Start up: who backs the FBI?, Google gets RCS, LG goes modular, Linux Mint backdoored, and more

Does the American public back Apple or the FBI in the fight over encryption? Photo by IceNineJon on Flickr.

You can now sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 11 links for you. Use them wisely. I’m charlesarthur on Twitter. Observations and links welcome.

After Jibe Mobile buy, Google to provide carriers with Android RCS client » TechCrunch

Natasha Lomas is very unimpressed by Google’s announcement with carriers at MWC:

»at the time of the acquisition of [RCS app maker] Jibe [in September 2015], telecoms analyst Dean Bubley suggested Mountain View’s move was actually aimed at building its own Android-to-Android iMessage competitor — a theory he’s still not ruling out, so perhaps Google still has some hopes on that front.

Albeit, Bubley couches Google’s latest RCS pronouncement as “very lukewarm”, noting it has not specified the client will be on all Android devices, for example, even if what is clearly carrier-written PR talks about reaching “all Android devices” — which would encompasses an awful lot of hardware these days, from phones to smart TVs, to smartwatches and more. (We’ve asked Google for some clarity here and will update this post with any response).

A Google spokeswoman said: “Once deployed, the Universal RCS Client will come standard for all Android devices globally, providing a more consistent experience with more advanced features.”  To be clear, that’s ‘standard’ in the sense of OEMs and carriers being able to choose to install it — so not universal, not mandated by Google and thus most certainly fragmented. (Also on fragmentation the spokeswoman confirmed that currently the client only works on phones and tablets, so not all Android devices by any means.)

There’s also no clear timeframe on when Google will be delivering the RCS client. (The spokeswoman had no concrete commitments to impart here, saying only that Google is “planning to launch later this year”.) And, as noted above, without ubiquity it’s going to mean fragmentation keeps RCS-powered messaging apps from building the sought for mass messaging momentum via the platform.

«

Expectations that Google would introduce a sort of iMessage-like app across all Android devices via Google Play seem overblown. It’s also not very private.
link to this extract

 


October 2015: Android 6.0 re-implements mandatory storage encryption for new devices » Ars Technica

Andrew Cunningham in October 2015:

»Shortly after the announcement of iOS 8 in 2014, Google made headlines by saying that it would make full-device encryption mandatory for new Android devices running version 5.0. It then made more headlines several months later when we discovered that the company backed down, “strongly recommending” that Android device makers enable encryption but stopping short of actually requiring it.

Now Google has published an updated version of the Android Compatibility Definition Document (PDF) for Android 6.0, and it looks like mandatory encryption is back with a couple of exceptions. New devices that come with Marshmallow and have AES crypto performance above 50MiB-per-second need to support encryption of the private user data partition (/data) and the public data partition (/sdcard).

«

Still unclear which devices actually implement this. Is there a table or list anywhere?
link to this extract

 


More support for Justice Department than for Apple in dispute over unlocking iPhone » Pew Research Center

»As the standoff between the Department of Justice and Apple Inc. continues over an iPhone used by one of the suspects in the San Bernardino terrorist attacks, 51% say Apple should unlock the iPhone to assist the ongoing FBI investigation. Fewer Americans (38%) say Apple should not unlock the phone to ensure the security of its other users’ information; 11% do not offer an opinion on the question.

News about a federal court ordering Apple to unlock the suspect’s iPhone has registered widely with the public: 75% say they have heard either a lot (39%) or a little (36%) about the situation.

«

Survey of 1,002 adults, so statistically valid (as you’d expect from Pew). The FBI, as we knew, has chosen its fight carefully.
link to this extract

 


Hacker explains how he put “backdoor” in hundreds of Linux Mint downloads » ZDNet

Zack Whittaker:

»The surprise announcement of the hack was made Saturday by project leader Clement Lefebvre, who confirmed the news.

Lefebvre said in a blog post that only downloads from Saturday were compromised, and subsequently pulled the site offline to prevent further downloads.

The hacker responsible, who goes by the name “Peace,” told me in an encrypted chat on Sunday that a “few hundred” Linux Mint installs were under their control [for a botnet] – a significant portion of the thousand-plus downloads during the day.

But that’s only half of the story.

Peace also claimed to have stolen an entire copy of the site’s forum twice — one from January 28, and most recently February 18, two days before the hack was confirmed.

The hacker shared a portion of the forum dump, which we verified contains some personally identifiable information, such as email addresses, birthdates, profile pictures, as well as scrambled passwords.

Those passwords might not stay that way for much longer. The hacker said that some passwords have already been cracked, with more on the way. (It’s understood that the site used PHPass to hash the passwords, which can be cracked.)

«

These days I operate on the default assumption that any site into which I put personal information will get hacked eventually. On that basis I’m parsimonious with such information.

