Start up: Wi-Fi Sense explained, another giant Android vulnerability, the US’s sleepiest cities, and more


What happens when you create a way for any programmer to analyse peoples’ DNA? (Hint: not good things.) Photo by micahb37 on Flickr.

A selection of 11 links for you. Use them wisely. I’m charlesarthur on Twitter. Observations and links welcome.

Wi-Fi Sense in Windows 10: Yes, it shares your passkeys; no, you shouldn’t be scared » Ars Technica

Sebastian Anthony:

For a start, when a Wi-Fi passkey is shared with your PC via Wi-Fi Sense, you never actually see the password: it comes down from a Microsoft server in encrypted form, and is decrypted behind the scenes. There might be a way to see the decrypted passkeys if you go hunting through the registry, or something along those lines, but it’s certainly not something that most people are likely to do.

Perhaps more importantly, though, just how sacred is your Wi-Fi password anyway? Corporate networks notwithstanding (and you shouldn’t share those networks with Wi-Fi Sense anyway), most people give out their Wi-Fi keys freely. You could even argue that Wi-Fi Sense is more secure: if I ask Adam for his Wi-Fi password, I am free to give it away to anyone. If I receive the password via Wi-Fi Sense, I can still connect to Adam’s network, but I can’t tell anyone else the password.

And it only goes to immediate-circle friends, not friends of friends of.. So probably not such a big thing to worry about.
link to this extract


Why Grooveshark failed » The Verge

Stephen Witt:

The Grooveshark streaming application launched in April of 2008 — several months ahead of Spotify. The service proved explosively popular from the outset. Users, especially younger users, loved on-demand music delivery, and Greenberg left school to focus on Grooveshark full time. But there was a problem: Grooveshark still relied on peer-to-peer infrastructure similar to Napster, Kazaa, and bitTorrent. In other words, although it functioned as a streaming service, it still sourced the music from its users’ file libraries. And to the record companies, that looked like copyright infringement.

Without approval from the labels, Grooveshark struggled to attract venture capital. In its first five years of existence, the company raised just under a million dollars. In the same time, Spotify, with equity buy-in from the music majors, raised a hundred times as much.

It didn’t “look like” copyright infringement; it clearly was infringement, in just the same way that the original Napster was. That’s why it was sued into the ground. Grooveshark never played by the rules (artists demanded their music be removed; Grooveshark staff re-uploaded it, or ignored new uploads). They failed because they could never stay inside the rules.
link to this extract


Drones and spyware: the bizarre tale of a brutal kidnapping » WIRED

Kevin Poulsen with a wonderful tale of how truth is stranger than fiction:

efforts to trace the new emails were in vain. The author boasted that he was using Tor as well as other anonymizing precautions that would withstand even an “Egotistical Giraffe exploit,” a reference to an NSA de-anonymizing technique that surfaced in the Edward Snowden leaks. He sent the messages through the Singapore-based anonymous remailer anonymousemail.com, and shared the photos—stripped of metadata—through the anonymous image sharing site Anony.ws.

Evidently unconvinced, the Vallejo police still insisted the crime was a put-on, but the FBI was also on the case. And, it turned out, despite his sophistication, the kidnapper had left a digital trail.

The kidnapper had slipped by using a disposable Tracfone to call Quinn after the abduction. The FBI reached out to Tracfone, which was able to tell the agents that the phone was purchased from a Target store in Pleasant Hill on March 2 at 5:39 pm. Target provided the bureau with a surveillance-cam photo of the buyer: a white male with dark hair and medium build. AT&T turned over records showing the phone had been used within 650 feet of a cell site in South Lake Tahoe.

But the real break in the case came when the kidnapper evidently struck again.

link to this extract


Trend Micro discovers vulnerability that renders Android devices silent » Trend Micro

Wish Wu (Mobile Threat Response Engineer):

We have discovered a vulnerability in Android that can render a phone apparently dead – silent, unable to make calls, with a lifeless screen. This vulnerability is present from Android 4.3 (Jelly Bean) up to the current version, Android 5.1.1 (Lollipop). Combined, these versions account for more than half of Android devices in use today. No patch has been issued in the Android Open Source Project (AOSP) code by the Android Engineering Team to fix this vulnerability since we reported it in late May.

This vulnerability can be exploited in two ways: either via a malicious app installed on the device, or through a specially-crafted web site. The first technique can cause long-term effects to the device: an app with an embedded MKV file that registers itself to auto-start whenever the device boots would case the OS to crash every time it is turned on.

In some ways, this vulnerability is similar to the recently discovered Stagefright vulnerability. Both vulnerabilities are triggered when Android handles media files, although the way these files reach the user differs.

Seems like the media file handling is where everyone is focussing for Android weaknesses just now.
link to this extract


September 2014: iPhone 6 and Android value » Benedict Evans

From September 2014:

with the iPhone 6 and iOS8, Apple has done its best to close off all the reasons to buy high-end Android beyond simple personal preference. You can get a bigger screen, you can change the keyboard, you can put widgets on the notification panel (if you insist) and so on. Pretty much all the external reasons to choose Android are addressed – what remains is personal taste.

Amongst other things, this is a major cull of Steve Jobs’ sacred cows – lots of these are decisions he was deeply involved in. No-one was quicker than Steve Jobs himself to change his mind, but it’s refreshing to see so many outdated assumptions being thrown out. 

Meanwhile, with the iPhone 6 Plus (a very Microsofty name, it must be said) Apple is also tackling the phablet market head on. The available data suggests this is mostly important in East Asia but not actually dominant even there – perhaps 10-20% of units except in South Korea, where it is much larger.  Samsung has tried hard to make the pen (or rather stylus) a key selling point for these devices, but without widespread developer support (there is nothing as magical as Paper for the Note) it is not clear that these devices have actually sold on anything beyond screen size and inverse price sensitivity (that is, people buy it because it’s the ‘best’ and most expensive one). That in turn means the 6 Plus could be a straight substitute. 

