Category: IT Security

Posted on

Apple’s New Security Policy: Just a PR Stunt?

Apple announced not to be able anymore to hack into IOS8-based devices because of its “privacy-by-design” development strategy. Thank to this choice, according to Tim Cook, quoted by The Washington Post,

it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.

Since the fantasy of both lawyers and judges knows no limit, I wouldn’t be surprised to hear, in the next future, about some claim for “contributory criminal activity” filed against Apple based on the deliberate choice of giving “unbreakable weapons” to terrorist, paedophiles and copyright infringers.

When this scenario will become real, it will be interesting to see whether Apple remains stuck into his “libertarian” position risking a trial for contempt of the court, or negotiates over its users with the powers-that-be.

Then, and only then, we will be able to check if this “privacy commitment” was a genuine attitude or just the next marketing trick.

Posted on

Net-Threats: How To Lie With Statistics, Again

Another example of how a non-statistical-based research is turned by poorly informed journalists into “scientific truth”. Net-Threats is a survey collecting the opinions of a certain number of “experts”: as its authors clearly state:

Since the data are based on a non-random sample, the results are not projectable to any population other than the individuals expressing their points of view in this sample. The respondents’ remarks reflect their personal positions and are not the positions of their employers; the descriptions of their leadership roles help identify their background and the locus of their expertise.

But this part of the survey – that nobody but the concerned people will ever read – is missed in the ? poor journalistic account of the news and the readers will be given the wrong idea that the figures quoted are for real and that the findings are “true”.

By the way, as in the other “statistical” research about the value of personal data, I’ve written about, the findings of this survey might even be acceptable. But there is no need to beef it up with figures and percentage show off that give the general reader a wrong information.

But in this case, the culprit is the journalist.

Posted on

An Italian Data Protecion Authority Secret Report Leak?

According to an Italian newsmagazine, a non-for-public eyes investigation of the Italian Data Protection Act would have found severe security problems in the management of the Internet Exchange Points (the points of the Italian telecommunication network where the various telco networks are mutually interconnected.)

A first remark is that the King is – or might be – naked. If this secret report actually exists (and the IDPA didn’t deny its existence) and has been leaked, the Authority’s information security is not that good, and – therefore – the IDPA should fine itself for this non compliance, instead of just targeting the rest of the (industrial) world.

Coming to the heart of the matter, in the words of the journalists that authored the article:

there is an enormous black hole in the security of the Italian telecommunications. A hole so wide that allows whoever with a proper equipment to have available phone calls, SMS, emails, chat, and social-network posted contents.

The journalists claim that the report verbatim says:

These device are equipped by technical features that can allow the traffic duplication, in real time, of the traffic in transit diverting it to another port (port mirroring)

and that

if somebody wanted to look at the traffic in transit this would be easily done with specific analysis tools …

It is amazing how this article – and the IDPA findings, if proven true – are so poorly legally and technically savvy because:

  • the possibility of performing a port mirroring is necessary to the public prosecution and intelligence agency activities. The point, then, is how and by who these feature are exploited rather than its mere existence, that like-it-or-not are necessary for investigative purposes. One day, maybe, it will be possible to disclose some of the ways traffic data information are asked, but this is another story…
  • there is no evidence of the port mirroring features being abused, misused or cracked,
  • performing a port mirroring in an Internet Exchange Point is not as easy as the article and the IDPA report(?) says: it is not like Independence Day computer virus uploading or Swordfish’s Hugh Jackman “under pressure” hack,
  • there is an easy way, available almost since day one of the pre-internet era to protect users’ communications without caring of what the ISPs do: client-based encryption. But I assume that the Minster of home affair wouldn’t like an IDPA endorsement of the “crypto-for-the-masses” slogan,
  • oddly enough, the IDPA secret report (if true) doesn’t address the serious problem of network devices proprietary firmware and operating systems that prevent an ISP to check on its own the existence of backdoors (as in the recent Cisco affair) and other security flaws.
Posted on

Google Not To Become A US Defense Contractor

Well, the news isn’t actually “new” but there is one interesting and underlooked Google statement about the acquisition of the (military) robotics firm Boston Dynamics: while the current agreements are honored, Google has no plan to become a defense contractor.

This way Google is depriving the US military system of a top-notch technology, keeping in its own and solely hands what is supposed to be a (although future) critical asset for the US security and safety.

Should this trend be confirmed, we might face in the near future the massive accumulation of advanced technologies in the hands of just one company that might become the “one-stop” for defense – and more broadly – public needs.

 

 

Posted on

Stop Apple and Google To Take Over Our Cars

Google just announced its “Android Auto” platform, while Apple already did ? it with Carplay. Both platforms require an Internet connection and, it is just matter of time, will become more and more deeply interconnected with the car control system.

But software do fail. It fails because there’s no such thing as a bug-free software, it fails because people do mistakes, it fails because the software house’s roadmap not necessarily matches the final users’ safety.

And I don’t care about the usual PR stunts such as “as soon as we discovered the bug we did our best to fix it the fastest way” or “since the xyz library is licensed and proprietary we can’t keep responsibility for the way the software behave” or, finally, “if you just read the EULA you will find that it is clearly stated that we don’t take any responsibility for blah, blah, blah…”

This is a price we cannot afford to pay.