The Daily Parker

Politics, Weather, Photography, and the Dog

Two unhappy articles about your phone

First, two unidentified companies have discovered malware on 38 Android devices that could only have been installed after manufacture but before distribution to retailers:

An assortment of malware was found on 38 Android devices belonging to two unidentified companies. This is according to a blog post published Friday by Check Point Software Technologies, maker of a mobile threat prevention app. The malicious apps weren't part of the official ROM firmware supplied by the phone manufacturers but were added later somewhere along the supply chain. In six of the cases, the malware was installed to the ROM using system privileges, a technique that requires the firmware to be completely reinstalled for the phone to be disinfected.

"This finding proves that, even if a user is extremely careful, never clicks a malicious link, or downloads a fishy app, he can still be infected by malware without even knowing it," Check Point Mobile Threat Researcher Daniel Padon told Ars. "This should be a concern for all mobile users."

Padon said it's not clear if the two companies were specifically targeted or if the infections were part of a broader, more opportunistic campaign. The presence of ransomware and other easy-to-detect malware seems to suggest the latter. Check Point also doesn't know where the infected phones were obtained. One of the affected parties was a "large telecommunications company" and the other was a "multinational technology company."

But malware and password stealing don't always need software. Sometimes they just need a suspicious border guard:

Data provided by the Department of Homeland Security shows that searches of cellphones by border agents has exploded, growing fivefold in just one year, from fewer than 5,000 in 2015 to nearly 25,000 in 2016.

According to DHS officials, 2017 will be a blockbuster year. Five-thousand devices were searched in February alone, more than in all of 2015.

The more aggressive tactics of the past two years, two senior intelligence officials told NBC News, were sparked by a string of domestic incidents in 2015 and 2016 in which the watch list system and the FBI failed to stop American citizens from conducting attacks. The searches also reflect new abilities to extract contact lists, travel patterns and other data from phones very quickly.

But the officials caution that rhetoric about a Muslim registry and ban during the presidential campaign also seems to have emboldened federal agents to act more forcefully.

"The shackles are off," said Hugh Handeyside, a staff attorney with the ACLU's National Security Project. "We see individual officers and perhaps supervisors as well pushing those limits, exceeding their authority and violating people's rights."

Expect a lot of litigation and very unhappy travelers. Plus some other Fourth Amendment issues that go unreported.

Happy cell phoning!

Maybe the problem is too many guns, huh?

A 2015 theft of a gun shipment from a railroad yard in Chicago continues to plague the city:

The guns had been en route from New Hampshire weapon maker Sturm, Ruger & Co. to Spokane, Washington. Instead, the .45-caliber Ruger revolvers and other firearms spread quickly into surrounding high-crime neighborhoods. Along with two other major gun thefts within three years, the robbery helped fuel a wave of violence on Chicago's streets.

The 2015 heist of the 111 guns, as well as one in 2014 and another last September from the same 63rd Street Rail Yard highlight a tragic confluence. Chicago's biggest rail yards are on the gang- and homicide-plagued South and West sides where most of the city's 762 killings happened last year.

Chicago's leaders regularly blame lax gun laws in Illinois and nearby states that enable a flow of illegal weapons to the city's gangs and criminals. But community leaders and security experts say no one seems to be taking responsibility for train-yard gun thefts.

But the number of guns produced in this country has nothing at all to do with crime, according to the NRA. Right.

We may know where the leaks are coming from

Diners at Mar-a-Lago overheard the President talking with Japanese Prime Minister Shinzo Abe, the latest in a string of idiotic security breaches he's made all by himself:

As Mar-a-Lago's wealthy members looked on from their tables, and with a keyboard player crooning in the background, Trump and Abe's evening meal quickly morphed into a strategy session, the decision-making on full view to fellow diners, who described it in detail to CNN.

News of Pyongyang's launch had emerged an hour earlier, as Trump was preparing for dinner in his residence. Officials had concluded the Musudan-level missile flew 310 miles off North Korea's eastern coast before crashing into the Sea of Japan.