Now we have Samsung’s results (out by the time you read this) and LG’s results, where the latter specifically says that sales were lower in South Korea than expected. Evans seems to have been borne out: the only differentiator between premium Android and iPhones was screen size.
link to this extract


Busy-ness data on Google search results » Google

Do you ever find yourself trying to avoid long lines or wondering when is the best time to go grocery shopping, pick up coffee or hit the gym (hint: avoid Monday after work)? You’re in luck!

Now, you can avoid the wait and see the busiest times of the week at millions of places and businesses around the world directly from Google Search. For example, just search for “Blue Bottle Williamsburg”, tap on the title and see how busy it gets throughout the day. Enjoy your extra time!

busy-ness data from Google

That’s very clever. (Location data from Android phones, one guesses.)
link to this extract


Android security, bugs and exploits » Google+

Adrian Ludwig is head of security for Android:

There’s common, mistaken assumption that any software bug can be turned into a security exploit.  In fact, most bugs aren’t exploitable and there are many things Android has done to improve those odds. We’ve spent the last 4 years investing heavily in technologies focused on one type of bug – memory corruption bugs – and trying to make those bugs more difficult to exploit. 

A list of some of those technologies that have been introduced since since Ice Cream Sandwich (Android 4.0) are listed here. The most well known of these is called Address Space Layout Randomization (‘ASLR’), which was fully completed in Android 4.1 with support for PIE (Position Independent Executables) and is now on over 85% of Android devices. This technology makes it more difficult for an attacker to guess the location of code, which is required for them to build a successful exploit.

What Ludwig doesn’t mention: the Stagefright bug. Is it right to say it could be used to take over a phone via MMS? Or would ASLR defeat that? You’d hope the head of security for Android would tackle this in a public blogpost talking about security. But he doesn’t. Which tends to make one think the worst.
link to this extract


Which cities get the most sleep? » The Jawbone Blog

Tyler Nolan:

One of the major findings in our study of city sleep was that people living in cities just don’t get enough. No major city in the United States averages above the NIH-recommended seven hours of sleep per night. But it’s only part of the picture. The vast majority of the suburban and rural counties have much healthier sleep numbers.

Geography has a profound effect on the routines we follow and the habits we form. Our sleep cycles adapt to the pace and lifestyle of the world we live in and the world by which we are surrounded. We look forward to further investigating the effects of geography and how it influences UP wearers in all parts of the world.

Technical Notes: This study was based on over one million UP wearers who track their sleep using UP by Jawbone. Less populous counties were blended with neighboring counties to generate significant results. This technique revealed patterns at finer granularity than the state level, such as time zone boundaries. All data is anonymized and presented in aggregate.

One still gets that little tingle of concern that your sleep data could be tracked directly back to you by someone malicious or stalker-y at Jawbone. (The visualisations are lovely, though.)
link to this extract


Brinks’ super-secure smart safes: not so secure » WIRED

Kim Zetter:

Vulnerabilities found in CompuSafe Galileo safes, smart safes made by the ever-reliable Brinks company that are used by retailers, restaurants, and convenience stores, would allow a rogue employee or anyone else with physical access to them to command their doors to open and relinquish their cash, according to Daniel Petro and Oscar Salazar, researchers with the security firm Bishop Fox, who plan to demonstrate their findings next week at the Def Con hacker conference in Las Vegas.

The hack has the makings of the perfect crime, because a thief could also erase any evidence that the theft occurred simply by altering data in a back-end database where the smartsafe logs how much money is inside and who accessed it. If done well, the only telltale sign of an attack would be left on security cameras—if anyone bothered to look.

They’re “smart” because they can tally how much money is put into them. Dumb because they run Windows XP Embedded. And there’s an external USB port for “troubleshooting”.
link to this extract


Retailer Acceptance » Contactless Life

Duncan Stevenson has compiled a gigantic table of which companies accept contactless and Apple Pay payments (and to what amount).

In theory Apple Pay should be accepted at all retailers that accept contactless, and this seems to be the case for Mastercard and Visa cards, however American Express cards are currently experiencing issues with Apple Pay in certain retailers (hence the existence of the “Amex Apple Pay” column).  I have a blog post coming soon covering the issues with American Express Apple Pay in the UK.

(It’s a real HTML table too.)
link to this extract


Your 23andMe DNA can be used in racist, discriminatory ways » BuzzFeed News

This week, an anonymous programmer posted on GitHub an early-stage program called Genetic Access Control. It basically worked as a log-in mechanism. The third-party program was designed to hook up to the company’s API and mine the 23andMe accounts of users who agreed to share their information, as they would agree to let apps connect to their Facebook or Twitter profiles. Websites using Genetic Access Control could scan that data for information about “sex, ancestry, disease susceptibility, and arbitrary characteristics” — and then restrict users’ access to the site based on this information.

For example, people with only the “right” amount of European ancestry would be allowed to access a website that used Genetic Access Control:

Ways to use 23andMe API

But 23andMe shut down the developer’s access to its API on Wednesday, two days after the code was published. 23andMe spokesperson Catherine Afarian told BuzzFeed News the program violated a policy that forbids use of the API for, among other things, “hate materials or materials urging acts of terrorism or violence.”

I think a programmer who actually wanted to cause trouble (as opposed to one, as here, just showing 23andMe how blithely trusting it is) could reasonably point out that they’re not creating hate materials or anything to do with terrorism or violence.

And – whoever they were – succeeded with a beautiful example of why you don’t really want to have open public access to a DNA database. As well as why 23andMe are twits for ever having thought so.
link to this extract


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s