Thursday, February 18, 2016

Gadarene swine

I've been ranting about the way we, possessed by the demons of the Internet of Things, are rushing like the Gadarene Swine to our doom. Below the fold, the latest rant in the series, which wanders off into related, but equally doom-laden areas.

Harvard's Berkman Center recently published a study entitled Don’t Panic: Making Progress on the ‘Going Dark’ Debate. The study group was convened by Matt Olsen, Bruce Schneier, and Jonathan Zittrain, and the New York Times reports:
Among the chief authors of the report is Matthew G. Olsen, who was a director of the National Counterterrorism Center under Mr. Obama and a general counsel of the National Security Agency.

Two current senior officials of the N.S.A. — John DeLong, the head of the agency’s Commercial Solutions Center, and Anne Neuberger, the agency’s chief risk officer — are described in the report as “core members” of the group, but did not sign the report because they could not act on behalf of the agency or the United States government in endorsing its conclusions, government officials said.
Two of the report's conclusions are:
  • Networked sensors and the Internet of Things are projected to grow substantially, and this has the potential to drastically change surveillance. The still images, video, and audio captured by these devices may enable real-time intercept and recording with after-the-fact access. Thus an inability to monitor an encrypted channel could be mitigated by the ability to monitor from afar a person through a different channel.
  • Metadata is not encrypted, and the vast majority is likely to remain so. This is data that needs to stay unencrypted in order for the systems to operate: location data from cell phones and other devices, telephone calling records, header information in e-mail, and so on. This information provides an enormous amount of surveillance data that was unavailable before these systems became widespread.
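The report's second point is easy to see concretely for one of the systems it lists, e-mail. The following is an added illustration, not part of the post or of the Berkman report: it takes a PGP/MIME message whose body is encrypted and lists everything an observer on the path (or the receiving provider) still learns from the headers. The message, its hosts, addresses, ids and the placeholder "ciphertext" are all constructed for this example.

```python
import json
import re
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample: a PGP/MIME message whose body is encrypted. Hosts,
# addresses, ids and the "ciphertext" are placeholders invented for this example.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [203.0.113.7])
\tby inbound.example.net with ESMTPS id k2s9Q1
\tfor <bob@example.net>; Thu, 18 Feb 2016 09:14:02 +0000
Received: from [192.168.1.23] (cpe-198-51-100-42.isp.example [198.51.100.42])
\tby mx.example.org with ESMTPSA id a7Hx3L
\tfor <bob@example.net>; Thu, 18 Feb 2016 09:13:55 +0000
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Cc: Carol <carol@example.com>
Subject: Re: Thursday
Date: Thu, 18 Feb 2016 09:13:50 +0000
Message-ID: <20160218091350.1234@example.org>
In-Reply-To: <20160217183000.99@example.net>
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
\tboundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

hQEMA3BsYWNlaG9sZGVyIGNpcGhlcnRleHQgZm9yIHRoZSBleGFtcGxlAQ==
-----END PGP MESSAGE-----

--b1--
"""

# Bracketed IPv4 literals as MTAs write them into Received: headers.
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def metadata_exposed(raw_message):
    """Return the metadata that body encryption leaves in the clear.

    Every field below is read from headers, which MTAs need unencrypted in
    order to route and deliver the message; nothing is taken from the body.
    """
    msg = message_from_string(raw_message)

    # Each relay prepends its own Received: line, so the list runs from the
    # last hop (top) back to the sender's own network (bottom). The clause
    # before the final ";" names the hosts; the part after it is the timestamp.
    hops = []
    for header in msg.get_all("Received", []):
        clauses, _, stamp = header.rpartition(";")
        hops.append({
            "ips": IPV4.findall(clauses),
            "when": parsedate_to_datetime(stamp.strip()).isoformat(),
        })

    # Sender and every recipient, in header order (From, then To, then Cc).
    people = [addr for _, addr in getaddresses(
        msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", []))]

    return {
        "participants": people,
        "subject": msg["Subject"],
        "sent": parsedate_to_datetime(msg["Date"]).isoformat(),
        "message_id": msg["Message-ID"],
        "in_reply_to": msg["In-Reply-To"],   # ties the message into a thread
        "hops": hops,
        "body_encrypted": msg.get_content_type() == "multipart/encrypted",
    }


if __name__ == "__main__":
    print(json.dumps(metadata_exposed(SAMPLE_MESSAGE), indent=2))
```

The output shows who talked to whom, when, in reply to what, from which network (including the sender's private address and ISP hostname, copied in by her own mail server), and the subject line, all while `body_encrypted` is true. That is the social graph the report is describing, and it is the same for phone records and device location data.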
The intelligence community agrees:
James Clapper, the US director of national intelligence, was more direct in testimony submitted to the Senate on Tuesday as part of an assessment of threats facing the United States.

“In the future, intelligence services might use the [internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials,” Clapper said.
Xeni Jardin at BoingBoing points out that:
The war on encryption waged by the F.B.I. and other intelligence agencies is unnecessary, because the data trails we voluntarily leak allow “Internet of Things” devices and social media networks to track us in ways the government can access.
Not to mention that yesterday's revelation of a stack buffer overflow in glibc's DNS resolver (getaddrinfo, CVE-2015-7547) means that much of the IoT is vulnerable and is unlikely to be patched: any Linux-based device built against glibc that resolves names over the network is exposed, and most such devices have no mechanism for receiving fixes. This bug won't be the last of its kind, so the agencies are likely to retain their ability to spy even if IoT vendors clean up their act.

The intelligence agencies aren't the only ones enjoying their new-found surveillance capabilities. J.M. Porup at Ars Technica reports:
Shodan, a search engine for the Internet of Things (IoT), recently launched a new section that lets users easily browse vulnerable webcams.

The feed includes images of marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores, according to Dan Tentler, a security researcher who has spent several years investigating webcam security.
And sleeping babies.

Cory Doctorow at BoingBoing starts a recent book review:
Nitesh Dhanjani's 2015 O'Reilly book Abusing the Internet of Things: Blackouts, Freakouts, and Stakeouts is a very practical existence-proof of the inadequacy and urgency of Internet of Things security.
...
Abusing the Internet of Things is structured just like one of those cookbooks, only the recipes explain the (relatively simple) steps you need to take to compromise everything from a smart lightbulb -- one recipe explains how to plunge a smart lighting system into permanent, irrevocable darkness -- to a smart baby-monitor (this was published months before a family in San Francisco woke to discover a griefer terrorizing their toddler through his bedside monitor) to a smart TV to -- what else? -- a smart car.
Of course, companies can attempt to avoid any liability for harm caused by their shoddy security practices by copying VTech and disclaiming responsibility in their terms and conditions. Commissioner Julie Brill of the FTC addressed these problems in her closing plenary of the Fall 2015 CNI meeting. But Cory Doctorow points out the pressure on the FTC not to do anything:
Companies that use and trade in personal information rely on the people involved not discovering what's going on. For example, one data-broker sells its services to retailers as a means of getting the home addresses and other information of their customers in secret, avoiding "losing customers who feel that you’re invading their privacy."
Of course, many of these information leaks are accidental, but the sad truth is that the pervasive surveillance enabled by the Internet, and especially by the Things in it, is not just the favored business model of government agencies but also of pretty much any company that can figure out how to collect and sell information. Conor Friedersdorf at The Atlantic has the example of one such company, Vigilant Solutions:
Throughout the United States—outside private houses, apartment complexes, shopping centers, and businesses with large employee parking lots—a private corporation, Vigilant Solutions, is taking photos of cars and trucks with its vast network of unobtrusive cameras. It retains location data on each of those pictures, and sells it.
...
The company has taken roughly 2.2 billion license-plate photos to date. Each month, it captures and permanently stores about 80 million additional geotagged images. They may well have photographed your license plate. As a result, your whereabouts at given moments in the past are permanently stored. Vigilant Solutions profits by selling access to this data (and tries to safeguard it against hackers). Your diminished privacy is their product.
...
Supreme Court jurisprudence on GPS tracking suggests that repeatedly collecting data “at a moment in time” until you’ve built a police database of 2.2 billion such moments is akin to building a mosaic of information so complete and intrusive that it may violate the Constitutional rights of those subject to it.
...
Many powerful interests are aligned in wanting to know where the cars of individuals are parked. Unable to legally install tracking devices themselves, they pay for the next best alternative—and it’s gradually becoming a functional equivalent. More laws might be passed to stymie this trend if more Americans knew that private corporations and police agencies conspire to keep records of their whereabouts.
You are paying for this technology through your taxes:
During the past five years, the U.S. Department of Homeland Security has distributed more than $50 million in federal grants to law-enforcement agencies—ranging from sprawling Los Angeles to little Crisp County, Georgia, population 23,000—for automated license-plate recognition systems,
And also because police forces are either paying Vigilant for access to its data or giving it a cut of the fines it helps them collect:
Vigilant Solutions, one of the country’s largest brokers of vehicle surveillance technology, is offering a hell of a deal to law enforcement agencies in Texas: a whole suite of automated license plate reader (ALPR) equipment and access to the company’s massive databases and analytical tools—and it won’t cost the agency a dime.
...
Vigilant is leveraging H.B. 121, a new Texas law passed in 2015 that allows officers to install credit and debit card readers in their patrol vehicles to take payment on the spot for unpaid court fines, also known as capias warrants. When the law passed, Texas legislators argued that not only would it help local government with their budgets, it would also benefit the public and police.
...
The “warrant redemption” program works like this. The agency is given no-cost license plate readers as well as free access to LEARN-NVLS, the ALPR data system Vigilant says contains more than 2.8-billion plate scans and is growing by more than 70-million scans a month. This also includes a wide variety of analytical and predictive software tools. Also, the agency is merely licensing the technology; Vigilant can take it back at any time.

The government agency in turn gives Vigilant access to information about all its outstanding court fees, which the company then turns into a hot list to feed into the free ALPR systems. As police cars patrol the city, they ping on license plates associated with the fees. The officer then pulls the driver over and offers them a devil’s bargain: get arrested, or pay the original fine with an extra 25% processing fee tacked on, all of which goes to Vigilant.
Alex Campbell and Kendall Taggart's The Ticket Machine is a must-read, in-depth look at how this works. Yves Smith at naked capitalism points out how the private equity (PE) and security worlds have become intertwined:
And a contact who knows the private equity world pointed out (emphasis mine):
Morgan Stanley’s PE arm lists [Vigilant Solutions parent, Digital Recognition Network] as an investment, which is a good example of how enmeshed PE has become in the security/intelligence state. The spooks, I am sure, love the secrecy of PE compared to public markets. And the love goes both ways, as it is my experience that PE people love the spooks because returns are able to be generated by influence peddling behind closed doors, and also because they just find them intellectually interesting.
In other words, proprietary opposition research, which is often hard to distinguish from blackmail.
No-one is in a position to make educated trade-offs between the societal and personal costs and benefits of the Things they connect to their own Internet. How much worse is it when they have had no say in what the Things were and where they were deployed?

Notice the similarities between this rush to exploit technical capabilities without regard for the possible downsides and the escalation of cyberwar. James Ball at Buzzfeed reports that Alex Gibney's new documentary Zero Days reveals that:
The United States hacked into critical civilian and military infrastructure in Iran to allow its operatives to disable the country with a devastating series of cyberattacks at a moment’s notice,
...
The targets of the U.S. hacking operations, covered by the code name “NITRO ZEUS,” include power plants, transport infrastructure, and air defenses, the film will state, with agents entering these protected systems nightly to make sure the attacks were still deployable.
...
the U.S.-Israel “Stuxnet” worm — which destroyed around 1 in 5 of the centrifuges used in Iran’s nuclear program — was just a small part of a much larger set of offensive capabilities developed against the nation.
The cyberwarriors don't seem to have paid much attention to the possible downsides:
The State Department was seen by those in other agencies as a “wet blanket” when it came to operations for expressing concerns about violating the sovereignty of third-party nations’ cyberspace, or about operations that could have significant impact on civilians.
...
one confidential source expressed concerns to Gibney about the extent of NITRO ZEUS, saying some planners had “no fucking clue” as to the consequences of some of the proposed attacks.

“You take down part of a grid,” they told him, “you can accidentally take down electricity in the entire country.”
At least Michael Hayden seems to have a "f**king clue":
Michael Hayden, a former director of both the CIA and the NSA, told Gibney the U.S. action risks creating new international norms of cyber warfare.

“I know no operational details and don’t know what anyone did or didn’t do before someone decided to use the weapon, all right,” he said. “I do know this: If we go out and do something, most of the rest of the world now thinks that’s a new standard, and it’s something they now feel legitimated to do as well.
Exactly. And why would anyone think that the US was less vulnerable than Iran to this kind of attack? But USA Inc's terms and conditions mean that the cyberwarriors bear no liability for the foreseeable consequences of their actions.

David Sanger and Mark Mazzetti at the New York Times have other details of the NITRO ZEUS program.

Similarly, the NSA has a program called SKYNET that applies machine learning to data collected from Pakistan's phone network in order to pick out people whose behavior is deemed characteristic of terrorists as targets for assassination by drone or death squad. Machine learning experts estimate that it may have killed thousands of innocent people: when the class being searched for is vanishingly rare, even a tiny false-positive rate applied to tens of millions of subscribers flags thousands of people who are not terrorists. Cory Doctorow's response on Dave Farber's IP list is a must-read analysis of the problem:
At root, this is a story about the problems that occur in the absence [of] adversarial peer review. NSA and GCHQ cut corners in their machine-learning approach, and no one called them on it, and they deployed it, and it kills people.

But it is also a microcosm of the spy services' culture of secrecy and the way that the lack of peer review turns into missteps.

You could ask for no better proof that the NSA believed its actions would never be subjected to public scrutiny than the fact that they called the program SKYNET.
We all remember how that turned out, right?
Skynet launched nuclear missiles under its command at Russia, which responded with a nuclear counter-attack against the U.S. and its allies. Consequent to the nuclear exchange, over three billion people were killed in an event that came to be known as Judgment Day.
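The arithmetic behind "thousands of innocent people" is the base-rate problem, and it is exactly the kind of check an adversarial reviewer would have run before deployment. The following is an added worked example, not code from the post or from the material it cites: it computes the expected confusion matrix when every subscriber in a population is scored once by a classifier, and the false-positive rate a classifier would need before most of the people it flags were actually targets. The population size, number of real targets, sensitivity and false-positive rate used in the usage call are illustrative assumptions chosen for the example, not figures from the post's sources.

```python
def screening_outcomes(population, targets, sensitivity, false_positive_rate):
    """Expected counts when a whole population is screened once.

    population:          number of people scored (everyone on the network)
    targets:             how many of them really belong to the rare class
    sensitivity:         fraction of real targets the classifier catches
    false_positive_rate: fraction of non-targets it wrongly flags
    All inputs are illustrative assumptions supplied by the caller.
    """
    non_targets = population - targets
    true_positives = targets * sensitivity
    false_negatives = targets - true_positives
    false_positives = non_targets * false_positive_rate
    true_negatives = non_targets - false_positives
    flagged = true_positives + false_positives
    # Precision is the share of flagged people who are actually targets; it
    # collapses when non_targets dwarfs targets, no matter how small the FPR.
    precision = true_positives / flagged if flagged else 0.0
    return {
        "true_positives": true_positives,
        "false_positives": false_positives,
        "false_negatives": false_negatives,
        "true_negatives": true_negatives,
        "flagged": flagged,
        "precision": precision,
        "innocents_per_real_hit": (false_positives / true_positives
                                   if true_positives else float("inf")),
    }


def required_fpr_for_precision(population, targets, sensitivity, target_precision):
    """Largest false-positive rate that still reaches target_precision.

    From precision = tp / (tp + fp) >= target we get
    fp <= tp * (1 - target) / target, and fpr = fp / non_targets.
    """
    true_positives = targets * sensitivity
    max_false_positives = true_positives * (1 - target_precision) / target_precision
    return max_false_positives / (population - targets)


if __name__ == "__main__":
    # Illustrative assumptions: 55 million subscribers, 100 real targets,
    # a classifier that catches half of them with a 0.008% false-positive rate.
    result = screening_outcomes(55_000_000, 100, 0.5, 0.00008)
    for key, value in result.items():
        print(f"{key:>24}: {value:,.4f}")
    needed = required_fpr_for_precision(55_000_000, 100, 0.5, 0.9)
    print(f"FPR needed for 90% precision: {needed:.2e}")
```

With those assumptions the classifier flags about 4,450 people, of whom 50 are targets and roughly 4,400 are not, so around 88 innocents are swept up for every real hit and precision is about 1%. Reaching 90% precision would need a false-positive rate of about one in ten million, which no model trained on a handful of labelled positives can credibly claim, and which cannot be measured at all if the evaluation is done on the same data the model was fitted to. That is the corner Doctorow says was cut.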

13 comments:

David. said...

I mentioned the glibc vulnerability in passing above. Dan Kaminsky's A Skeleton Key of Unknown Strength is a must-read explanation of the vulnerability and its consequences.

As far as we know the glibc vulnerability was an accident. Last Thursday's IoT disaster, detailed in Brian Krebs' This is Why People Fear the ‘Internet of Things’, is deliberate and ongoing:

"This is the nightmare “Internet of Things” (IoT) scenario for any system administrator: The IP cameras that you bought to secure your physical space suddenly turn into a vast cloud network designed to share your pictures and videos far and wide. The best part? It’s all plug-and-play, no configuration necessary!"

A Chinese company, ThroughTek, is providing IoT manufacturers with on-by-default, hard-to-disable, firewall-piercing P2P technology that is showing up in everything from "smart plugs" to DVRs:

"ThroughTek did not respond to requests for comment. A ThroughTek press release from October 2015 announced that the company’s P2P network — which it calls the Kalay Network — had grown to support more than seven million connected devices and 100 million “IoT connections.”"

This is another very bad problem:

“Given the seemingly cavalier attitude and the almost certain lack of automatic updates, it is almost certain that these devices are remotely exploitable,” he added. “It is no wonder that Director of National Intelligence James Clapper is worried about the Internet of Things, how many government officials have or may unwittingly install potential spies like this in their home.”

And it isn't just that they are exploitable, James Clapper is probably also worried that continuous video surveillance of government officials' homes is ending up in the hands of a Chinese company. Of course, this also applies to Chinese government officials, which is why it is a feature not a bug from the Chinese government's point of view. But the devices are probably exploitable, which means that both sides have it all. Mutually Assured Destruction is a great idea, to get back to Skynet.

Another must-read is Robert Epstein's The new mind control. It's long and you have to read to the end to understand the point but, trust me, it's worth your time.

I hope to have more to write on these posts soon.

David. said...

Robert Epstein gave an EE380 talk The Search Engine Manipulation Effect (SEME) and Its Unparalleled Power To Influence How We Think last October 28. Video is available on YouTube.

David. said...

Intel's Dirk Hohndel interviewed Linus Torvalds at the Linux Foundation's 2016 Embedded Linux Conference & OpenIoT Summit:

Torvalds continued, "Job one is to get the job done. In a new industry things will get done without security. Security plays second fiddle. It will be slightly distressing if someone hacks into my home furnace and turns up my heat to 95, I'll be bothered."

Torvalds added, "In theory open source can be patched. In practice vendors get in the way." Anyone who follows the gap between Google's Android security patches and when vendors ship the patches--if ever--knows what he's talking about.

Still, Torvalds said, while "not all Linux devices get the love they deserve, in proprietary systems, you're often left with old security holes. For example, the iPhone 4 was released in 2010 but by 2014 Apple was no longer supporting it with operating system and security patches."

David. said...

Kieren McCarthy at The Register reports on a Green Paper from the Commerce Dept asking for input into developing Federal policy about the IoT.

David. said...

Today's IoT vulnerability affects every Thing in Samsung's SmartThings ecosystem. Two separate vulnerabilities discovered by researchers at U. Mich provide the bad guys capabilities such as:

"unlock doors, modify home access codes, create false smoke detector alarms, or put security and automation devices into vacation mode"

David. said...

Today's IoT nightmare is a pair of attacks on Programmable Logic Controllers, such as the ones in power stations. The Register has confirmed that they can be combined. Attack #1:

"The programmable logic controller (PLC) worm is the brain child of German hackers Ralf Spenneberg and Maik Brüggeman ... and, unlike any past attacks, is able to spread from devices without the need of an infected laptop or desktop.

All other PLC malware such as Stuxnet relied on having an infected computer to spread to other controllers, meaning an infection could be stopped from proliferating by removing those machines.

Spenneberg and Brüggeman claim the attack spreads like cancer between default Siemens S7 1200 PLCs, and could be reworked to target other systems."

Attack #2:

"IOActive researcher Alexander Bolshev told The Register his work allows frequency and amplitude modifications in waves generated by control PLCs to allow an attack to be masked.

The research, which he conducted alongside Honeywell security boffin Marina Krotofil, means an attacker could, for example, break into a remote station along a major gas line, determine normal frequency patterns, and repeat those waves with high-frequency components added to cloak a destructive intrusion."

David. said...

Jean-Louis Gassée weighs in on the risks of cars in the Internet of Things.

David. said...

And so does Jonathan Gitlin at Ars Technica with The connected car may be the dumbest idea ever, but it’s not going away.

David. said...

And at The Register Joe Fay reports on Josh Corman's talk to the Building IoT conference:

"Corman zeroed in on our increasingly connected cars and medical devices as key targets. The consequences of mass compromising of connected vehicles, for example, would be confidence in vehicle manufacturers, transport infrastructure and knock-on effects at the GDP level."

David. said...

Cory Doctorow at BoingBoing reports on a paper in World Neurosurgery that discusses the dystopian security issues posed by brain implants. People's brains becoming Things in the Internet; what could possibly go wrong?

David. said...

Joanna Stern at the WSJ has a must-read piece that starts:

"Let’s play a game. Which of the following is a real smartphone-connected product?

A) A bottle that tracks your H2O intake
B) A bowl that tracks your dog’s H2O intake
C) An umbrella that reminds you not to leave it behind
D) A tampon that reminds you when it is time for a change

It is actually a trick question. All four of these “smart” items have either been announced by startups or are already shipping."

and continues:

"There is even greater irony: Instead of solving the hassles of everyday life, they create more of them. I’ve been testing many products that simply don’t work as promised."

The stories of how they don't work are hilarious:

"he did still think it was necessary to build a $700 juice machine that won’t make juice if your Wi-Fi is down. I repeat: No juice if your Wi-Fi is down."

But there isn't a single mention in the story of what could happen when the bad guys compromise your tampon, umbrella, juice machine, egg tray, water bottle, or smart bra.

David. said...

Yet more evidence that anonymizing data from the Things in the Internet doesn't work: Karl Bode at Ars Technica reports that 15 minutes of data from only the brake pedal can identify a driver.

David. said...

Of course, it isn't just the bad guys who are interested in exploiting the insecurity of the Things in the Internet, the "good" guys are too:

"[NSA deputy director] Ledgett isn’t the only intelligence official to identify the growing Internet of Things as a possibility for global spying. The Director of National Intelligence himself said during a Senate hearing on worldwide threats in February that interconnected devices could be useful “for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.”"