Microsoft says the theft of the exploit that led to last week’s ransomware is as bad as that of a Tomahawk missile. Photo by Tim Evanson on Flickr.
You can now sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.
A selection of 12 links for you. Use them wisely. I’m @charlesarthur on Twitter. Observations and links welcome.
Bad malware, worse reporting • Light Blue Touchpaper
Professor Ross Anderson, in typically forthright form:
»
The first point is that there’s not really a lot of this malware. The NHS has over 200 hospitals, and the typical IT director is a senior clinician supported by technicians. Yet despite having their IT run by well-meaning amateurs, only 16 NHS organisations have been hit, according to the Register and Kaspersky – including several hospitals.
So the second point is that when the Indy says that “The NHS is a perfect combination of sensitive data and insecure storage. And there’s very little they can do about it” the answer is simple: in well over 90% of NHS organisations, the well-meaning amateurs managed perfectly well. What they did was to keep their systems patched up-to-date; simple hygiene, like washing your hands after going to the toilet.
The third takeaway is that it’s worth looking at the actual code. A UK researcher did so and discovered a kill switch.
Now I am just listening on the BBC morning news to a former deputy director of GCHQ who first cautions against alarmist headlines and argues that everyone develops malware; that a patch had been issued by Microsoft halfway through March; that you can deal with ransomware by keeping decent backups; and that paying ransom will embolden the bad guys. However he claims that it’s clearly an organised criminal attack (when it could be one guy in his bedroom somewhere), and says that the NCSC should look at whether there is some countermeasure that everyone should have taken (for answer see above).
So our fourth takeaway is that although the details matter, so do the economics of security. When something unexpected happens, you should not just get your head down and look at the code, but look up and observe people’s agendas. Politicians duck and weave; NHS managers blame the system rather than step up to the plate; the NHS as a whole turns every incident into a plea for more money; the spooks want to avoid responsibility for the abuse of their stolen cyberweaponz, but still big up the threat and get more influence for a part of their agency that’s presented as solely defensive. And we academics? Hey, we just want the students to pay attention to what we’re teaching them.
«
I made my own contribution to the various pieces on this. Decide for yourself whether Anderson would be satisfied with it.
link to this extract
How to accidentally stop a global cyber attack • MalwareTech
The anonymous @malwaretech, who registered the domain that was hard-coded into the Wannacry ransomware:
»
one thing that’s important to note is the actual registration of the domain was not on a whim. My job is to look for ways we can track and potentially stop botnets (and other kinds of malware), so I’m always on the lookout to pick up unregistered malware control server (C2) domains. In fact I registered several thousand of such domains in the past year.
Our standard model goes something like this.
1) Look for unregistered or expired C2 domains belonging to active botnets and point it to our sinkhole (a sinkhole is a server designed to capture malicious traffic and prevent control of infected computers by the criminals who infected them).
2) Gather data on the geographical distribution and scale of the infections, including IP addresses, which can be used to notify victims that they’re infected and assist law enforcement.
3) Reverse engineer the malware and see if there are any vulnerabilities in the code which would allow us to take-over the malware/botnet and prevent the spread or malicious use, via the domain we registered.
In the case of WannaCrypt, step 1, 2 and 3 were all one and the same, I just didn’t know it yet. A few seconds after the domain had gone live I received a DM from a Talos analyst asking for the sample I had which was scanning SMB hosts, which I provided. Humorously at this point we had unknowingly killed the malware so there was much confusion as to why he could not run the exact same sample I just ran and get any results at all. As curious as this was, I was pressed for time and wasn’t able to investigate, because now the sinkhole servers were coming dangerously close to their maximum load.
«
His full post includes his concern that by registering the domain, he’d actually activated the malware. It’s quite a tale. Plus he has praise for the UK’s National Cyber Security Centre and the FBI, among others.
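To make the confusion in that extract concrete, here is a small added example (my own illustration, not code from MalwareTech’s post or from the malware): a toy model of a kill-switch check that aborts when a hard-coded domain resolves, plus the sinkhole bookkeeping of step 2 of his model. The domain name, the resolver behaviour and the log lines are all constructed for illustration; the real domain and the real sample’s logic are not reproduced here.

```python
"""Added example: a toy model of (a) a malware kill-switch that aborts when a
hard-coded domain resolves and (b) sinkhole log aggregation for victim
notification. Not the real sample; domain, resolver and logs are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical stand-in for the hard-coded domain (assumption; not the real one).
KILL_SWITCH_DOMAIN = "example-killswitch.invalid"


def should_continue_running(domain: str, resolve: Callable[[str], Optional[str]]) -> bool:
    """Kill-switch model: if the domain resolves, the sample exits and does nothing.
    The resolver is injected so the check runs offline; a real sample would do DNS."""
    return resolve(domain) is None


def resolver_unregistered(domain: str) -> Optional[str]:
    """Constructed resolver for the world before anyone registered the domain."""
    return None  # NXDOMAIN: the sample proceeds


def resolver_sinkholed(domain: str) -> Optional[str]:
    """Constructed resolver for the world after the domain points at a sinkhole."""
    return "192.0.2.10" if domain == KILL_SWITCH_DOMAIN else None


@dataclass(frozen=True)
class SinkholeHit:
    src_ip: str
    country: str
    domain: str


def parse_sinkhole_line(line: str) -> Optional[SinkholeHit]:
    """Parse a constructed log line '<ts> <src_ip> <country> GET <domain>'.
    Returns None for malformed lines rather than raising."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "GET":
        return None
    return SinkholeHit(src_ip=parts[1], country=parts[2], domain=parts[4])


def summarize_hits(lines: List[str]) -> Tuple[Dict[str, int], Dict[str, List[str]]]:
    """Step 2 of the extract's model: count infected hosts per country and
    collect the unique source IPs per country. Repeat hits from one IP count once;
    hits for other domains (a shared sinkhole sees many) are ignored."""
    seen = set()
    per_country: Counter = Counter()
    ips_by_country: Dict[str, List[str]] = {}
    for line in lines:
        hit = parse_sinkhole_line(line)
        if hit is None or hit.domain != KILL_SWITCH_DOMAIN:
            continue
        if hit.src_ip in seen:
            continue
        seen.add(hit.src_ip)
        per_country[hit.country] += 1
        ips_by_country.setdefault(hit.country, []).append(hit.src_ip)
    return dict(per_country), ips_by_country


# Constructed sinkhole log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "2017-05-12T15:30:01Z 198.51.100.7 GB GET example-killswitch.invalid",
    "2017-05-12T15:30:02Z 198.51.100.7 GB GET example-killswitch.invalid",
    "2017-05-12T15:30:03Z 203.0.113.45 RU GET example-killswitch.invalid",
    "2017-05-12T15:30:04Z 203.0.113.9 RU GET example-killswitch.invalid",
    "2017-05-12T15:30:05Z 192.0.2.200 US GET other.example",
    "garbage line",
]

if __name__ == "__main__":
    # Before registration the sample runs; once sinkholed, the same sample exits,
    # which is why an analyst re-running it afterwards sees nothing happen.
    print("runs before registration:", should_continue_running(KILL_SWITCH_DOMAIN, resolver_unregistered))
    print("runs after sinkholing:", should_continue_running(KILL_SWITCH_DOMAIN, resolver_sinkholed))
    counts, ips = summarize_hits(SAMPLE_LOG)
    print(counts, ips)
```

The point of injecting the resolver is that the same binary behaves differently depending on the state of the DNS, which is exactly the reproducibility problem the Talos analyst hit: nothing about the sample had changed, only the answer to one lookup.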
link to this extract
Revealed: The 22-year-old IT expert who saved the world from ransomware virus but lives for surfing
This has all the details about the guy who found the (first) fix. Didn’t go to university, is self-taught. Of this story, he said “I always thought I’d be doxed by skids [script kiddies] but turns out Journalists are 100x better at doxing”.
link to this extract
Lessons from last week’s cyberattack • Microsoft on the Issues
Brad Smith is Microsoft’s chief legal officer:
»
Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.
The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. And it’s why we’ve pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality.
«
Emphasis added. Smith isn’t wrong: the damage this is causing is so hard to estimate, and forecast, that the comparison is apt.
link to this extract
Wcrypt Tracker • Malwaretech
An interactive, live map of where machines being infected by the Wannacrypt (aka #Wannacry – geddit?) are located. At the time of checking, only 74 online, and 203,000 disconnected. It’s going to be updated with newer variants too.
link to this extract
Q&A: Transcript: Interview with Donald Trump • The Economist
More than one editor from The Economist sat down with Trump, who was joined by Steve Mnuchin, the Treasury secretary. The transcript shows their heroic struggle to get him to answer any question coherently:
»
Q: And are you contemplating things outside of corporate income tax? For example a VAT, which many countries have?
T: Well, you know, a lot of people consider the border tax a form of VAT.
Q: Are you still…
T: Part of the problem with NAFTA is that Mexico’s a VAT. So Mexico is paying almost…we pay 17%. So we are now down 17%, going into Mexico when we trade. So that’s like, you have a football team and every time they play a game, they’re down, you know, 25 points. How can you possibly do good?
Q: But would you consider…
T: You could actually make the case, that the 17 is doubled. You can make that case. You know, it’s 17 and it’s really 17 and it’s a double.
Mr Mnuchin: Right
Q: Would you consider a VAT for the United States?
T: Well the concept of VAT I really like. But let me give you the bad news. I don’t think it can be sold in this country because we’re used to an income tax, we’re used to a…people are used to this tax, whether they like it or don’t like, they’re used to this tax. I fully understand because I have a lot of property in the UK. And it’s, sort of, not a bad tax. And every time I pay it, they end up sending it back to me. In fact, my accountant is always saying…
Q: That’s a good tax.
T: No, it’s really not so bad. Like, I own Turnberry in Scotland. And every time I pay they say, “Yes sir, you pay it now but you get it back next year.” I said, “What kind of tax is this, I like this tax.” But the VAT is…I like it, I like it a lot, in a lot of ways. I don’t mean because of, you know, getting it back, you don’t get all of it back, but you get a lot of it back. But I like a VAT. I don’t think it can be sold in this country, I think it’s too much of a shock to this system. I can tell you if we had a VAT it would make dealing with Mexico very much easier. Because it could neutralise. And I really mean that. Part of the problem with NAFTA, the day they signed it, it was a defective deal. Because Mexico has almost a 17% VAT tax and it’s very much of a hidden tax, people don’t see it. So, but these guys, instead of renegotiating the following week…many years ago, how old is that? 35?
«
As I said, heroic. Read it for what he says about the China deal, and then take in the next link.
link to this extract
Critics pan Trump’s ‘early harvest’ trade deal with China • FT
»
The “early harvest” deal rolled out on Friday saw China agree to resume imports of US beef that were suspended in 2003, in a move that US cattle ranchers hailed as “historic” but which Chinese leaders had already agreed to last September.
Beijing also committed to open its market to foreign-owned credit rating agencies and credit card companies — a pledge that addressed long-running US gripes but also resembled previous promises. Ahead of China’s 2001 accession to the World Trade Organisation, it had agreed to open credit cards — or the broader market for electronic payments made in renminbi — to foreign-owned companies such as Visa and MasterCard.
For its part the US has agreed to encourage natural gas sales to Chinese buyers and opened the door to imports of cooked chicken from China.
More importantly, it offered its tacit endorsement for Beijing’s “Belt and Road” project to revive the ancient trade route to Europe by sending a delegation to a Beijing summit that started on Saturday.
That move upended the arm’s-length approach of the Obama administration and left the Trump administration struggling to explain why it was embracing a project many see as Beijing’s latest effort to replace the US as a trading and military power in the Asia-Pacific region…
…[Dan DiMicco, former chief executive of US steelmaker Nucor and a campaign adviser to Mr Trump who has long advocated a tough approach on Beijing] says that with its promise to sell more natural gas to China, the Trump administration risked undermining what is now an important competitive advantage for US industry — cheap energy costs — and the manufacturing renaissance it has promised.
“When the gas exports [to China] get large enough, which they will, it will drive up natural gas prices for our domestic manufacturers, and negatively impact our reshoring efforts,” he says.
«
Another quote:
»
“They got played,” was the blunter assessment of one former US official.
«
Why I don’t believe in blockchain • ongoing
»
I could maybe get past the socio-political issues, the misguided notion that in civilized countries, you can route around the legal system with “smart contracts” (in ad-hoc procedural languages) and algorithmic cryptography.
I could even skate around the huge business contra-indicator: something on the order of a billion dollars of venture capital money has flowed into the blockchain startup scene. And what’s come out? I’m not talking about platforms that are “ready for business” or “proven enterprise-grade” or “approved by regulatory authorities”, I’m talking about blockchain in production with jobs depending on it.
But here’s the thing. I’m an old guy: I’ve seen wave after wave of landscape-shifting technology sweep through the IT space: Personal computers, Unix, C, the Internet and Web, Java, REST, mobile, public cloud. And without exception, I observed that they were initially loaded in the back door by geeks, without asking permission, because they got shit done and helped people with their jobs.
That’s not happening with blockchain. Not in the slightest. Which is why I don’t believe in it.
«
Apple acquires AI company Lattice Data, a specialist in unstructured ‘dark data’, for $200m • TechCrunch
»
What exactly is dark data? Our connected, digital world is producing data at an accelerated pace: there were 4.4 zettabytes of data in 2013 and that’s projected to grow to 44 zettabytes by 2020, and IBM estimates that 90% of the data in existence today was produced in the last two years.
But between 70% and 80% of that data is unstructured — that is, “dark” — and therefore largely unusable when it comes to processing and analytics. Lattice uses machine learning to essentially put that data into order and to make it more usable.
Think of it in terms of a jumble of data without labels, categorization or a sense of context — but with a certain latent value that could be unlocked with proper organization.
The applications of the system are manifold: they can be used in international policing and crime solving, such as this work in trying to uncover human trafficking; in medical research; and to help organise and parse paleontological research. It could also be used to help train AI systems by creating more useful data feeds.
It’s unclear who Lattice has been working with, or how Apple would intend to use the technology. Our guess is that there is an AI play here.
«
As guesses go, it’s not a hard one.
link to this extract
Is the gig economy working? • The New Yorker
Nathan Heller looks at the intersection of politics and the gig economy:
»
the place we find ourselves today is not unique. In “Drift and Mastery,” a young Walter Lippmann, one of the founders of modern progressivism, described the strange circumstances of public discussion in 1914, a similar time. “The little business men cried: We’re the natural men, so let us alone,” he wrote. “And the public cried: We’re the most natural of all, so please do stop interfering with us. Muckraking gave an utterance to the small business men and to the larger public, who dominated reform politics. What did they do? They tried by all the machinery and power they could muster to restore a business world in which each man could again be left to his own will—a world that needed no coöperative intelligence.” Coming off a period of liberalization and free enterprise, Lippmann’s America struggled with growing inequality, a frantic news cycle, a rising awareness of structural injustice, and a cacophonous global society—in other words, with an intensifying sense of fragmentation. His idea, the big idea of progressivism, was that national self-government was a coöperative project of putting the pieces together. “The battle for us, in short, does not lie against crusted prejudice,” he wrote, “but against the chaos of a new freedom.”
Revolution or disruption is easy. Spreading long-term social benefit is hard. If one accepts Lehane’s premise that the safety net is tattered and that gigging platforms are necessary to keep people in cash, the model’s social erosions have to be curbed. How can the gig economy be made sustainable at last?
«
It starts out as your average examination of “the sharing economy” but swerves off into the question of politics.
link to this extract
Predictably profitable, unpredictably valuable • Asymco
Horace Dediu on the relationship between Apple’s capital spending, product shipment numbers, and share price:
»
When looking through the [spending and revenue] data, quarter after quarter, year after year, there is a consistency and reliability to the spending/revenue relationship which implies, to me at least, a high degree of certainty.
This predictability, however, has not detracted from the volatility in Apple’s share price–an instrument designed to embody precisely this prediction.
Apple’s share price continues to see swings of more than 70% in any given 52 week period. In the latest 52 week period the shares traded between $89.47 and $154.88, a 73% swing. 100% is not unheard of. Incidentally, S&P 500 volatility ranges around 45%. Apple is by far the largest company in the world and fairly old by large company standards. It should attract a certain premium of stability.
And yet it doesn’t. Skepticism around the company is continuously evident. It’s in the headlines written every day which concoct convoluted reasons to doubt future performance. It’s in the conversations I have with investors who question the tiniest of details in the design of a product (like headphone jack or home button) in order to gauge their impact on the survival of the firm. It’s in the continuous parade of “disruptive entrants” or “established giants” ready to knock the company off its perch by virtue of simply existing.
«
As one commenter points out, competitors to Apple have a strange tendency to focus on those tiny product details as if they were the clue to outselling Apple. (Google, for example, made much of the Pixel having a headphone jack.) That just isn’t how it works.
link to this extract
Apple will announce Amazon Prime Video coming to Apple TV at WWDC • Buzzfeed
»
Sources in position to know tell BuzzFeed News that Amazon’s Prime video app — long absent from Apple TV — is indeed headed to Apple’s diminutive set-top box. Apple plans to announce Amazon Prime video’s impending arrival in the Apple TV App Store during the keynote at its annual Worldwide Developers Conference (WWDC) on June 5 in San Jose, California. A source familiar with the companies’ thinking says the app is expected to go live this summer, but cautioned that the hard launch date might change. Amazon had previously declined to even submit a Prime Video app for inclusion in Apple’s Apple TV App Store, despite Apple’s “all are welcome” proclamations.
Recode earlier reported that Apple and Amazon were nearing an agreement that may finally bring the Prime Video app to Apple TV. It’s now official.
As part of the arrangement between the two companies, Amazon — which stopped selling Apple TV devices two years ago, when it also banned Google’s Chromecast devices from its virtual shelves — will likely resume selling Apple’s set-top box. In October 2015, Amazon forbade third-party electronics sellers from selling Apple TVs and Google Chromecasts through their Amazon storefronts, arguing that the devices inspired “customer confusion.”
«
Some headlines have said “the feud is over”, but feuds involve two sides fighting. There’s no sign of Apple having treated Amazon any differently than any other developer. Amazon just hasn’t wanted to play. Now it does.
link to this extract
Errata, corrigenda and ai no corrida: none notified