The Internet of Things Needs Anti-Virus Protection
As the Internet of Things grows and more devices than ever have network connectivity baked in, you might start to wonder what protects all of these smart home appliances and media streaming dongles against hacks. The answer: pretty much nothing. Companies can release security updates or patches when they learn about vulnerabilities in their devices, but who is going to do a software update on their refrigerator?
The problem is particularly troubling in an industry where there are Internet routers in every office and a Voice over IP phone on every desk. Even if an attacker can’t get into your computer because it’s running anti-virus software, she can still get eyes and ears in your office by hacking an IP phone or video console unit. And since those devices are behind office firewalls, she might even be able to infiltrate network servers from there.
In an attempt to implement a large-scale solution for corporate and government application, a group of Columbia University researchers have started a company, Red Balloon, to sell security defenses for embedded devices—i.e., the little computers in electronics that don’t look recognizably like a laptop, desktop, or server. The group has funding from Columbia and the Department of Homeland Security, and had funding from DARPA for earlier research. Last week at the security summit RSA Conference, Red Balloon presented a new hack of Avaya-brand IP phones and showed how their defense system, known as the Symbiote, can alert a device’s owner to an attack.
“Now that we know that these phones can be hacked and used as eyes and ears by the attackers, it's time we started demanding real security on the phones,” says Ang Cui, Red Balloon’s chief scientist. “These phones, like most other embedded devices I've looked at, are about as protected as my laptop back in 2006, without anti-virus.”
In the past Red Balloon has demonstrated exploits of multiple Cisco IP phones. Combined with the Avaya demonstration, they have now exposed vulnerabilities in products that together represent more than half of total IP phone market share worldwide. That’s a lot of vulnerable phones.
Cui, along with Red Balloon’s director Salvatore Stolfo and the rest of their research team, are offering corporations and government agencies a free pilot license of their package of defense products, AESOP. The goal is to install the product on the large quantity of devices these groups already use to offer protection, but also do recon to see if the devices have already been exploited, and by whom. Long term, the idea is for Red Balloon software to come standard on new devices so they are pre-protected for consumers.
The main component of Red Balloon’s defense, the Symbiote, is a small piece of code that is injected into a “host” device. The product is “operating system agnostic,” meaning it can analyze and protect any device even if it is running a proprietary operating system that Red Balloon couldn’t have accessed and parsed in advance. Once injected, the Symbiote lies in wait, monitoring the system for suspicious activity like modifications in certain parts of the code. If it detects something, the Symbiote alerts the device’s owner and other Symbiotes running on the same network.
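To make the code-integrity idea concrete, here is a constructed C illustration of the kind of monitoring the Symbiote is described as doing: record a baseline hash of each protected code region at injection time, rehash periodically, and raise an alert when a region no longer matches. It is not Red Balloon's code; the "firmware regions" are byte arrays in RAM and the alert is a printed line rather than a message to the owner or to other monitors on the network.

```c
/* Constructed example of Symbiote-style code-integrity monitoring.
 * Not Red Balloon's code: the "firmware regions" are byte arrays in RAM
 * and the alert is a printed line instead of a network notification. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_REGIONS 4

struct region {
    const char    *name;
    const uint8_t *base;     /* start of the protected code region */
    size_t         len;
    uint64_t       baseline; /* hash taken at injection time, never updated */
    int            tampered; /* set once a mismatch has been observed */
};

struct monitor {
    struct region regions[MAX_REGIONS];
    size_t        count;
};

/* FNV-1a 64-bit: cheap enough to rerun periodically on a small device. */
static uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Seal a region: the baseline is recorded once and is never re-baselined. */
int monitor_add(struct monitor *m, const char *name, const uint8_t *base, size_t len) {
    if (m->count >= MAX_REGIONS) return -1;
    struct region *r = &m->regions[m->count++];
    r->name = name; r->base = base; r->len = len;
    r->baseline = fnv1a64(base, len);
    r->tampered = 0;
    return 0;
}

/* Periodic check: rehash every region, alert on each mismatch, and
 * return how many regions no longer match their baseline. */
int monitor_check(struct monitor *m) {
    int modified = 0;
    for (size_t i = 0; i < m->count; i++) {
        struct region *r = &m->regions[i];
        if (fnv1a64(r->base, r->len) != r->baseline) {
            r->tampered = 1;
            modified++;
            printf("ALERT: region '%s' (%zu bytes) differs from baseline\n", r->name, r->len);
        }
    }
    return modified;
}

/* Constructed demo data standing in for two firmware code regions. */
static uint8_t boot_code[64];
static uint8_t net_stack[128];
static struct monitor g_mon;

void demo_init(void) {
    for (size_t i = 0; i < sizeof boot_code; i++) boot_code[i] = (uint8_t)(i * 7 + 1);
    for (size_t i = 0; i < sizeof net_stack; i++) net_stack[i] = (uint8_t)(i ^ 0x5a);
    g_mon.count = 0;
    monitor_add(&g_mon, "boot", boot_code, sizeof boot_code);
    monitor_add(&g_mon, "netstack", net_stack, sizeof net_stack);
}

/* Simulate a single-byte patch to the network stack's code. */
void demo_tamper(void) { net_stack[40] ^= 0x80; }

int main(void) {
    demo_init();
    printf("clean check: %d modified\n", monitor_check(&g_mon));
    demo_tamper();
    printf("after patch: %d modified\n", monitor_check(&g_mon));
    return 0;
}
```

Note that a monitor like this only sees changes to the bytes it hashes, which is exactly the limitation Kovah raises: it says nothing about attacks that leave code intact and only redirect data flow.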
The Red Balloon researchers aren’t the only group working on defense solutions for embedded devices, though. At MITRE, a nonprofit that runs federally funded research and development centers, researchers are using work started at Carnegie Mellon University to develop their own approach to system security. Xeno Kovah, MITRE’s information security engineer, explains that the approach he is working on also lives on a device, but isn’t looking for code modifications. Instead it assumes that an attacker has full knowledge of the system she is hacking, and allows her to try to conceal her presence on the device. The attempt at concealment itself costs the device extra work when it answers the measurement requests, producing a detectable change in how long those requests take to be answered, which reveals the attacker’s presence.
MITRE’s Kovah points out that if Red Balloon’s Symbiote is focused on checking whether code is intact, an attacker could manipulate the system to make the Symbiote think that the system still looks the same when it’s actually been modified. Additionally, Kovah points out that not all attacks involve modifying code. Instead, some are targeted at redirecting the flow of data through a system in deleterious ways.
“The software Symbiote definitely does defeat the type of attackers that are in the wild right now,” Kovah says, but “I don’t have a lot of faith in it long-term.” Kovah worries that if an attacker can control and warp measurements of a system she can make products like the Symbiote send back normal readings even though a device has been compromised.
Cui says that he thinks timing-based attestation is a strong option in some contexts, but is “infeasible for the general case.” And he adds that AESOP, the security software suite, includes a component for evaluating the code that coordinates software and hardware (the firmware) and removing any unnecessary or easily repeatable code that a hacker could infiltrate or hide behind. Most importantly, AESOP is both a pilot of Red Balloon’s products and “a recon mission for us to find real embedded attacks in places we think we'll find them.” The data from the pilot will inform Red Balloon’s next development steps by giving the group more information about who is currently exploiting embedded device weaknesses and why.
Everyone agrees, though, that embedded devices “have negligible security,” as Kovah says. “At least the Red Balloon approach gives you some ability to detect whether or not there’s manipulation of the device. That’s the kind of capability that’s not widely available.”
Hollywood's Copyright Lobbyists Are Like Exes Who Won't Give Up
You know when you break up with someone and they just don’t get the message? A few months later, they’re trying again, testing the waters with a few small things that just keep getting bigger. They friend you again on Facebook. They start liking your posts. They show up at a party they expect you to be at. They ask you for drinks, just to “catch up,” you know? And then they talk about the way things used to be, and if only you two could try again. And you’re like, “What part of ‘I never want you to be a part of my life’ did you not understand?”
The copyright lobbyists in D.C. are following this ex-boyfriend playbook.
Let’s begin with the breakup. Under the 1998 Digital Millennium Copyright Act, Tumblr, YouTube, Reddit, WordPress, and Facebook aren’t responsible for the copyright infringement of each of their millions of users, so long as they take down specific posts, videos, or images when notified by copyright holders. But copyright holders thought that wasn’t good enough. They wanted to take down whole websites, not just particular posts, and without ever going to court. In 2011, they proposed a bill that would let them do just that.
It was called SOPA.
This Drummer Has a Third Arm
It would be pretty amazing to have three arms, but it would feel even stranger to go from one to three. At Georgia Tech, a music technology researcher, Gil Weinberg, is taking the work he's done on robot musicians and using it to create prosthetics for amputees. Rick Allen from Def Leppard is back!
The prosthetic is really two arms in one. The first uses a computer to process physical inputs from the wearer as she flexes her muscles. But the second portion moves autonomously, improvising along with music. There is currently one prototype of the prosthesis, made especially for drummer Jason Barnes. Barnes lost his right arm below the elbow two years ago in an accident. Since he is a student at the Atlanta Institute of Music and Media, he had the resources to build himself a prosthesis, but it was limited, and he couldn't really play the drums while wearing it, even though he could move the elbow of the device.
The Georgia Tech prosthesis is different because its sensors respond to fine differences in Barnes' bicep muscle movements, which translate to more precise control over the drumstick. “Now I can flex and send signals to a computer that tightens or loosens the stick and controls the rebound,” said Barnes in a press release.
Since the second “arm” moves and drums on its own, Barnes has control over whether he wants to use it at a given time. Weinberg said in the press release, “Jason can pull the robotic stick away from the drum when he wants to be fully in control. Or he can allow it to play on its own and be surprised and inspired by his own arm responding to his drumming.”
Having a third arm at all is weird to think about, much less one that thinks and drums on its own, but for someone dealing with the loss of an arm it's kind of cool to get a bonus. “I’ll bet a lot of metal drummers might be jealous of what I can do now,” Barnes said. The cyborgs shall inherit the earth.
But Wait, There’s More (Winter)
A storm currently crossing through the Pacific Northwest will join forces with yet another Arctic blast pushing south from the still-frozen Canadian Shield. Snowstorm number infinity of this legendary winter comes courtesy of a phasing of energy from the jet stream and an ample supply of cold air perfectly positioned for maximum effect. (Phasing is a term meteorologists use when low pressure centers merge, which tends to amplify their effects.)
That’s what is headed our way on Wednesday, to bring a superfluous coating of flakes from Chicago to Maine. This may be the storm that breaks the all-time snowfall record in places like Indianapolis and Detroit.
Aggressive Hackers Brought Meetup Down. Here's How It Came Back.
Last weekend, the event coordination site Meetup was down. If you've ever seen the part in The Social Network where fictionalized Mark Zuckerberg says, "We don't crash ever! If the servers are down for even a day, our entire reputation is irreversibly destroyed," you know how dramatic this stuff can be. It took Meetup from Feb. 27 to March 3 to completely restore service stability. So what happened?
Meetup was hit with a distributed denial-of-service attack (DDoS), in which an attacker uses a virus to take over a number of computers, then uses those computers to send an extremely high volume of packets to a server until its switches are too overwhelmed to process legitimate user traffic. DDoS attacks are a classic and common hack but have gotten much more severe in recent months. Jag Bains, the chief technology officer at the security firm DOSarrest, told Reuters, "It's really a game of cat and mouse. I'd like to say we are ahead, but I just don't think it's true."
On Thursday, Feb. 27, Meetup began experiencing a DDoS attack, and Meetup's CEO, Scott Heiferman, received an email attempting to extort $300 from the company to stop it. Meetup was reluctant to negotiate with criminals, but the amount the hacker was asking for was also so small as to be suspicious. The team was concerned that if the company paid the money, it would be further exploited and would also send the signal that such a ransom demand could work on other companies.
"When someone steals a credit card, the first thing they do is try a four- or five-dollar charge and see if that goes through," says Brendan McGovern, Meetup's CFO and co-founder. "Once they’re successful there, they know that they have an open pipe, and that’s when they hit you for a few thousand dollars. So we decided early on to not engage at all, to not respond, and not pay. And, in the long term, that served us. If everyone is not paying, and these types of attacks are just not successful, then perhaps they’ll stop."
Meetup's CTO Gary Burns says that the most important lesson was that companies should foster close connections with their Internet service provider because the attacks can't really be controlled without the ISP's help. On a day-to-day basis, Meetup has been able to deal with unusual traffic by doing things like blocking IP addresses that generate heavy traffic or setting up firewalls. But in this case the amount of traffic was too overwhelming.
"The traffic that was sent to us was large enough that it started to be a problem for the ISP, the level above us," Burns says. "So there wasn't a lot we could do to try and mitigate the attack because it wasn't within our control. What's really important is the relationship you have with your ISP and the flexibility you have there." Meetup is also ensuring that all of its systems and partners' systems are fully upgraded and patched to reduce network vulnerabilities. But Burns warns that patching weaknesses needs to be an Internet-wide effort to truly be effective.
McGovern says that Meetup's losses will be in the hundreds of thousands of dollars, between extending all organizer subscriptions by seven days (subscriptions are about $15 per month), losing out on new subscription sales while the site was down, and spending money to mitigate the attacks.
"It’s significant but, and I’m actually authentically being serious about this, it paled in comparison to the amount of pain that was suffered by the Meetup members and organizers in the community. We’ll take a big hit financially, but to see all the people who had a really rough four or five days while they were relying on us is a much more painful number." Humanity emerges in times of crisis.
It's Surprisingly Easy to Make a Cryptocurrency
Future Tense covers a lot of cryptocurrency news because the topics are interesting but also complicated. It's hard to know exactly what the implications of cryptocurrency are and who should be using it, if anyone. But keep in mind that the code that underlies bitcoin, the world's biggest and oldest cryptocurrency, is open source. That means that "altcoins" can use the bitcoin code as a jumping-off point to develop their own currencies. To figure out what it takes to start a cryptocurrency, the staff of the tech blog Ars Technica started arscoin.
Business editor Cyrus Farivar led the initiative. He writes, "As the new year began, I found myself writing about several new (and often ridiculous) altcoins ... It got me thinking: if anyone can just up and create a new altcoin, how hard can it be?" Because it's for education, the arscoin system is locked down so people can't exchange arscoins for goods outside Ars Technica channels. But they can use them to buy things like colorful usernames on the Ars site or digital username hats. You also pay to change or remove your username color or hat.
Arscoin is a normal cryptocurrency in the sense that more arscoins enter the system by mining them, and the more arscoins that exist, the more computing power it takes to mine one. Farivar writes:
Arscoins, like any altcoins, are worth whatever the market will bear. This is worth emphasizing: they’re worth whatever someone is willing to pay for them, whether it's $5, $500, or $5 trillion. One evening early in our experiment, I asked my wife what she would trade for 5,000 Arscoins. Her answer: “A kiss?” Boom! A market had been created.
The Ars Technica team went from puzzling over the bitcoin source code to a make-your-own altcoin service called Coingen.io to mining and setting up a storefront that accepts arscoins. "After experimenting with Arscoin, we learned that it's fairly easy to get a cryptocurrency going," Farivar writes. But that doesn't mean you should. The piece points out that more altcoin currencies means less "digital scarcity," aka less value and usefulness. But it also notes that making altcoins easy to create could lead to interesting microeconomies and more diversity. If it's all still seeming abstract and esoteric, join the arscoin community and mess around.
Judge Clears Path for Beer-Delivery Drones—Almost
For many dark, droneless years, breweries and other companies have been stymied from developing airborne delivery to consumers by the Federal Aviation Administration’s insistence that commercial drones are illegal. But in a victory for beer-drone justice, the National Transportation Safety Board, the federal entity that hears appeals of FAA enforcement actions, overturned the FAA’s $10,000 fine against Raphael Pirker. In 2011, Pirker flew a drone over the University of Virginia in Charlottesville to shoot a promotional video for commercial purposes. On Thursday, Judge Patrick Geraghty found that “there was no enforceable FAA rule” against Pirker’s aircraft.
So soon we’ll be able to have a six-pack of our favorite brew flown to our doorstep, right? Not so fast.
Though the ruling looks good for commercial drone operators, Geraghty expressly limited the scope of his decision to “model aircraft.” Any unmanned aircraft systems, or UAS, that exceed that definition would not be covered by the ruling.
Geraghty’s opinion also falls short of stating affirmatively that the FAA does not have the authority to regulate drones. In reviewing FAA documents governing UAS, the judge wrote that the documents were not substitutes for any regulatory process and were only meant for internal FAA guidance, not the general public. In a 2007 Federal Registry publication, the FAA attempted to “set forth the current FAA policy for UAS operations,” according to its policy statement section. But because this intent was self-defined as a statement of policy, “it cannot be considered as establishing a rule or enforceable action, since … policy statements are not binding on the general public,” Geraghty said. The FAA can appeal Geraghty’s ruling.
I suspect that Geraghty is conscious of both the fragile legal foundation for the FAA’s current drone regulation and the need for the FAA to regulate drones. As I wrote earlier this week, the FAA arguably does not have the authority to create its current permitting and regulatory system for drones. However, it is possible that there will be tens of thousands of drones in the air in the next 10 years. We don’t want them flying around—and into the ground—with no oversight. Of all federal entities, the FAA should have the authority to regulate them, and the apparent intent of the FAA Modernization and Reform Act of 2012 was to grant the FAA that authority and remove the existing doubt.
What the current controversy confirms is the need for us to update and amend our laws to accommodate technological breakthroughs—drones, autonomous technology, artificial intelligence, etc.—that do not conform to the assumptions of our existing laws. If we don’t, our laws will become ineffective in the face of change with potentially serious consequences. And that will drive anyone to drink.
U.K.’s “War on Porn” Leader Arrested on Allegations Related to Child Porn
Earlier this week, amid increasing media pressure, the U.K. prime minister’s office confirmed that authorities arrested top David Cameron aide Patrick Rock on Feb. 13 on suspicions related to child pornography. Authorities have not yet formally charged Rock, citing the ongoing investigation as the reason behind the prolonged silence at 10 Downing St. Details surrounding the arrest timeline have fueled speculation that Rock, who resigned from his position on Feb. 12, may have been tipped off by colleagues before his arrest. But that isn’t the only troubling circumstance surrounding the already disturbing scandal. For those in the tech community, Rock is well-known as one of the main proponents of the U.K.’s controversial “war on porn.”
Apparently the Media Are Pursuing the Bitcoin Guy in a Car Chase Across Los Angeles
This morning, Newsweek outed Bitcoin creator Satoshi Nakamoto as a 64-year-old man from Temple City, Calif. who goes by Dorian S. Nakamoto. Some feared for the privacy of a man who clearly preferred to be left alone, while others shrugged. But I think it's safe to say at this point that privacy is no longer in the cards for Nakamoto.
At present, the poor guy—sorry, wrong word—the rich guy is apparently being pursued across Los Angeles by a pack of ravenous media. Nakamoto is in the lead car with an Associated Press reporter whom he agreed to meet for sushi after a large group of journalists staked out his home today. Behind him are all the other reporters he scorned in favor of the AP reporter. (Hell hath no fury like a journalist scorned.) All of this is according to Los Angeles Times deputy business editor Joe Bel Bruno, who has been live-tweeting the O.J.-like spectacle as it unfolds.
I should note upfront that it is perhaps conceivable that Bel Bruno is putting us all on, and that I'm making myself complicit in a hoax—something I often scold other reporters for—by republishing his tweets here. If that's the case, I will apologize. But Bel Bruno is a real guy, he seems to be getting firsthand information, and this whole affair is just too wild and 21st-century-ish not to share. Stay tuned for updates, or better yet, stay tuned to Bel Bruno's Twitter feed. Tweets are the new news choppers.
UPDATE, 5:07 p.m.: Nakamoto is apparently safely ensconced in the AP's Los Angeles bureau office. And Bel Bruno has now posted pictures of the scene outside. Meanwhile, he reports that Nakamoto is denying being the creator of Bitcoin.
Privacy Group Calls for Federal Investigation of Facebook's $19 Billion WhatsApp Deal
An information-privacy nonprofit is asking the Federal Trade Commission to investigate and possibly even block Facebook’s $19 billion acquisition of the wildly popular messaging service WhatsApp.
The complaint comes from the Electronic Privacy Information Center, a Washington, D.C.-based research group that has also filed complaints in the past over things like Google’s acquisition of the ad service Doubleclick, Microsoft Passport, and changes to Facebook’s privacy policies.
EPIC’s complaint about the Facebook/WhatsApp acquisition alleges that WhatsApp has made data-privacy promises to users that it will be unable and/or unlikely to keep now that it’s owned by Facebook. Julia Horwitz, EPIC’s lead lawyer on the case, told me via email:
WhatsApp users rely on WhatsApp to maintain the privacy of their communications. Facebook has a proven record of collecting user data from companies that it acquires. So users are worrying about what happens to their data now that Facebook and WhatsApp have announced the deal. Our complaint urges the FTC to investigate whether there are sufficient privacy protections in place to continue to shield the data of WhatsApp users from access by Facebook—which (for many users) was the very feature that made WhatsApp so appealing in the first place.
The complaint asks the FTC to investigate WhatsApp and block the Facebook deal until the issues it raises are resolved. If the deal does go forward, EPIC further asks that the FTC “order Facebook to insulate WhatsApp users’ information from access by Facebook’s data collection practices.”
Note that this is not a lawsuit—just a complaint filed with the FTC, with the same legal standing as any complaint an individual consumer might file about a company’s trade practices.
EPIC notes that the FTC has “responded favorably” to several of its complaints in the past. That said, the FTC did approve Google’s Doubleclick acquisition over EPIC’s privacy objections. And generally speaking, mergers and acquisitions are reviewed for their effects on competition, not consumer privacy. It would therefore be unusual for a deal like this to be blocked on privacy grounds.
The FTC does, however, have the authority to bring a suit against a company for unfair or deceptive trade practices, under the Federal Trade Commission Act. Typically the FTC will not confirm or deny its investigations until they’re over, and sometimes not even then if it decides not to bring a case.
Facebook has insisted in the wake of the deal that it will leave WhatsApp alone, at least for the time being. And Facebook chief Mark Zuckerberg says he has no plans to bring ads to the messaging service. Still, critics point out that privacy was one of WhatsApp’s biggest selling points, whereas Facebook makes billions by mining its users’ data. Some WhatsApp users simply don’t trust Facebook to keep its hands off their messages.
As communications scholar and privacy blogger Nicholas John has pointed out, WhatsApp’s terms of service clarify that they don’t keep the contents of your messages: “Once a message has been delivered, it no longer resides on our servers,” the terms say. “The contents of any delivered messages are not kept or retained by WhatsApp.” But they do keep your metadata: "WhatsApp may retain date and time stamp information associated with successfully delivered messages and the mobile phone numbers involved in the messages, as well as any other information which WhatsApp is legally compelled to collect."
John speculates that Facebook could use that information to figure out which of your friends you’re genuinely close to. That could be a big asset in the company’s quest to build the world’s most comprehensive social graph.
Asked for comment on the complaint, a Facebook spokesperson sent me the following statement:
Facebook's goal is to bring more connectivity and utility to the world by delivering core internet services efficiently and affordably—this partnership will help make that happen. As we have said repeatedly, Whatsapp will operate as a separate company and will honor its commitments to privacy and security.