Fortunately, there’s no possible way that…

could…

go…

wrong.

Tesla driver stranded in the desert after smartphone app failure
A Tesla driver was stranded in Red Rock Canyon near Las Vegas after the car’s keyless control app suddenly stopped working.

Interested in testing a feature that lets Tesla owners unlock and power their car using their smartphone, Ryan Negri decided to leave his keys at home when he went for a drive around the canyon yesterday.

Nope. Not an app failure. Put the blame where it belongs: primarily with the idiot for using it, and then not realizing that a communication app would need… comm to reach the car. Secondarily with Tesla for making the “feature” available.

Not being in the Tesla set, I had no idea the company had done something as monumentally stupid as…

The keyless smartphone feature, which is available through Tesla’s iPhone and Android apps, lets users remotely monitor and control their Tesla Model S without their key. One of the main features of the app is the ability to “unlock and drive Model S without your key”.

I haven’t researched this, so I’m guessing and giving Tesla benefit of the doubt. You have to know the car’s phone number. It should only accept commands from the owner’s phone number. It’s probably an SMS system that sends a PIN code.

So now car thieves just need to figure out what number blocks Tesla uses in an area, look up an owner’s phone number, and text random numbers until the car unlocks and starts. Is any other company doing this?

I fully expect to start getting weird text messages on my phone containing random strings and Tesla commands as folks start war-dialing for cars.

This is either bull shit

…or scary as hell.

U.S. intelligence agencies release analysis of Russian cyber espionage
U.S. intelligence services don’t often release the details of their analysis, but Thursday they did as part of an ongoing effort to pull back the curtain on what U.S. officials believe is malicious Russian cyber activity code named Grizzly Steppe.

And they still haven’t released a detailed analysis. Read that “Joint Analysis Report.” In fact, it’s simply yet-another unsubstantiated assertion. No detail in that report supports the claim that the Russian government did this. Maybe they did, but you can’t tell from that doc.

I’m not a pro at this, so I welcome input from someone who is such. As I read it, the JAR simply states that “APT 28/29” used a botnet to send spearphishing emails, which lured dumbasses to a fake web site hosted on a machine that didn’t belong to the “hackers,” and that web site passed the harvested data to yet another neutral machine which, in turn, relayed the data to the actual hackers.

To be able to honestly and definitely say that the Russians did it, the feds (FBI/CIA/NSA/whoever) had to have admin access to the web site host to see what neutral machine the site sent data to. That could come from server logs and/or database files.

Once the next machine is identified, the feds had to have admin access to it, too. They could then analyze server logs or the malicious code to see where it sent data. If you assume that it went straight from that zombie machine to the hackers, you now know the hackers’ IP address, and maybe you can make some claims.

But if the zombie sent the data to another relay between it and the hackers, you have another machine to compromise and analyze. And so on ad infinitum.

Are the feds admitting that they have that many innocent machines on the Internet compromised?

Alternatively, they could have this from human intel: leakers, snitches, spies. But intel from such sources would have to be verified, so we loop back to accessing machines.

Let’s try another scenario. Remember the NSA’s little partnership with AT&T, in which the snoops got to parallel all data running through at least one major Internet backbone router? And then there was the program to intercept routers during shipment and install spyware.

So maybe the NSA simply watched all this happen in near realtime.

Worried yet? Oh, what the heck? It’s only “metadata.”

At any rate, to substantiate the “Russians-did-it” claims, the feds would have to have admin level access to a scary number of Internet servers or routers. To prove the claim, they may have to admit to continuing to do things they’ve sworn up and down they stopped doing.
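
The hop-by-hop tracing described in this post, sketched as an added example (not from the original post or from the JAR): it follows `dst=` entries through per-host logs and reports where the trail goes cold. The host names and the log format are constructed for illustration.

```python
import re

# Constructed sample: forwarding logs from hosts an investigator can read.
# Host names and the "dst=" log format are hypothetical.
SAMPLE_LOGS = {
    "fake-login-site": [
        "2000-01-01T10:02:11Z POST harvested-creds dst=relay-1",
        "2000-01-01T10:05:40Z POST harvested-creds dst=relay-1",
    ],
    "relay-1": ["2000-01-01T10:02:12Z FWD harvested-creds dst=relay-2"],
    # No entry for relay-2: no admin access to it, so no logs to read.
}

DST = re.compile(r"\bdst=(\S+)")

def next_hops(lines):
    """Distinct destinations recorded in one host's log lines."""
    return sorted({m.group(1) for line in lines for m in DST.finditer(line)})

def trace_chain(start, logs):
    """Follow dst= entries host by host; return (path, reason_stopped)."""
    path, seen, host = [start], {start}, start
    while True:
        if host not in logs:
            # Last host is only the next hop, not a proven origin.
            return path, "no_access"
        hops = next_hops(logs[host])
        if not hops:
            # Nothing logged outbound; absence of a log line is not proof.
            return path, "no_forwarding_logged"
        if len(hops) > 1:
            return path, "fan_out"
        host = hops[0]
        path.append(host)
        if host in seen:
            return path, "loop"
        seen.add(host)

if __name__ == "__main__":
    path, reason = trace_chain("fake-login-site", SAMPLE_LOGS)
    print(" -> ".join(path), "| stopped:", reason)
```

With the sample logs the trace stops at `relay-2` with `no_access`: the last name in the path is only the next machine whose logs would be needed, which is the limit the post describes.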

Why did you THINK Uber wants to track you?

Earlier today, Claire Wolfe congratulated Uber for encrypting data when raided, but wondered why the data wasn’t encrypted all the time.

Uber Employees Accused of Using Data to Stalk Exes and Celebs
“Uber’s lack of security regarding its customer data was resulting in Uber employees being able to track high profile politicians, celebrities, and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends, and ex-spouses,” according to legal documents filed by ex-employee Ward Spangenberg in October and reported by The Center for Investigative Reporting on Monday.

That’s why. And why did you think they expanded tracking time to see where you go after they drop you off?

Win10 S&M Pro Edition

Seriously, either nail down Win7 (for those who need legacy stuff that won’t play well in Wine), or install Linux already.

Windows 10 Anniversary Update breaks most webcams
The Windows 10 Anniversary Update, aka version 1607, has been found to leave many webcams inoperable. The update prevents the use of webcams in applications such as Skype and Open Broadcaster Software (OBS), along with all manner of custom CCTV programs. Extremely popular hardware, such as Logitech’s C920 and C930e cameras, in conjunction even with Microsoft’s own Skype, will fail to properly broadcast video.

Yeah, MicroShaft-you is big, but why hasn’t someone sued them into oblivion with a class action suit? Or for the Win10 HIPAA violations?

Microsoft: Screwing up since Day 1

You know how those technologically-ignorant idiots in DC think we need to backdoor encryption for the children, to stop terrorists and speeding drivers?

This is one of the many reasons we’ve been telling them that it’s a truly bad idea.

Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible idea
Redmond races to revoke Secure Boot policy
Microsoft leaked the golden keys that unlock Windows-powered tablets, phones and other devices sealed by Secure Boot – and is now scrambling to undo the blunder.

These skeleton keys can be used to install non-Redmond operating systems on locked-down computers. In other words, on devices that do not allow you to disable Secure Boot even if you have administrator rights – such as ARM-based Windows RT tablets – it is now possible to sidestep this block and run, say, GNU/Linux or Android.

What’s more, it is believed it will be impossible for Microsoft to fully revoke the leaked keys.

For the record, I can confirm that Linux Mint 18 installs just as easily as 17.1 and 17.3, and works very nicely. True, this particular clusterfuck seems to affect mobile devices that Mint won’t help with, but it will start weaning you from the idiots at MSFT.

Seriously. Who has trusted MicroCeph since the _NSAKEY fiasco of ’99? What; you believed them?

I hate to tell them this…

Hackers use Congressman’s iPhone to demo ability to listen into calls, monitor texts, track location [Updated]
Apple may take iOS security so seriously that it’s willing to do battle with the FBI over it, but German hackers have demonstrated that all phones – even iPhones – are susceptible to a mobile network vulnerability that requires nothing more than knowing your phone number. Armed with just that, hackers can listen to your calls, read your texts and track your position.

…but that’s essentially the same thing as the mandated CALEA phone tapping capability that they forced on the industry. The only difference is that the Feds are provided their own channel into the network. This “hack” (which isn’t a hack) just uses a standard SS7 channel for access.

Sid Scriptkiddy isn’t going to sit in his mom’s basement and tap President Barrycade’s phone (unfortunately). This requires direct access to the SS7 network. You have to be part of the network. So you either build an SS7 server and get a contract with a common carrier to connect, or you have to find some open line into the SS7 system; the latter would be a hack.

SS7 providers should make sure access to their network is secure; no open dialups (believe me, it happens), no unsecured SCADA links. But “fixing” this “flaw” in the SS7 protocol itself…

…is impossible without either 1) eliminating much of the functionality that allows cell networks to operate, or 2) breaking CALEA. I’m all for the second option.

BTW, the articles make a big deal about this affecting iPhones, but read the fine print and you’ll realize that it affects all phones. Not all smartphones, but all telephones including that dinosaur wired to the wall in your kitchen. They won’t get the location data that a cell network has, but everything else is a go. They’re exploiting standard SS7 functions like Caller ID and call forwarding.

Glad I’m not that guy

So how did the FBI/Apple kerfuffle really start?

San Bernardino Shooter’s iCloud Password Changed While iPhone was in Government Possession
The filing states, “the owner [San Bernardino County Department of Public Health], in an attempt to gain access to some information in the hours after the attack, was able to reset the password remotely, but that had the effect of eliminating the possibility of an auto-backup.”
[…]
The auto reset was executed by a county information technology employee, according to a federal official. Federal investigators only found out about the reset after it had occurred and that the county employee acted on his own, not on the orders of federal authorities, the source said.

Questions, questions.

  • If he changed the password to access information, why isn’t the FBI rubber-hosing the password out of him?
  • What information did this guy suddenly need when the Feds took the phone?
    • Was he merely curious?
    • Did he not realize the Feds would notice?
    • Was he looking for incriminating information?
    • If so, why not leave it to LE?
  • If there was incriminating data he knew about, what kind? Was he an accomplice in the attacks, or merely lower level county corruption?

Seriously. At the very least, he had to realize resetting the password on evidence in a federal investigation would be felony “impeding an investigation.” At a minimum, he had to know he’d be suspected as an accomplice in a terrorist attack. What did he need to see so badly to make it worth the obviously inevitable consequences?

If he was deliberately hiding something, what could be worse than a definite felony, and being a terrorist suspect for the rest of his life? At best.

Maybe he really is just a curious dumbass with an IQ lower than whale shit. He is (was?) a government employee, after all.

Look, either the guy knew the new password, or he deliberately randomized it to keep investigators out. If the first, the Feds shouldn’t be making demands of Apple.

In related news:

DOJ would allow Apple to keep or destroy software to help FBI hack iPhone
The Obama administration told a magistrate judge Friday it would be willing to allow Apple to retain possession of and later destroy specialized software it was ordered to create to help federal authorities hack into the encrypted iPhone belonging to Syed Rizwan Farook.

Looks like someone finally took cognizance of the point I’ve been making: Letting the Feds get that FBiOS is dangerous. I’ve said all along that the correct way to do this would have been to turn the phone over to Apple for forensic extraction. They unlock it, then return the unlocked phone without the security breaking code installed to the Feds.

The FBI absolutely should never get their dirty paws on the countdown bypassing and remote access code. They can’t be trusted.

And if you believe that

I’ve got a slightly used bridge for sale on eBay.

Recently Bought a Windows Computer? Microsoft Probably Has Your Encryption Key
ONE OF THE EXCELLENT FEATURES of new Windows devices is that disk encryption is built-in and turned on by default, protecting your data in case your device is lost or stolen. But what is less well-known is that, if you are like most users and log in to Windows 10 using your Microsoft account, your computer automatically uploaded a copy of your recovery key — which can be used to unlock your encrypted disk — to Microsoft’s servers, probably without your knowledge and without an option to opt out.
[…]
Users can choose to delete recovery keys from their Microsoft accounts…

Everyone who believes that will completely delete the key from MacroSnoop’s servers, raise your hand.

Seriously, folks. I’ve heard of some alleged freedom lovers who claim to love Win10. Why?