Oy.

Meanwhile, the Sears Death Watch continues:

[B]ecause Sears and its sister company Kmart are merely shells of their former selves after they destroyed so much value over the years for employees, customers, and investors, there may be a group of stakeholders secretly hoping the end comes soon: shopping malls.

While a Sears Holdings bankruptcy might lead malls to suddenly face the prospect of being flooded with zombie retail space, they would have the chance to redevelop the stores themselves and attract new tenants who would pay them, and not Seritage, significantly higher rents.

Of course, a Sears Holdings bankruptcy carries risks for them, too. As noted, many retailers are reducing their footprints, not expanding them, so filling up the space may not be so simple, and for malls not in desirable locations, Sears Holdings' demise could be catastrophic. Credit Suisse says some 184 malls can be classified as "least valuable property" -- meaning at risk of shutting down -- and, concernedly, Sears is the anchor store in 110 of them. A Sears Holdings bankruptcy and the wave of store closings that would follow could very well jeopardize their existence.

Again, oy.

Wormtongue in the Oval

By now, everyone in the world has heard about President Trump's patently unconstitutional order to ban refugees from some majority-Muslim nations (except, coincidentally, not from those with which he has business dealings). But after his first Take Out the Trash Day, he did something a lot more far-reaching and dangerous yesterday:

President Donald Trump is reshuffling the US National Security Council (NSC), downgrading the military chiefs of staff and giving a regular seat to his chief strategist Steve Bannon.

Mr Bannon, formerly the head of the populist right-wing, Breitbart News website, will join high-level discussions about national security.

The order was signed on Saturday.

The director of national intelligence and the joint chiefs will attend when discussions pertain to their areas.

Under previous administrations, the director and joint chiefs attended all meetings of the NSC's inner circle, the principals' committee.

On the point of the anti-Muslim ban, Lyft this morning announced a $1m donation to the ACLU to protest it. Good for them. (Uber only turned off surge pricing at JFK and offered to compensate their drivers who were detained, which at the moment could be as few as zero.)

Meanwhile, Republicans who slammed Trump just 13 months ago after he said that he was going to do this were remarkably conciliatory when it actually happened. It's almost as if they're opportunistic toadies, who are morally complicit in Trump's attacks on American institutions.

So, anti-Semite and power-drunk Steve Bannon scores a twofer, nicely capping the president's first horrific week in office.

And for those who want a reminder of the reference:

Thanks, Obama!

Two big Obama stories today.

First, the president has commuted Chelsea Manning's sentence. She'll be freed in May:

In recent days, the White House had signaled that Mr. Obama was seriously considering granting Ms. Manning’s commutation application, in contrast to a pardon application submitted on behalf of the other large-scale leaker of the era, Edward J. Snowden, the former intelligence contractor who disclosed archives of top secret surveillance files and is living as a fugitive in Russia.

Asked about the two clemency applications on Friday, the White House spokesman, Joshua Earnest, discussed the “pretty stark difference” between Ms. Manning’s case for mercy with Mr. Snowden’s. While their offenses were similar, he said, there were “some important differences.”

“Chelsea Manning is somebody who went through the military criminal justice process, was exposed to due process, was found guilty, was sentenced for her crimes, and she acknowledged wrongdoing,” he said. “Mr. Snowden fled into the arms of an adversary, and has sought refuge in a country that most recently made a concerted effort to undermine confidence in our democracy.”

(Brian Beutler notes that Snowden's future is pretty uncertain now, too.)

Second, the non-partisan Congressional Budget Office has estimated that, should Republicans repeal the Affordable Care Act, it could lead to 18 million people losing health insurance right away and another 12 million in 20 years:

The bill that the budget office analyzed would have eliminated tax penalties for people who go without insurance. It would also have eliminated spending for the expansion of Medicaid and subsidies that help lower-income people buy private insurance. But the bill preserved requirements for insurers to provide coverage, at standard rates, to any applicant, regardless of pre-existing medical conditions.