Backdoors in Linux, though – not good. (Mint is reckoned to be the third most popular distro.)
link to this extract

 


LG’s G5 is a radical reinvention of the flagship Android smartphone » The Verge

Vlad Savov on the “Friends” additions for the LG G5:

»A small key on the side of the phone pops open its lower section, which can be pulled out along with the battery, then the battery is fitted into the next module and that straps back into the phone. The whole process sounds finicky, but there’s nothing flimsy about the way LG has constructed either the phone, its battery, or the extras, so everything can be done quickly and forcefully. And yes, it really does feel like loading a fresh clip into your gun.

The first plug-in module is the LG Cam Plus, which offers an enlarged camera grip for single-handed photography and also contains extra battery power. This Friend is decorated with a physical shutter button, a dedicated video recording key, an LED indicator, and a very satisfying jog dial to control zoom on the G5. You’re still using the two cameras built into the phone itself, but this extra part essentially reshapes the device and gives it extra juice to keep going for 6 to 8 hours longer, expanding the battery from 2,800mAh to 4,000mAh.

The LG Hi-Fi Plus is an external 32-bit DAC and amplifier combo unit, tuned in collaboration with Bang & Olufsen. It supports native DSD playback and will come with a pair of H3 B&O Play earphones. Unlike the Cam Plus, this module doesn’t really affect the shape or ergonomics of the G5. It just makes it a little longer and breaks up its color synchronicity (the Hi-Fi Plus is a matte black, whereas the phones vary between silver, gold, pink, and a graphite shade that LG calls “titan”). Importantly, the Hi-Fi Plus will process and upsample content from any app producing sound on the phone, including YouTube clips.

Also making their debut today are the LG 360 Cam and LG 360 VR headset. The camera is a dual-sensor spherical camera that captures either 16-megapixel stills or up to 2K video and will have immediate support from YouTube 360 and Google Street View.

«

And there’s even a VR headset. Price? “Reasonable,” according to LG, not giving a price. I’m unsure that “Friends” will get enough traction unless they’re available on all LG’s smartphones – but in that case, why would you buy the G5? Modularity in the handset kills premium pricing even faster than OS modularity.
link to this extract

 


Smartphone ownership and internet usage continues to climb in emerging economies » Pew Research Center

»For smartphone ownership, the digital divide between less advanced economies and developed economies is 31 points in 2015. But smartphone ownership rates in emerging and developing nations are rising at an extraordinary rate, climbing from a median of 21% in 2013 to 37% in 2015. And overwhelming majorities in almost every nation surveyed report owning some form of mobile device, even if they are not considered “smartphones.”

«

link to this extract

 


Telegraph suspends comment on relaunched online content » The Guardian

Mark Sweney:

»The Telegraph has suspended online comment on stories and features “until further notice” as part of a review of the way the newspaper engages with its audience.

As part of the relaunch of Telegraph.co.uk, the company is also researching whether to reinstate the facility. The print edition of the newspaper has recently been given a new look.

The roll-out of the new-look site is being done in stages with travel, TV, lifestyle and technology sections already live, but with comments turned off. The parts of the site that have not yet been included in the redesign still allow comments.

A spokesman for the Telegraph said: “In the process of migrating its site to a new online platform, the Telegraph has suspended the comment function in some areas under transition until further notice.

“It’s also undertaking research to understand the best way to support reader engagement, but in the meantime they can continue to comment on and share articles through Telegraph Facebook pages, or via Twitter, in the usual way.”

«

“In the usual way”? Anyway; another one onto the list. I should be totting these up.
link to this extract

 


In search of a business model: the future of journalism in an age of social media and dramatic declines in print revenue » Shorenstein Center

»Nicco Mele [former deputy publisher of the Los Angeles Times] described a deepening crisis in the newspaper industry: although some outlets are seeing the largest online audiences they have ever had, revenue is still shrinking. On a local level, preprint advertising (e.g. coupons) has seen a steep decline as retailers like Wal-Mart and Best Buy face challenges of their own. Paradoxically, print advertising still generates the vast majority of newspaper revenue – an undesirable situation, given the cost of printing.

“If the next three years look like the last three years, I think we’re going to look at the 50 largest metropolitan papers in the country and expect somewhere between a third to a half of them to go out of business,” said Mele.

Mele noted that newer entrants such as Buzzfeed, Vox and Vice rely in large part on venture capital. “None of them are yet true public companies with a clear sense of what their revenue equation looks like,” he said.

And although philanthropic and government funding could be options, Mele stressed the importance of news outlets remaining economically independent from large institutions to better fulfill their duty of holding power accountable.

What is clear is that diversity in revenue streams will be an essential part of the future, said Mele, and part of the mix could include two effective but “underappreciated” options: subscription revenue and native content.

