interesting words; for example, Mancipium. Does Mr. Murdoch’s oldest son know the meaning of the word? He should; he lives in a mancipium-infused environment.

The essay asserts that a new and essentially unworkable technology will deal with the current cybersecurity challenges. How many years will be required to convert baby step lab experiments into a scalable solution to the business methods employed at outfits like SolarWinds and Microsoft? One, maybe five, or a more realistic 25 years?

The problems caused by flawed, short cut riddled, and uninformed approaches to coding, building, deploying, and updating enterprise software are here-and-now puzzles. For a point of reference, the White House sounded an alarm that a really big problem exists and poses threats today.

Sure, let’s kick back and wait for the entities of nifty technology to deliver solutions. IBM, Google, and other firms are beavering away on the unicornesque quantum computing. That’s fine, but to convert expensive, complex research and development projects into a solution for the vulnerability of that email you sent a few minutes ago is just off the wall. Sure, there may be a tooth fairy or a wizard with a magic wand, but that’s not going to be the fix quantum computing allegedly will deliver.

The WSJ essay states:

The extraordinary sensitivity of qubits reveals interference instantly and unfailingly. They would alert us when hackers read, copy or corrupt transmitted files.

Sure, if someone pays attention. I want to point out that exactly zero of the cybersecurity systems monitoring the SolarWinds’ misstep sounded an alarm. Hooking these systems into a quantum system will result in what, another two to five years of development? Walking by today’s quantum computers and waving an iPhone close to a component can create some excitement. Why? Yep, sensitivity. But why worry about trivial details.

The Murdocher does admit that quantum computers are years away; there is zero value in kicking today’s security disasters down the road like a discarded can of Pabst Blue Ribbon beer. Funding is fine. Conflating the current radiation poisoning of digital systems with quantum computing is like waiting for an Uber or Lyft driver to come by in a chariot pulled by a unicorn.

Stephen E Arnold, March 12, 2021

Palantir and Anduril: Best Buds for Sure

March 12, 2021

I read “Anduril Industries Joins Palantir Technologies’ TITAN Industry Team.” In the good old days I would have been zipping from conference to conference outputting my ideas. Now I sit in rural Kentucky and fire blog posts into the datasphere.

This post calls attention to an explicit tie up between two Peter Thiel-associated entities: Palantir Technologies and Anduril. The latter is an interesting company with some nifty smart technology, including a drone which has the cheerful name “Anvil.”

For details about the new US Army project and the relationship between these two companies, the blog post was online as of March 8, 2021. (Some information may be removed, and I can’t do much about what other outfits do.)

Information about Anduril is available at their Web site. Palantir is everywhere and famous in the intelware business and among some legal eagles. No, I don’t have a Lord of the Rings fetish, but some forever young folks do.

Stephen E Arnold, March 12, 2021

The Microsoft Supply Chain Works Even Better Going Backwards

March 4, 2021

Do you remember the character KIR-mit? He once allegedly said:

Yeah, well, I’ve got a dream too, but it’s about singing and dancing and making people happy. That’s the kind of dream that gets better the more people you share it with.

I am not talking about Jim Henson’s memorable character. That frog spelled its name Kermit. This is KIR-mit, an evil doppelgänger from another universe called Redmonium.


This KIR-mit is described in “Microsoft Is Using Known Issue Rollback (KIR) to Fix Problems Caused by Windows 10 Updates.” I learned that KIR

enables Microsoft to rollback changes introduced by problematic patches rolled out through Windows Update. KIR only applies to non-security updates.

Does the method expand the attack surface for bad actors? Will weird calls to senior citizens increase with offers to assist with KIR-mit modifications? Will questionable types provide links to download KIRs which are malware? Yes, yes, and yes.

The article points out:

Known Issue Rollback is an important Windows servicing improvement to support non-security bug fixes, enabling us to quickly revert a single, targeted fix to a previously released behavior if a critical regression is discovered.

KIR is something users have said they wanted. Plus Microsoft has had this capability for a long time. I recall reading that Microsoft had a method for verifying the “digital birth certificate” of software in order to identify and deal with the SolarWinds-type of supply chain hack. I point this out in my upcoming lecture for a law enforcement entity. Will my audience find the statement and link interesting? I have a hunch the cyber officers will perk up their ears. Even the JEDI fans will catch my drift.

Just regular users may become woozy from too much KIR in the system. Plus, enterprise users will be “in charge of things.” Wonderful. Users at home are one class of customers; enterprise users are another. In between, attack surface the size of the moon.

Several questions:

  • Why not improve the pre release quality checks?
  • Why not adopt the type of practices spelled out by in-toto and other business method purveyors?
  • Why not knock off the crazy featuritis and deliver stable software in a way that does not obfuscate, mask, and disguise what’s going on?

And the answer to these questions is, “The cloud is more secure.”

Got it. By the way, a “kir” is a French cocktail. Some Microsoft customers may need a couple of these to celebrate Microsoft’s continuous improvement of its outstanding processes.


As KIR-mit said, “It’s about making people happy.” That includes bad actors, malefactors, enemies of the US, criminals, and Microsoft professionals like Eric Vernon and Vatsan Madhava, the lucky explainers of KIR-mit’s latest adventure.

Stephen E Arnold, March 4, 2021