“Eliminating the mandate penalties and the subsidies while retaining the market reforms would destabilize the nongroup market, and the effect would worsen over time,” the budget office said.

The office said the estimated increase of 32 million people without coverage in 2026 resulted from three changes: about 23 million fewer people would have coverage in the individual insurance market, roughly 19 million fewer people would have Medicaid coverage, and there would be an increase in the number of people with employment-based insurance that would partially offset those losses.

Republicans complained that they will pass an alternative plan, but no one is taking this seriously. Because they're not.

 

American authoritarianism

I grew up in Chicago, so I have some recollection of how things were before Harold Washington's mayoral administration. Particularly under the first Mayor Daley, large sections of the city lived under authoritarian rule. It wasn't pretty.

New Republic's Graham Vyse explains what this might look like nationally. It won't be The Hunger Games—and that's part of the problem:

Tom Pepinsky, a government professor at Cornell University, recently argued that Americans conceive of authoritarianism in a “fantastical and cartoonish” way, and that popular media—especially film—is to blame.

“This vision of authoritarian rule,” he wrote, “has jackbooted thugs, all-powerful elites acting with impunity, poverty and desperate hardship for everyone else, strict controls on political expression and mobilization, and a dictator who spends his time ordering the murder or disappearance of his opponents using an effective and wholly compliant security apparatus.”

“If you think of authoritarianism as only being The Hunger Games and Star Wars, you’re likely to focus on the wrong types of threats to democracy,” he said in an interview. “You’re out there looking for something unlikely to happen and you’re missing the things much more likely to happen.” Such as legal gerrymandering, he said. “One way to not lose elections that’s very common and essential to Malaysia is the construction of so many safe legislative seats that the party doesn’t need to get most of the voters to get most of the seats.”

In other words, it's already happening in places where Republican governments rule with minority popular votes, such as in North Carolina and (starting Friday) at the Federal level.

Meanwhile, Josh Marshall lays out pretty clearly how Trump and Putin are trying to destroy the EU and NATO, which average Americans might not care about until they're gone.

The next few years are going to suck.

The OPM hack

Wired has a good, long article on how millions of security clearance documents were stolen from the Office of Personnel Management:

Once Captain America’s name popped up, there could be little doubt that the Office of Personnel Management had been hit by an advanced persistent threat (APT)—security-speak for a well-financed, often state-sponsored team of hackers. APTs like China’s Unit 61398 have no interest in run-of-the-mill criminal activities such as selling pilfered Social Security numbers on the black market; they exist solely to accumulate sensitive data that will advance their bosses’ political, economic, and military objectives.

The hackers...delved into the complete personnel files of 4.2 million employees, past and present. Then, just weeks before OPM booted them out, they grabbed approximately 5.6 million digital images of government employee fingerprints.

Scary stuff.

Meetings all day

All of these articles look interesting, and I hope I get to read them:

Oh, fun! Another meeting!

Security expert: Don't blame the user

Bruce Schneier points out that we software developers have more responsibility to protect users than they have to follow all of our instructions:

The problem isn't the users: it's that we've designed our computer systems' security so badly that we demand the user do all of these counterintuitive things. Why can't users choose easy-to-remember passwords? Why can't they click on links in emails with wild abandon? Why can't they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?

Traditionally, we've thought about security and usability as a trade-off: a more secure system is less functional and more annoying, and a more capable, flexible, and powerful system is less secure. This "either/or" thinking results in systems that are neither usable nor secure.

We must stop trying to fix the user to achieve security. We'll never get there, and research toward those goals just obscures the real problems. Usable security does not mean "getting people to do what we want." It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users' security goals without -- as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it -- "stress of mind, or knowledge of a long series of rules."

I'm sometimes guilty of it, too. Though, I also feel that users can do really stupid things that ought not to be our responsibility. After hearing countless stories about fraud, why do some users give credit card numbers to complete strangers, for example?

Later, when I'm done with all this coding...

Some articles to read:

That's all for now. More conference calls...