«

The point about Buzzfeed, Vice and Vox is pretty keen: they’re still amped up on the sugar of VC money.
link to this extract

 


A skeleton key of unknown strength » Dan Kaminsky’s Blog

Kaminsky is a security researcher of some renown; here is his take on the bug in glibc, a very widely used C library:

»Patch this bug.  You’ll have to reboot your servers.  It will be somewhat disruptive.  Patch this bug now, before the cache traversing attacks are discovered, because even the on-path attacks are concerning enough.  Patch.  And if patching is not a thing you know how to do, automatic patching needs to be something you demand from the infrastructure you deploy on your network.  If it might not be safe in six months, why are you paying for it today?

It’s important to realize that while this bug was just discovered, it’s not actually new.  CVE-2015-7547 has been around for eight years.  Literally, six weeks before I unveiled my own grand fix to DNS (July 2008), this catastrophic code was committed.

Nobody noticed.

The timing is a bit troublesome, but let’s be realistic:  there’s only so many months to go around.  The real issue is it took almost a decade to fix this new issue, right after it took a decade to fix my old one (DJB didn’t quite identify the bug, but he absolutely called the fix).  The Internet is not less important to global commerce than it was in 2008. Hacker latency continues to be a real problem.

What maybe has changed over the years is the strangely increasing amount of talk about how the Internet is perhaps too secure.  I don’t believe that, and I don’t believe anyone in business (or even with a credit card) does either.

«

Wonder whose commit it was.
link to this extract

 


Customer Letter – FAQ » Apple

Apple has added on some answers to its “Customer Letter” from last week:

»Q: The government says your objection appears to be based on concern for your business model and marketing strategy. Is that true?

A: Absolutely not. Nothing could be further from the truth. This is and always has been about our customers. We feel strongly that if we were to do what the government has asked of us — to create a backdoor to our products — not only is it unlawful, but it puts the vast majority of good and law abiding citizens, who rely on iPhone to protect their most personal and important data, at risk.

Q: Is there any other way you can help the FBI?
A: We have done everything that’s both within our power and within the law to help in this case. As we’ve said, we have no sympathy for terrorists.

We provided all the information about the phone that we possessed. We also proactively offered advice on obtaining additional information. Even since the government’s order was issued, we are providing further suggestions after learning new information from the Justice Department’s filings.

One of the strongest suggestions we offered was that they pair the phone to a previously joined network, which would allow them to back up the phone and get the data they are now asking for. Unfortunately, we learned that while the attacker’s iPhone was in FBI custody the Apple ID password associated with the phone was changed. Changing this password meant the phone could no longer access iCloud services.

«

“It’s not our fault they acted like bozos.”
link to this extract

 


Can the government compel Apple to speak? » Lawfare

Andrew Keane Woods (assistant professor of law at the University of Kentucky College of Law, formerly at Stanford as a cybersecurity fellow) on the 1st Amendment implications of the Apple/FBI case:

»code can be a form of speech. The lock-swapping mechanism required in this case would require Apple’s engineers to sit down at a computer and start writing.  And that action, as courts recognized long ago, is speech. In Bernstein v. Department of Justice, the Electronic Frontier Foundation successfully argued that Daniel J. Bernstein, then a graduate student at Berkeley, had a constitutionally protected right to publish his source code, despite the government’s efforts to block it. (Fittingly enough, the code was for encryption software, which the government tried to suppress on the theory that encryption software is a munition subject to export controls.)

If code is speech, and the government is compelling Apple to code, then it looks an awful lot like the government is compelling speech. That does not resolve the issue, of course, but it opens up a new field for debate – one that has not receive enough attention. The government will respond to this claim by noting that Apple’s code is a far cry from the pledge of allegiance, and therefore does not raise the Establishment Clause concerns that applied in [the case of] Barnette [where schoolchildren were being required, against the constitution, to recite the Pledge of Allegiance]. Maybe. Apple will reply that their word is their most important asset, and that the federal government is compelling them to say something they do not believe.

«

This point hasn’t been much mentioned, but is sure to be brought up. The ramifications of this case really are fascinating.
link to this extract

 


Errata, corrigenda and ai no corrida:

3 thoughts on “Start up: who backs the FBI?, Google gets RCS, LG goes modular, Linux Mint backdoored, and more

  1. “Still unclear which devices actually implement this. Is there a table or list anywhere?”

    The current generation Nexus devices (Nexus 6P and 5X) have full disk encryption (FDE) set from the factory. Of the new instruction sets introduced with ARMv8, support for AES is included, so I would hazard a guess that any smartphones introduced with ARMv8/64-bit ARM SoCs probably meet the performance thresholds to fall under Google’s mandatory FDE rule.

  2. Pingback: Start up: LinkedIn’s extra bidders, LG’s mobile shakeup, Google Maps v Apple Maps, cracking Android, and more | The Overspill: when there's more that I want to say

  3. Pingback: Start up: Facebook’s news problem, LG dumps modular, the IoT’s weak spots, Ikea’s economics, and more | The Overspill: when there's more that I want to say

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s